The Russian cybersecurity company Kaspersky said that hackers working for a government targeted several dozen employees’ iPhones with unknown malware.
On Thursday, Kaspersky announced the alleged cyberattack and published a technical report analyzing it, where the company admitted its analysis is not yet complete. The company said that the hackers, who at this point are unknown, delivered the malware with a zero-click exploit via an iMessage attachment, and that all the events happened within a one- to three-minute timeframe.
Kaspersky spokesperson Sawyer Van Horn said in an email to TechCrunch that the company determined that one of the vulnerabilities used in the operation is known and was fixed by Apple in December 2022, but may have been exploited before it was patched, along with other vulnerabilities. “Although there is no clear indication the same vulnerabilities were exploited previously it is quite possible,” the spokesperson said.
Kaspersky researchers said that they discovered the attack when they noticed “suspicious activity that originated from several iOS-based phones,” while monitoring their own corporate Wi-Fi network. Van Horn said the cyberattacks were discovered “at the beginning of this year.”
The company called this alleged hack against its own employees “Operation Triangulation” and created a logo for it.
Kaspersky researchers said they created offline backups of the targeted iPhones and inspected them with a tool developed by Amnesty International called the Mobile Verification Toolkit, or MVT, which allowed them to discover “traces of compromise.” The researchers did not say when they discovered the attack, and said that they found traces of it going as far back as 2019 and that “attack is ongoing, and the most recent version of the devices successfully targeted is iOS 15.7.”
While the malware was designed to clean up the infected devices and remove traces of itself, “it is possible to reliably identify if the device was compromised,” the researchers wrote.
In the report, the researchers explained step by step how they analyzed the compromised devices, outlining how others can do the same. They did not, however, include many details of what they found using this process.
The researchers said that the presence of “data usage lines mentioning the process named ‘BackupAgent’,” was the most reliable sign that an iPhone was hacked, and that another one of the signs was that compromised iPhones could not install iOS updates.
“We observed update attempts to end with an error message ‘Software Update Failed. An error occurred downloading iOS,’” the researchers wrote.
The company also published a series of URLs that were used in the operation, including some with names such as Unlimited Teacup and Backup Rabbit.
The Russian Computer Emergency Response Team (CERT), a government organization that shares information on cyberattacks, published an advisory on the cyberattack, along with the same domains mentioned by Kaspersky.
In a separate statement, Russia’s Federal Security Service (FSB) accused U.S. intelligence — mentioning NSA specifically — of hacking “thousands” of Apple phones with the goal of spying on Russian diplomats, according to an online translation. The FSB also accused Apple of cooperating with American intelligence. The FSB did not provide evidence for its claims.
The NSA did not immediately respond to a request for comment.
The FSB’s description of the attacks echoes what Kaspersky wrote in its report, but it’s unclear if the two operations are connected.
“Although we don’t have technical details on what has been reported by the FSB so far, the Russian National Coordination Centre for Computer Incidents (NCCCI) has already stated in their public alert that the indicators of compromise are the same,” Van Horn said.
Also, the company declined to attribute the operation to any government or hacking group, saying “Kaspersky does not do political attribution.”
“We don’t have technical details on what has been reported by the FSB so far, hence we are unable to do any technical attribution either. Judging by the cyberattack characteristics we’re unable to link this cyberespionage campaign to any existing threat actor,” Van Horn wrote.
The spokesperson also said that the company reached out to Apple on Thursday morning, “before sending out the report to national CERTs.”
The company’s founder, Eugene Kaspersky, wrote on Twitter that they “are quite confident that Kaspersky was not the main target of this cyberattack,” while promising “more clarity and further details” in the coming days.
This is not the first time hackers have targeted Kaspersky. In 2015, the company announced that a nation-state hacking group, using malware believed to be developed by Israeli spies, had hacked its network.
Updated with additional details from Kaspersky and to include Apple’s statement.
Corrected the date in the second paragraph and the twentieth paragraph.
Do you have more information about these cyberattacks? We’d love to hear from you. You can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Wickr, Telegram and Wire @lorenzofb, or email lorenzo@techcrunch.com. You can also contact TechCrunch via SecureDrop.
Comment