Russia Blames US Intelligence for iOS Zero-Click Attacks

Russian anti-malware vendor Kaspersky on Thursday said it discovered an APT actor launching zero-click iMessage exploits on iOS-powered devices in its corporate network.

Kaspersky’s disclosure comes on the same day Russia’s Federal Security Service (FSB) blamed US intelligence agencies for an ongoing spy campaign targeting thousands of iOS devices belonging to domestic subscribers and foreign diplomatic missions.

The FSB, the Russian security agency that succeeded the Soviet KGB, said iPhones belonging to diplomats from NATO countries, China, Israel and Syria were infected as part of an alleged “reconnaissance operation by American intelligence services.”

The spy agency did not release IoCs (indicators of compromise) or technical details on the campaign, which appears to be directly linked to Kaspersky’s public disclosure of iMessage zero-click exploitation.

Kaspersky, which calls the campaign Operation Triangulation, said it collected a significant amount of data and it will take some time to analyze. However, to date the company has determined that the attack involves a zero-click exploit that starts with a malicious message being sent to the targeted user via the iMessage feature.

The message delivers an attachment containing the exploit, which is automatically triggered without any user interaction. 

The exploit chain starts with a remote code execution vulnerability. The code is designed to download other components from a command and control (C&C) server, including privilege escalation exploits. 

The final payload has been described by Kaspersky as a “fully-featured APT platform” that runs with root privileges. The company said its investigation is ongoing, but there are clear signs the malware supports commands for collecting system and user information, and executing arbitrary code that is fetched from the C&C server as a plugin module.

Once this final payload has been delivered, the message delivering the exploit is deleted. However, the Russian cybersecurity firm says the attack still leaves traces on a compromised iPhone.

“The malicious toolset does not support persistence, most likely due to the limitations of the OS. The timelines of multiple devices indicate that they may be reinfected after rebooting,” Kaspersky explained. 

It’s unclear if the attack involves the exploitation of zero-day vulnerabilities. Kaspersky has identified attacks dating as far back as 2019. The attacks are ongoing and the newest iOS version confirmed to be targeted is iOS 15.7, which was released in September 2022, and the latest version of the operating system is 16.5.

The security firm has made available details on its forensic investigation methodology, along with device and network IoCs and C&C domains. 

Contacted by SecurityWeek, an Apple spokesperson provided the following statement: “We have never worked with any government to insert a backdoor into any Apple product and never will.”

*updated with statement from Apple

Related: Duqu 2.0 Attack Hits Kaspersky Lab, Venues Tied to Iran Nuclear Talks

Related: New iOS Zero-Click Exploit Defeats Apple ‘BlastDoor’ Sandbox

Related: Journalists’ Phones Hacked via iMessage Zero-Day Exploit