Pierluigi Paganini
June 02, 2023
Researchers from the Russian firm Kaspersky have uncovered a previously unknown APT group that is targeting iOS devices with zero-click exploits as part of a long-running campaign dubbed Operation Triangulation.
The experts uncovered the attack while monitoring the network traffic of its own corporate Wi-Fi network dedicated to mobile devices using the Kaspersky Unified Monitoring and Analysis Platform (KUMA).
According to Kaspersky researchers, Operation Triangulation began at least in 2019 and is still ongoing.
The attack chains commenced with a message sent via the iMessage service to an iOS device. The message has an attachment containing an exploit. The expert explained that the message triggers a remote code execution vulnerability without any user interaction (zero-click).
Shortly after Kaspersky’s disclosure, Russia’s FSB accused the US intelligence for the attacks against the iPhones. According to Russian intelligence, thousands of iOS devices belonging to domestic subscribers and diplomatic missions and embassies have been targeted as part of Operation Triangulation.
“The Federal Security Service of the Russian Federation, together with the Federal Security Service of Russia, uncovered a reconnaissance operation by American intelligence services carried out using Apple mobile devices (USA).” reads the announcement published by FSB. “It was found that several thousand telephone sets of this brand were infected. At the same time, in addition to domestic subscribers, facts of infection of foreign numbers and subscribers using SIM cards registered with diplomatic missions and embassies in Russia, including the countries of the NATO bloc and the post-Soviet space, as well as Israel, SAR and China, were revealed.”
The operations aimed at gathering intelligence from diplomats from NATO countries, Israel, China and Syria.
FSB believe that Apple supported the US intelligence in this cyberespionage campaign.
“Thus, the information received by the Russian special services testifies to the close cooperation of the American company Apple with the national intelligence community, in particular the US NSA, and confirms that the declared policy of ensuring the confidentiality of personal data of users of Apple devices is not true.” concludes FSB. “The company provides the US intelligence services with a wide range of opportunities to control both any person of interest to the White House, including their partners in anti-Russian activities, and their own citizens.”
The exploit used in the attack downloads multiple subsequent stages from the C2 server, including additional exploits for privilege escalation. The final payload is downloaded from the same C2 and is described by Kaspersky as a fully-featured APT platform.
Then the initial message and the exploit in the attachment are deleted.
The researchers noticed that the malicious toolset does not support persistence, likely due to the limitations of the OS. The devices may have been reinfected after rebooting.
The attack successfully targeted iOS 15.7, the analysis of the final payload has yet to be finished. The malicious code runs with root privileges, it supports a set of commands for collecting system and user information, and can run arbitrary code downloaded as plugin modules from the C2 server.
Kaspersky provided the list of C2 domains involved in the attack.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Operation Triangulation)
