
Russia Blames US Intelligence for iOS Zero-Click Attacks

Kaspersky said its corporate network has been targeted with a zero-click iOS exploit, just as Russia’s FSB said iPhones have been targeted by US intelligence.


Russian anti-malware vendor Kaspersky on Thursday said it discovered an APT actor launching zero-click iMessage exploits on iOS-powered devices in its corporate network.

Kaspersky’s disclosure comes on the same day Russia’s Federal Security Service (FSB) blamed US intelligence agencies for an ongoing spy campaign targeting thousands of iOS devices belonging to domestic subscribers and foreign diplomatic missions.

The FSB, the Russian security agency that succeeded the Soviet KGB, said iPhones belonging to diplomats from NATO countries, China, Israel and Syria were infected as part of an alleged “reconnaissance operation by American intelligence services.”

The spy agency did not release IoCs (indicators of compromise) or technical details on the campaign, which appears to be directly linked to Kaspersky’s public disclosure of iMessage zero-click exploitation.

Kaspersky, which calls the campaign Operation Triangulation, said it collected a significant amount of data and it will take some time to analyze. However, to date the company has determined that the attack involves a zero-click exploit that starts with a malicious message being sent to the targeted user via the iMessage feature.

The message delivers an attachment containing the exploit, which is automatically triggered without any user interaction.

The exploit chain starts with a remote code execution vulnerability. The code is designed to download other components from a command and control (C&C) server, including privilege escalation exploits.

The final payload has been described by Kaspersky as a “fully-featured APT platform” that runs with root privileges. The company said its investigation is ongoing, but there are clear signs the malware supports commands for collecting system and user information, and executing arbitrary code that is fetched from the C&C server as a plugin module.


Once this final payload has been delivered, the message delivering the exploit is deleted. However, the Russian cybersecurity firm says the attack still leaves traces on a compromised iPhone.

“The malicious toolset does not support persistence, most likely due to the limitations of the OS. The timelines of multiple devices indicate that they may be reinfected after rebooting,” Kaspersky explained.

It’s unclear if the attack involves the exploitation of zero-day vulnerabilities. Kaspersky has identified attacks dating as far back as 2019. The attacks are ongoing, and the newest iOS version confirmed to be targeted is iOS 15.7, which was released in September 2022, while the latest version of the operating system is 16.5.

The security firm has made available details on its forensic investigation methodology, along with device and network IoCs and C&C domains.
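Because the article does not reproduce Kaspersky's network IoCs, the following is an added illustration (not code from the article or from Kaspersky) of how a defender would sweep DNS resolver logs against a published C&C domain list once they have it. The domain names and log lines below are constructed placeholders, not real indicators; the log format is an assumed simple whitespace-separated layout.

```python
import re

# Placeholder C&C domains. The real list is published in Kaspersky's
# report, not on this page, so these are obviously fake stand-ins.
CC_DOMAINS = {
    "cc-placeholder-1.example",
    "cc-placeholder-2.example",
}

# Constructed DNS resolver log lines (not real data) in an assumed
# "<ISO timestamp> <client IP> <query name> <record type>" layout.
SAMPLE_DNS_LOG = """\
2023-05-30T09:12:01Z 10.0.5.21 www.apple.com A
2023-05-30T09:12:07Z 10.0.5.21 cc-placeholder-1.example. A
2023-05-30T09:13:44Z 10.0.5.33 api.CC-Placeholder-2.example AAAA
2023-05-30T09:14:10Z 10.0.5.21 notcc-placeholder-1.example A
this line is deliberately malformed
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def normalize(name):
    """Lower-case and strip the trailing dot so FQDN forms compare equal."""
    return name.rstrip(".").lower()


def matches_ioc(qname, iocs):
    """Return the IoC domain that qname equals or is a subdomain of, else None.

    The leading '.' in the suffix check prevents 'notcc-placeholder-1.example'
    from matching 'cc-placeholder-1.example'.
    """
    q = normalize(qname)
    for d in iocs:
        if q == d or q.endswith("." + d):
            return d
    return None


def scan_dns_log(text, iocs=CC_DOMAINS):
    """Parse log lines and return every query that hits an IoC domain."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip unparseable lines instead of aborting the sweep
        ts, client, qname, _qtype = m.groups()
        ioc = matches_ioc(qname, iocs)
        if ioc:
            hits.append({
                "timestamp": ts,
                "client": client,
                "query": normalize(qname),
                "ioc": ioc,
            })
    return hits


def clients_by_ioc(hits):
    """Group the client addresses that resolved each IoC, for triage."""
    grouped = {}
    for h in hits:
        grouped.setdefault(h["ioc"], set()).add(h["client"])
    return grouped


if __name__ == "__main__":
    found = scan_dns_log(SAMPLE_DNS_LOG)
    for h in found:
        print(h)
    print(clients_by_ioc(found))
```

Matching on the parent domain and its subdomains matters because the article notes that payload components are fetched from the C&C infrastructure in stages, so individual hosts under a listed domain may vary between requests. The timestamps retained on each hit feed the per-device timeline work described above, where reinfection after a reboot shows up as repeated contacts from the same client.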

Contacted by SecurityWeek, an Apple spokesperson provided the following statement: “We have never worked with any government to insert a backdoor into any Apple product and never will.”

Updated with statement from Apple.

Related: Duqu 2.0 Attack Hits Kaspersky Lab, Venues Tied to Iran Nuclear Talks

Related: New iOS Zero-Click Exploit Defeats Apple ‘BlastDoor’ Sandbox

Related: Journalists’ Phones Hacked via iMessage Zero-Day Exploit

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
