The Russian cybersecurity company Kaspersky said that hackers working for a government targeted its employees’ iPhones with unknown malware.
On Monday, Kaspersky announced the alleged cyberattack, and published a technical report analyzing it, where the company admitted its analysis is not yet complete. The company said that the hackers, whom at this point are unknown, delivered the malware with a zero-click exploit via an iMessage attachment, and that all the events happened within a one to three minute timeframe. At this point, it’s unclear if the hackers exploited new vulnerabilities that were unpatched at the time, meaning they were so-called zero-days.
Kaspersky researchers said that they discovered the attack when they noticed “suspicious activity that originated from several iOS-based phones,” while monitoring their own corporate Wi-Fi network.
The company called this alleged hack against its own employees “Operation Triangulation,” and created a logo for it. Neither Kaspersky nor Apple immediately responded to requests for comment.
Kaspersky researchers said they created offline backups of the targeted iPhones and inspected them with a tool developed by Amnesty International called the Mobile Verification Toolkit, or MVT, which allowed them to discover “traces of compromise.” The researchers did not say when they discovered the attack, and said that they found traces of it going as far back as 2019, and that “attack is ongoing, and the most recent version of the devices successfully targeted is iOS 15.7.”
While the malware was designed to clean up the infected devices and remove traces of itself, “it is possible to reliably identify if the device was compromised,” the researchers wrote.
In the report, the researchers explained step by step how they analyzed the compromised devices, outlining how others can do the same. They did not, however, include many details of what they found using this process.
The researchers said that the presence of “data usage lines mentioning the process named ‘BackupAgent’,” was the most reliable sign that an iPhone was hacked, and that another one of the signs was that compromised iPhones could not install iOS updates.
“We observed update attempts to end with an error message “Software Update Failed. An error occurred downloading iOS,” the researchers wrote.
The company also published a series of URLs that were used in the operation, including some with names such as Unlimited Teacup and Backup Rabbit.
The Russian Computer Emergency Response Team (CERT), a government organization that shares information on cyberattacks, published an advisory on the cyberattack, along with the same domains mentioned by Kaspersky.
In a separate statement, Russia’s Federal Security Service (FSB) accused U.S. intelligence of hacking “thousands” of Apple phones with the goal of spying on Russian diplomats, according to an online translation. The FSB did not provide evidence for its claims.
The FSB’s description of the attacks echoes what Kaspersky wrote in its report, but it’s unclear if the two operations are connected.
This is not the first time hackers target Kaspersky. In 2015 the company announced that a nation-state hacking group, using malware believed to be developed by Israeli spies, had hacked its network.
Do you have more information about these cyberattacks? We’d love to hear from you. You can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Wickr, Telegram and Wire @lorenzofb, or email email@example.com. You can also contact ProWellTech via SecureDrop.