Knowlesys

Russia says U.S. exploited iOS vulnerability to hack thousands of iPhones

A report by Russian cybersecurity firm Kaspersky said the attack began in 2019 and is still ongoing; Kaspersky named the campaign "Operation Triangulation".

Since iOS could not be analyzed directly on the device, Kaspersky used the Mobile Authentication Toolkit to create a file system backup of an infected iPhone and recover information about the course of the attack and the malware's functionality. Although the malware attempts to remove traces of the attack from the device, it still leaves behind signs of infection, such as system files modified to prevent the installation of iOS updates, unusual data usage, and deprecated injection libraries.
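The offline triage described above can be reproduced in outline: dump the device to a backup, then walk the backup's file listing looking for known indicator paths and for system-level files that changed after the last legitimate OS update. The script below is an added illustration of that workflow and is not Kaspersky's tooling or the Mobile Verification Toolkit; the listing format, the domain names treated as "system" and the indicator path are all constructed placeholders, not the published Triangulation IoCs.

```python
"""Triage an iOS backup file listing for two of the infection signs named above:
a known indicator path, and a system file modified after the last OS update.
Added example; the listing format and indicator path are constructed placeholders."""
from __future__ import annotations

import csv
from dataclasses import dataclass
from datetime import datetime, timezone
from io import StringIO


@dataclass(frozen=True)
class BackupEntry:
    domain: str        # backup domain the file belongs to
    path: str          # path relative to that domain
    size: int          # size in bytes
    mtime: datetime    # last modification time (UTC)


def _ts(text: str) -> datetime:
    """Parse an ISO-8601 timestamp as UTC."""
    return datetime.fromisoformat(text).replace(tzinfo=timezone.utc)


# Placeholder indicator path (hypothetical; a real scan would load published IoCs).
INDICATOR_PATHS = frozenset({
    "Library/Preferences/com.example.updateblock.plist",
})

# Domains a user never edits by hand; a write there after the last OS update is
# worth a second look (assumed grouping for this example).
SYSTEM_DOMAINS = frozenset({"SystemPreferencesDomain", "RootDomain"})


def parse_listing(text: str) -> list[BackupEntry]:
    """Parse a constructed 'domain,path,size,mtime' CSV listing of a backup."""
    entries = []
    for row in csv.DictReader(StringIO(text)):
        entries.append(BackupEntry(row["domain"], row["path"],
                                   int(row["size"]), _ts(row["mtime"])))
    return entries


def find_indicators(entries: list[BackupEntry],
                    last_os_update: datetime) -> list[str]:
    """Return one finding per entry that matches an indicator path or is a
    system-domain file modified after the last legitimate OS update."""
    findings = []
    for e in entries:
        if e.path in INDICATOR_PATHS:
            findings.append(f"known indicator path: {e.domain}/{e.path}")
        elif e.domain in SYSTEM_DOMAINS and e.mtime > last_os_update:
            findings.append(
                f"system file modified after last OS update: "
                f"{e.domain}/{e.path} at {e.mtime.isoformat()}")
    return findings


# Constructed sample listing: one normal user file, one system file written during
# the update, one system file touched months later, and one indicator path hit.
SAMPLE_LAST_UPDATE = _ts("2023-01-10T08:00:00")
SAMPLE_LISTING = """domain,path,size,mtime
HomeDomain,Library/SMS/sms.db,4200000,2023-05-01T12:00:00
SystemPreferencesDomain,SystemConfiguration/preferences.plist,12000,2023-01-10T07:58:00
SystemPreferencesDomain,SystemConfiguration/com.apple.wifi.plist,9000,2023-04-20T03:14:00
HomeDomain,Library/Preferences/com.example.updateblock.plist,300,2023-04-20T03:14:10
"""


def triage_sample() -> list[str]:
    """Run the scan over the constructed listing."""
    return find_indicators(parse_listing(SAMPLE_LISTING), SAMPLE_LAST_UPDATE)


if __name__ == "__main__":
    for finding in triage_sample():
        print(finding)
```

Two hits are expected on the sample: the Wi-Fi preference file written long after the update, and the placeholder indicator path. The SMS database is skipped because user-domain churn is normal, and the preferences file written during the update window is skipped because its timestamp predates the update.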

Analysis shows that the most recent iOS version observed infected was iOS 15.7, but Apple may have fixed the vulnerabilities exploited by the malware in the latest iOS 16.5 release.

According to the report, an exploit delivered via iMessage triggers an unknown flaw in iOS to execute code, then fetches further commands from the attacker's server to enable actions such as privilege escalation. After escalating to root, the malware downloads a fully functional toolset that executes commands to collect system and user information and fetches additional modules from the command-and-control (C2) server.

Kaspersky notes that the APT toolset dropped onto the device has no persistence mechanism and can therefore be removed by rebooting. Currently, only some details about the malware's functionality are publicly available, as analysis of the final payload is still in progress.

Russia accuses NSA of launching attacks

In a statement consistent with the Kaspersky report, the Russian Federal Security Service (FSB) claims that Apple deliberately provided the NSA with backdoors to deploy spyware on iPhones in the country.

The FSB claims that it has found thousands of iPhones infected with spyware that belonged to Russian government officials and staff at the embassies of Israel, China and several NATO member countries in Russia, but at this point the FSB has not provided any evidence to support its claims.

Kaspersky also confirmed that the attack affected its headquarters office in Moscow and employees in other countries. Nonetheless, the company said it could not confirm whether there was a connection between its findings and the FSB's report due to a lack of technical details about the government's investigation.


