For at least the past four years, an advanced persistent threat (APT) actor has been covertly stealing information from iOS devices belonging to an unknown number of victims, using a zero-click exploit delivered via iMessage. Russia’s top intelligence apparatus, the Federal Security Service of the Russian Federation (FSB), is alleging that the attacks are the work of the National Security Agency (NSA) in the United States, and that they have affected thousands of Russian diplomats and others. So far, there’s no evidence to support those claims.
What can be confirmed is the fact that researchers from Kaspersky discovered the malware after spotting suspicious activity originating from dozens of infected iOS phones on its own corporate Wi-Fi network. The company’s ongoing investigation of the campaign — which is still active, researchers stressed — showed the malware is quietly transmitting microphone recordings, photos from instant messages, the user’s geolocation and other private data about the owner to remote command-and-control (C2) servers.
Kaspersky said that it’s “quite confident” that the company was not the sole target of Operation Triangulation, as it has dubbed the campaign. The security vendor is currently working with other researchers and national computer emergency response teams to understand the full scope of the attack — and notes that for now, attribution is difficult.
“We’re awaiting further information from our colleagues from national CERTs and the cybersecurity community to understand the real exposure of this espionage campaign,” Igor Kuznetsov, head of the EEMEA unit at the Kaspersky Global Research and Analysis Team, tells Dark Reading. “Although not certain, we believe that the attack was not targeted specifically at Kaspersky — the company’s just first to discover it.”
He adds, “Judging by the cyberattack characteristics, we’re unable to link this cyberespionage campaign to any existing threat actor.”
Further, “It’s very hard to attribute anything to anyone,” Kuznetsov told Reuters in specific response to Russia’s US spying allegations.
Russia’s Claims of US Spy Plot
For its part, the FSB said in a media statement that the spyware infected “several thousand” Apple devices, targeting diplomats from Israel, Syria, China, and NATO members, as well as domestic Russian subscribers. It goes on to claim without evidence that the attacks amount to a plot between Apple and the NSA to build a powerful surveillance infrastructure to snoop on those with ties to Russia.
“The hidden data collection was carried out through software vulnerabilities in US-made mobile phones,” Russia’s foreign ministry said in its statement. “The US intelligence services have been using IT corporations for decades in order to collect large-scale data of Internet users without their knowledge.”
Accused parties denied the allegations or refused comment.
“We have never worked with any government to insert a backdoor into any Apple product and never will,” Apple said in a statement to Reuters, which first reported on the allegations. The NSA and Israeli officials declined to comment, and Chinese, Syrian, and NATO representatives were not immediately able for comment, according to the outlet.
Operation Triangulation
The malware is among a growing number to target iOS devices over the past year. Analysts have pointed to Apple’s growing presence in enterprise environments and the growing use of the multiplatform compatible Go language for malware development as reasons for the trend.
On the technical side, Kaspersky’s understanding of the attack so far is based on its analysis of offline backups of the infected iOS devices on its network using the open source Mobile Verification Toolkit (MVT). The different utilities in the toolkit enable forensic analysis of iOS and Android devices to identify — among other things — the presence of spyware tools such as Pegasus on them.
Kaspersky used MVT on the offline backups to reconstruct the sequence of events leading from initial device infection to total device compromise. The company found the initial infection typically began with the target iOS device receiving an iMessage from a random source, with an attachment containing a zero-click exploit.
Upon landing on the device, the iMessage automatically triggers an iOS vulnerability — without any user interaction — that results in remote code execution (RCE) on the infected device. The malicious code downloads several additional malicious components from remote C2 servers, including one that allows for privilege escalation and complete device takeover.
Kaspersky has not yet completed its full analysis of the final payload. But it has been able to determine the malware runs with root privileges on infected devices and takes complete control of the phone and all user data on it. Once the malware takes control of a device, it automatically deletes the iMessage that enabled its presence on the device.
Given the sophistication of the cyber-espionage campaign and the complexity of analysis of the iOS platform, it will take further research to uncover all the iOS vulnerabilities that the malware in the Operation Triangulation campaign can exploit, Kuznetsov says. “We will update the community about new findings once they emerge,” he says. “During the timeline of the attack the one-day vulnerabilities were once zero-day vulnerabilities.”
Kuznetsov says Kaspersky researchers have so far been able to identify at least one of the many vulnerabilities that the malware appears to be exploiting. The flaw is tracked as CVE-2022-46690, a so-called out-of-bounds write issue that Apple disclosed and patched in December 2022. Apple has described the critical vulnerability as allowing an application to execute arbitrary code with kernel level privileges.
Apple Spyware Infections Hard to Spot
Kaspersky discovered the malware while monitoring its Wi-Fi network for mobile devices using the company’s Kaspersky Unified Monitoring and Analysis Platform (KUMA). It’s unclear why the company did not detect the activity sooner, considering that some of the iOS devices were infected as far back as 2019.
Kuznetsov says that researchers often discover APT activity when the threat actor makes an operational mistake. In other instances, different pieces simply take time to come together.
“Sometimes we need to spend time undertaking a proper technical analysis of a new threat, collecting more information on its modus operandi, for example,” he says. “As soon as we have a clear picture, we publish our findings.”
Kaspersky has published detailed information and indicators of compromise on its blog that organizations can use to detect and remediate infected devices, along with a “triangle_check” utility that organizatons can use to scan backups and check for infection.