Operation Triangulation: 4-Year Spying Campaign Targets iOS Devices

June 2, 2023

For the past four years, an unknown advanced persistent threat (APT) actor has been covertly stealing information from iOS devices using a zero-click exploit delivered via iMessage. The Federal Security Service of the Russian Federation (FSB) has accused the US National Security Agency (NSA) of being responsible for the attacks, claiming that they have affected thousands of Russian diplomats and others. However, no evidence has been provided to support these allegations.

Kaspersky researchers discovered the malware after noticing suspicious activity from dozens of infected iOS phones on their corporate Wi-Fi network. The ongoing investigation has revealed that the malware, dubbed Operation Triangulation, is still active and is quietly transmitting microphone recordings, photos from instant messages, user's geolocation, and other private data to remote command-and-control (C2) servers. Kaspersky is confident that it was not the sole target of the campaign and is currently working with other researchers and national computer emergency response teams to understand the full scope of the attack. Attribution, however, remains difficult.

Igor Kuznetsov, head of the EEMEA unit at the Kaspersky Global Research and Analysis Team, stated, "We’re awaiting further information from our colleagues from national CERTs and the cybersecurity community to understand the real exposure of this espionage campaign." He also mentioned that it's hard to attribute the attack to anyone, in response to Russia's US spying allegations.

The FSB claimed that the spyware infected several thousand Apple devices, targeting diplomats from Israel, Syria, China, and NATO members, as well as domestic Russian subscribers. They alleged that the attacks were part of a plot between Apple and the NSA to build a powerful surveillance infrastructure to spy on those with ties to Russia. Apple denied these allegations, stating, "We have never worked with any government to insert a backdoor into any Apple product and never will." The NSA and Israeli officials declined to comment, while Chinese, Syrian, and NATO representatives were not immediately available for comment.

The malware is among a growing number targeting iOS devices in recent years. Analysts have attributed this trend to Apple's increasing presence in enterprise environments and the growing use of the multiplatform compatible Go language for malware development. Kaspersky's understanding of the attack is based on its analysis of offline backups of the infected iOS devices on its network using the open-source Mobile Verification Toolkit (MVT).

The initial infection typically began with the target iOS device receiving an iMessage from a random source, with an attachment containing a zero-click exploit. The iMessage automatically triggered an iOS vulnerability without any user interaction, resulting in remote code execution (RCE) on the infected device. The malicious code downloaded several additional malicious components from remote C2 servers, including one that allowed for privilege escalation and complete device takeover.

Kaspersky has identified at least one of the many vulnerabilities that the malware appears to be exploiting. The flaw is tracked as CVE-2022-46690, an out-of-bounds write issue that Apple disclosed and patched in December 2022. The vulnerability allows an application to execute arbitrary code with kernel-level privileges. Kaspersky discovered the malware while monitoring its Wi-Fi network for mobile devices using the company's Kaspersky Unified Monitoring and Analysis Platform (KUMA). Some of the iOS devices were infected as far back as 2019.

Kuznetsov explained that researchers often discover APT activity when the threat actor makes an operational mistake or when different pieces take time to come together. He added, "Sometimes we need to spend time undertaking a proper technical analysis of a new threat, collecting more information on its modus operandi, for example." Kaspersky has published detailed information and indicators of compromise on its blog to help organizations detect and remediate infected devices. Kuznetsov noted that they are unable to link this cyberespionage campaign to any existing threat actor.

Latest News

• Splunk Enterprise Patches High-Severity Vulnerabilities
• XE Group Cybercrime Kingpin Unveiled by Cybersecurity Researchers
• Moxa Addresses Critical Vulnerabilities in MXsecurity Software
• Critical Zyxel Firewall Vulnerability Actively Exploited by Hackers
• Mirai Variant Exploits Tenda, Zyxel Devices for RCE, DDoS Attacks