The Russian cybersecurity firm Kaspersky has reported that a group of government-affiliated hackers targeted numerous iPhones belonging to company employees using an unidentified form of malicious software.
Kaspersky made the announcement on Thursday, unveiling a preliminary technical analysis of the suspected cyberattack. The company acknowledged that their investigation is still underway. According to Kaspersky, the hackers, whose identities remain unknown, employed a zero-click exploit to deliver the malware through an iMessage attachment. The entire sequence of events occurred within a remarkably short timeframe, spanning only one to three minutes.
In an email correspondence with TechCrunch, Kaspersky spokesperson Sawyer Van Horn revealed that the company identified one of the vulnerabilities exploited in the operation, which had been addressed and resolved by Apple in December 2022. However, there is a possibility that it had been previously exploited, alongside other vulnerabilities. The spokesperson emphasized that although there is no definitive evidence of prior exploitation of the same vulnerabilities, the likelihood cannot be dismissed.
The Kaspersky researchers stumbled upon the attack while monitoring their corporate Wi-Fi network, when they detected “suspicious activity originating from several iOS-based devices.” Van Horn indicated that the cyberattacks were discovered early this year.
Dubbed “Operation Triangulation” by the company, this alleged breach targeting Kaspersky’s own employees has even been assigned a logo.
The researchers at Kaspersky took offline backups of the targeted iPhones and scrutinized them using a tool developed by Amnesty International called the Mobile Verification Toolkit (MVT). This software facilitated the identification of “traces of compromise.” Although the researchers did not specify when they initially discovered the attack, they revealed that traces of compromise dated back to as early as 2019. Moreover, they highlighted that the attack is ongoing, with the most recent version of iOS (15.7) being successfully targeted.
Despite the malware’s objective of erasing all signs of its presence and cleaning up the infected devices, the researchers emphasized that it is still possible to accurately determine if a device has been compromised.
Within the report, the researchers provided a detailed step-by-step explanation of their device analysis methodology, offering guidance for others interested in replicating their approach. However, they refrained from disclosing extensive specifics regarding their findings throughout this process.
According to the researchers, the presence of “data usage lines mentioning the process named ‘BackupAgent'” emerged as the most reliable indicator of an iPhone being compromised. Another telltale sign was the inability of compromised iPhones to install iOS updates.
“We observed update attempts to end with an error message ‘Software Update Failed. An error occurred downloading iOS,'” the researchers elaborated.
Additionally, the company released a list of URLs associated with the operation, featuring names like Unlimited Teacup and Backup Rabbit.
The Russian Computer Emergency Response Team (CERT), a governmental organization responsible for sharing information on cyberattacks, issued an advisory concerning the cyberattack, aligning with the domains mentioned by Kaspersky.
In a separate statement, Russia’s Federal Security Service (FSB) accused U.S. intelligence agencies, specifically referencing the NSA, of hacking thousands of Apple phones with the intent of espionage against Russian diplomats, as per an online translation. The FSB also levied allegations against Apple, accusing the company of collaborating with American intelligence. However, the FSB did not substantiate its claims with evidence.
The NSA has not yet responded to the request for comment. The FSB’s description of the attacks corresponds with what was outlined in Kaspersky’s report, although it remains unclear whether the two operations are connected.
“While we lack technical details on the FSB’s reports thus far, the Russian National Coordination Centre for Computer Incidents (NCCCI) has already stated in their public alert that the indicators of compromise align,” commented Van Horn.
Furthermore, Kaspersky declined to attribute the operation to any specific government or hacking group, emphasizing that “Kaspersky does not engage in political attribution.”
“Given the absence of technical details from the FSB’s reports, we are unable to provide technical attribution as well. Based on the characteristics of the cyberattack, we cannot link this cyberespionage campaign to any known threat actor,” Van Horn explained.
The spokesperson also mentioned that the company reached out to Apple on Thursday morning, prior to disseminating the report to national CERTs.
Eugene Kaspersky, the founder of the company, took to Twitter to express confidence that Kaspersky itself was not the primary target of this cyberattack, assuring that “more clarity and further details” would be forthcoming in the following days.
It is worth noting that this incident is not the first time Kaspersky has been targeted by hackers. In 2015, the company disclosed a breach in which a nation-state hacking group, suspected to have ties with Israeli intelligence, infiltrated its network using malware.