Kaspersky says attackers hacked employees' iPhones with unknown malware

Russian cybersecurity firm Kaspersky said hackers working for a government attacked the iPhones of several dozen employees with unknown malware.


On Thursday, Kaspersky announced the alleged cyberattack and published a technical analysis report on it, where the company admitted that its analysis is not yet complete. The company said the hackers, who so far remain unknown, delivered the malware with a zero-click exploit via an iMessage attachment, and that all events happened within a period of one to three minutes.

Kaspersky spokesman Sawyer Van Horn said the company has determined that one of the vulnerabilities used in the operation was already known and was patched by Apple in December 2022, but that it may have been exploited before being patched, along with other vulnerabilities. "While there is no clear indication that the same vulnerabilities have been previously exploited, it is quite possible," the spokesperson said.

Kaspersky researchers said they discovered the attack when they noticed "suspicious activity coming from multiple iOS phones" while monitoring their own corporate Wi-Fi network. Van Horn said the cyberattacks were discovered "earlier this year".

The company called this alleged hack against its own employees “Operation Triangulation” and created a logo for it.

Kaspersky investigators said they created offline backups of the targeted iPhones and inspected them with a tool developed by Amnesty International called the Mobile Verification Toolkit, or MVT, which allowed them to uncover "traces of compromise". The researchers did not say when they discovered the attack, and said they found traces of it as far back as 2019 and that "the attack is ongoing, and the latest version of successfully targeted devices is iOS 15.7."

Although the malware was designed to clean infected devices and remove traces of itself, "it is possible to reliably identify whether the device has been compromised," the researchers wrote.

In the report, the researchers explained step-by-step how they analyzed the compromised devices, describing how others can do the same. However, they didn't include many details about what they discovered with this process.

The researchers said that the presence of "data usage lines mentioning the process called 'BackupAgent'" was the most reliable sign that an iPhone had been hacked, and that another sign was that compromised iPhones could not install iOS updates.

“We've noticed that update attempts end up with the error message 'Software update failed. An error occurred while downloading iOS',” the researchers wrote.
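The "BackupAgent" indicator above comes from the per-process network accounting that iOS keeps in the backup's DataUsage.sqlite, which MVT parses. As an added illustration (not code from Kaspersky, Amnesty or MVT), the script below builds a constructed in-memory copy of that database, using the ZPROCESS/ZLIVEUSAGE table layout as an assumption, and flags any process whose name matches the indicator, reporting when it was first and last seen and how much traffic it moved:

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Indicator named in the Kaspersky report: a process called "BackupAgent"
# showing up in the phone's per-process network-usage accounting.
SUSPICIOUS_PROCS = {"BackupAgent"}

# Core Data stores timestamps as seconds since 2001-01-01 UTC.
COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)


def cocoa_to_iso(seconds):
    return (COCOA_EPOCH + timedelta(seconds=seconds)).isoformat()


def build_sample_db():
    """Constructed in-memory stand-in for the backup's DataUsage.sqlite.
    Table and column names follow the layout MVT queries (assumed here)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE ZPROCESS (Z_PK INTEGER PRIMARY KEY, ZFIRSTTIMESTAMP REAL,
                               ZTIMESTAMP REAL, ZBUNDLENAME TEXT, ZPROCNAME TEXT);
        CREATE TABLE ZLIVEUSAGE (Z_PK INTEGER PRIMARY KEY, ZHASPROCESS INTEGER,
                                 ZTIMESTAMP REAL, ZWIFIIN REAL, ZWIFIOUT REAL);
    """)
    base = 700000000.0  # constructed: roughly March 2023 in Cocoa seconds
    con.executemany("INSERT INTO ZPROCESS VALUES (?,?,?,?,?)", [
        (1, base, base + 86400, "com.apple.mobilesafari", "MobileSafari"),
        (2, base + 120, base + 180, "", "BackupAgent"),  # constructed hit
        (3, base, base + 3600, "com.apple.MobileSMS", "MobileSMS"),
    ])
    con.executemany("INSERT INTO ZLIVEUSAGE VALUES (?,?,?,?,?)", [
        (1, 1, base + 86400, 5e6, 1e6),
        (2, 2, base + 180, 20480.0, 4e6),
        (3, 3, base + 3600, 3e5, 2e5),
    ])
    return con


def scan_datausage(con, suspicious=SUSPICIOUS_PROCS):
    """Return one finding per suspicious process with its activity window and
    Wi-Fi byte counts. These rows persist even after the binary removes itself."""
    rows = con.execute("""
        SELECT P.ZPROCNAME, P.ZBUNDLENAME, P.ZFIRSTTIMESTAMP, P.ZTIMESTAMP,
               COALESCE(SUM(U.ZWIFIIN), 0), COALESCE(SUM(U.ZWIFIOUT), 0)
        FROM ZPROCESS P LEFT JOIN ZLIVEUSAGE U ON U.ZHASPROCESS = P.Z_PK
        GROUP BY P.Z_PK""")
    return [{"process": name, "bundle": bundle or None,
             "first_seen": cocoa_to_iso(first), "last_seen": cocoa_to_iso(last),
             "wifi_in": int(wifi_in), "wifi_out": int(wifi_out)}
            for name, bundle, first, last, wifi_in, wifi_out in rows
            if name in suspicious]
```

Running `scan_datausage(build_sample_db())` on the constructed data returns a single finding for BackupAgent with no bundle identifier and a short activity window, which is the shape of evidence the report describes.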

The company also published a number of URLs that were used in the operation, including ones with names like Unlimited Teacup and Backup Rabbit.

The Russian Computer Emergency Response Team (CERT), a government organization that shares information about cyberattacks, published a warning about the cyberattack along with the same domains mentioned by Kaspersky.

In a separate statement, Russia's Federal Security Service (FSB) accused US secret services - specifically mentioning the NSA - of hacking "thousands" of Apple phones with the aim of spying on Russian diplomats, according to an online translation. The FSB also accused Apple of cooperating with American secret services. The FSB has provided no evidence for its allegations.

"We have never worked with any government to put a backdoor in any Apple product, and never will," Apple spokesman Scott Radcliffe said in an email.

The NSA did not immediately respond to a request for comment.

The FSB's description of the attacks echoes what Kaspersky wrote in its report, but it's unclear whether the two operations are connected.

"While we don't have technical details on what has been reported by the FSB so far, Russia's National Computer Incident Coordination Center (NCCCI) has already stated in its public alert that the indicators of compromise are the same," said Van Horn.

The company also declined to attribute the operation to any government or hacking group, saying that "Kaspersky does not make political attribution".

“We have no technical details on what has been reported by the FSB so far, so we cannot make any technical attributions either. Judging by the characteristics of the cyberattack, we were unable to associate this cyberespionage campaign with any existing threat actor,” wrote Van Horn.

The spokesman also said that the company contacted Apple on Thursday morning, "before sending the report to the national CERTs".

The company's founder, Eugene Kaspersky, wrote on Twitter that "they are quite confident that Kaspersky was not the main target of this cyberattack", promising "more clarity and more details" in the coming days.
