Connect with us

Hi, what are you looking for?



Russia Blames US Intelligence for iOS Zero-Click Attacks

Kaspersky said its corporate network has been targeted with a zero-click iOS exploit, just as Russia’s FSB said iPhones have been targeted by US intelligence.

iOS Zero-Day Exploits

Russian anti-malware vendor Kaspersky on Thursday said it discovered an APT actor launching zero-click iMessage exploits on iOS-powered devices in its corporate network.

Kaspersky’s disclosure comes on the same day Russia’s Federal Security Service (FSB) blamed US intelligence agencies for an ongoing spy campaign targeting thousands of iOS devices belonging to domestic subscribers and foreign diplomatic missions.

The FSB, the Russian security agency that succeeded the Soviet KGB, said iPhones belonging to diplomats from NATO countries, China, Israel and Syria were infected as part of an alleged “reconnaissance operation by American intelligence services.”

The spy agency did not release IoCs (indicators of compromise) or technical details on the campaign, which appears to be directly linked to Kaspersky’s public disclosure of iMessage zero-click exploitation.

Kaspersky, which calls the campaign Operation Triangulation, said it collected a significant amount of data and it will take some time to analyze. However, to date the company has determined that the attack involves a zero-click exploit that starts with a malicious message being sent to the targeted user via the iMessage feature.

The message delivers an attachment containing the exploit, which is automatically triggered without any user interaction. 

The exploit chain starts with a remote code execution vulnerability. The code is designed to download other components from a command and control (C&C) server, including privilege escalation exploits. 

Advertisement. Scroll to continue reading.

The final payload has been described by Kaspersky as a “fully-featured APT platform” that runs with root privileges. The company said its investigation is ongoing, but there are clear signs the malware supports commands for collecting system and user information, and executing arbitrary code that is fetched from the C&C server as a plugin module.

Once this final payload has been delivered, the message delivering the exploit is deleted. However, the Russian cybersecurity firm says the attack still leaves traces on a compromised iPhone.

“The malicious toolset does not support persistence, most likely due to the limitations of the OS. The timelines of multiple devices indicate that they may be reinfected after rebooting,” Kaspersky explained. 

It’s unclear if the attack involves the exploitation of zero-day vulnerabilities. Kaspersky has identified attacks dating as far back as 2019. The attacks are ongoing and the newest iOS version confirmed to be targeted is iOS 15.7, which was released in September 2022, and the latest version of the operating system is 16.5.

The security firm has made available details on its forensic investigation methodology, along with device and network IoCs and C&C domains. 

Contacted by SecurityWeek, an Apple spokesperson provided the following statement: “We have never worked with any government to insert a backdoor into any Apple product and never will.”

*updated with statement from Apple

Related: Duqu 2.0 Attack Hits Kaspersky Lab, Venues Tied to Iran Nuclear Talks

Related: New iOS Zero-Click Exploit Defeats Apple ‘BlastDoor’ Sandbox

Related: Journalists’ Phones Hacked via iMessage Zero-Day Exploit

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet


On the first anniversary of Russia’s invasion of Ukraine, cybersecurity companies summarize the cyber operations they have seen and their impact.


The war in Ukraine is the first major conflagration between two technologically advanced powers in the age of cyber. It prompts us to question...