Moscow-based security firm Kaspersky has been hit by an advanced cyberattack that used clickless exploits to infect the iPhones of several dozen employees. The phones were infected with malware that collects microphone recordings, photos, geolocation, and other data, company officials said.
“We are quite confident that Kaspersky was not the main target of this cyberattack,” Eugene Kaspersky, founder of the company, wrote in a post published on Thursday. “The coming days will bring more clarity and further details on the worldwide proliferation of the spyware.”
This clickless APT exploit will self-destruct
The malware, which has been in use for at least four years, was delivered in iMessage texts that attached a malicious file that automatically exploited one or more vulnerabilities without requiring the receiver to take any action. With that, the devices were infected with what Kaspersky researchers described as a “fully-featured APT platform.” APT is short for advanced persistent threat and refers to threat actors with nearly unlimited resources who target individuals over long periods of time. APTs are almost always backed by nation-states.
Once the APT malware was installed, the initial text message that started the infection chain was deleted. In Thursday’s post, Eugene Kaspersky wrote:
The attack is carried out using an invisible iMessage with a malicious attachment, which, using a number of vulnerabilities in the iOS operating system, is executed on the device and installs spyware. The deployment of the spyware is completely hidden and requires no action from the user. Further, the spyware also quietly transmits private information to remote servers: microphone recordings, photos from instant messengers, geolocation and data about a number of other activities of the owner of the infected device.
The attack is carried out as discreetly as possible, however, the fact of infection was detected by Kaspersky Unified Monitoring and Analysis Platform (KUMA), a native SIEM solution for information and event management; the system detected an anomaly in our network coming from Apple devices. Further investigation from our team showed that several dozen iPhones of our employees were infected with a new, extremely technologically sophisticated spyware we dubbed ‘Triangulation.’
Operation Triangulation gets its name because the malware uses a technique known as canvas fingerprinting to discover what hardware and software a phone is equipped with. During this process, the malware “draws a yellow triangle in the device’s memory,” Eugene Kaspersky said.
Kaspersky researchers said the earliest traces of the Triangulation infections date back to 2019, and as of June 2023, attacks were ongoing. The most recent iOS version to be successfully targeted is 15.7, which was current as of last month. Neither Kaspersky nor Apple responded to emails asking if the vulnerability exploited was a zero-day, meaning a flaw that is known to attackers or becomes public before the vendor has a fix in place.
In an email, a Kaspersky representative wrote:
During the timeline of the attack, the one-day vulnerabilities were once zero-day vulnerabilities. Although there is no clear indication the same vulnerabilities were exploited previously, it is quite possible.
As of the time of writing, we were able to identify one of many vulnerabilities that were exploited that is most likely CVE-2022-46690. However, given the sophistication of the cyberespionage campaign and the complexity of analysis of the iOS platform, further research will surely reveal more details on the matter. We will update the community about new findings once they emerge.
The malicious toolset is unable to gain persistence, meaning it doesn’t survive reboots, Kaspersky researchers said. They said the timing of infections on multiple devices suggested they were somehow “reinfected after rebooting.” The researchers didn’t elaborate. It’s likely that in the coming days or weeks, the company will provide more technical details about the malware, the targets of the campaign, and its origins.
Russia accuses Apple of colluding with the NSA
The Kaspersky posts coincided with one from the FSB, Russia’s Federal Security Service, alleging that it “uncovered a reconnaissance operation by American intelligence services carried out using Apple mobile devices.” During the normal course of security monitoring, officials of the Russian agency said, they discovered that “several thousand phone sets” were infected. The post accused Apple of aiding in the alleged National Security Agency operation.
“Thus, the information received by the Russian intelligence services testifies to the close cooperation of the American company Apple with the national intelligence community, in particular the US NSA, and confirms that the declared policy of ensuring the confidentiality of personal data of users of Apple devices is not true,” the officials wrote. They didn’t provide additional details or evidence to support the claims.
A post published by the Russian National Coordination Centre for Computer Incidents, however, directly linked the FSB alert to the Kaspersky attack. A Kaspersky representative wrote in an email: “Although we don’t have technical details on what has been reported by the FSB so far, the Russian National Coordination Centre for Computer Incidents (NCCCI) has already stated in their public alert that the indicators of compromise are the same.” An NSA representative said the agency had no comment on the allegations. Apple representatives have yet to respond to emails seeking a response.
This isn’t the first time Kaspersky has been successfully compromised in an APT campaign. In 2014, the company discovered that stealthy malware had infected its network for months before being detected. While the attacker took pains to disguise the origins of the infection, Kaspersky said the malware in that attack was an updated version of Duqu, which was discovered in late 2011 with code directly derived from Stuxnet. Evidence later suggested Duqu was used to spy on Iran’s efforts to develop nuclear material and keep tabs on the country’s trade relationships.
“We are well aware that we work in a very aggressive environment and have developed appropriate incident response procedures,” Eugene Kaspersky wrote in Thursday’s post. “Thanks to the measures taken, the company is operating normally, business processes and user data are not affected, and the threat has been neutralized.”