Kaspersky's team detected suspicious activity originating from several iOS phones. However, due to the security constraints preventing direct internal inspection of iOS devices, Kaspersky created offline backups of the implicated phones. They used the Mobile Verification Toolkit's mvt-ios to investigate these backups, leading to the discovery of compromise traces.
According to Kaspersky, the attack sequence begins when the target iOS device receives a message via the iMessage service. The message comes with an attachment containing an exploit. This exploit, designed as a zero-click, triggers a vulnerability in the system and executes malicious code without any user interaction.
The exploit then downloads additional stages from the Command and Control (C&C) server, which include further exploits designed for privilege escalation. Following successful exploitation, a fully-featured APT platform is downloaded from the C&C server, establishing complete control over the device and user data.
To maintain its stealth, the attack erases the initial message and the exploit attachment. Interestingly, the malicious toolset does not support persistence, suggesting that the constraints of iOS might be a limiting factor. As per Kaspersky's findings, the devices could be reinfected after rebooting.
Additionally, Kaspersky mentioned that the attack has successfully targeted devices running up to iOS 15.7, as of June 2023. However, it remains unclear whether a zero-day vulnerability in iOS is being exploited, and the scale and scope of the campaign are yet to be determined.
Kaspersky's team is still investigating the final payload, which operates with root privileges. This malware has the capacity to collect system and user information and execute arbitrary code downloaded as plugin modules from the C&C server.
As the cybersecurity world grapples with this new discovery, this incident highlights the growing sophistication of mobile cyber threats and underlines the critical need for continuous vigilance and advanced cybersecurity measures.
The investigation into 'Operation Triangulation' is still ongoing, and further updates from Kaspersky and other cybersecurity authorities are eagerly awaited.
As a precaution, Kaspersky's CEO, Eugene Kaspersky, advised that disabling iMessage would prevent Triangulation attacks on iOS devices.
Furthermore, users are advised to keep their devices up to date with the latest security patches and to be cautious of unsolicited or suspicious messages received on their devices.
Russia accuses US of hacking thousands of Apple devices to spy on diplomats
Russia's Federal Security Service (FSB) said on Thursday that it had uncovered a US National Security Agency (NSA) plot that used previously unknown malware to exploit purpose-built backdoor vulnerabilities in Apple phones.
The FSB, which is the principal successor to the Soviet-era KGB, has alleged that thousands of Apple phones have been infected, including those belonging to domestic Russian subscribers. More alarmingly, phones belonging to foreign diplomats stationed in Russia and the former Soviet Union, including representatives from NATO member states, Israel, Syria, and China, have also reportedly been targeted.
The FSB's statement claimed the operation showcased the close relationship between Apple and the NSA, accusing the latter of utilizing Apple devices as surveillance tools for monitoring individuals of interest to the US administration. They further suggested that this surveillance net extended to those involved in anti-Russian activities and US citizens.
This revelation reportedly came about through a collaborative effort with the Federal Guards Service, the agency responsible for protecting Russia's leaders. Neither Apple nor the NSA has yet responded to these allegations.
This new development adds another layer of intrigue and complexity to the unfolding 'Operation Triangulation' story.