Is the US government using iOS spyware in Russia? That's the allegation coming from the Kremlin after newly discovered spyware infected “several dozen iPhones” belonging to employees at antivirus provider Kaspersky.
According to CEO Eugene Kaspersky, the spyware infected the iPhones via iMessage through an attachment capable of exploiting a “number” of previously unknown vulnerabilities in iOS.
“Without any user interaction, the message triggers a vulnerability that leads to code execution,” the company warned in a report. This code execution can trigger an iPhone to download additional components to secretly hijack the device, enabling the spyware’s creator to initiate microphone recordings, loots photos, and pilfer other data.
However, there’s still a lot we don't know about the spyware, which has been dubbed Operation Triangulation. Kaspersky says its investigation into the incident is ongoing, but the Moscow-based company points out the spyware appears to be new.
“Important: The activity observed in Operation Triangulation does not overlap with already known iOS campaigns, such as Pegasus, Predator, or Reign,” the CEO said, alluding to infamous spyware strains from Israeli spyware dealers such as NSO Group, Intellexa, and QuaDream.
Curiously, Kaspersky also noted: “We are quite confident that Kaspersky was not the main target of this cyberattack. The coming days will bring more clarity and further details on the worldwide proliferation of the spyware.”
Kaspersky refrained from tying the spyware to any group, but the Kremlin was quick to cast blame. Russia's Federal Security Service (FSB) announced it uncovered “a reconnaissance operation by American intelligence services carried out using Apple mobile devices.”
“It has been determined that several thousand devices of this brand have been infected,” the FSB said. “In addition to domestic subscribers, cases of infection have been detected in foreign numbers and subscribers using SIM cards registered to diplomatic missions and embassies in Russia, including NATO countries, post-Soviet countries, as well as Israel, South Africa, and China.”
The Russian security agency is now going as far to accuse Apple of close cooperation with US intelligence operations, which seems unlikely given Apple's past public battles with the FBI.
While the FSB didn’t mention Kaspersky in its announcement, the antivirus provider told PCMag: “We are aware of this announcement. Although we don’t have technical details on what has been reported by the FSB so far, the Russian National Coordination Centre for Computer Incidents (NCCCI) has already stated in their public alert that the indicators of compromise are the same.”
Apple didn’t immediately respond to a request for comment. But Kaspersky said it’s shared details about the exploited vulnerabilities with the company. So patches will likely be on the way. Kaspersky also said the spyware “does not support persistence, most likely due to the limitations of the OS.” This suggests the creators of the spyware were continually reinfecting the iPhones.
The spyware incident raises concerns that Kaspersky may have suffered a compromise for some time. The company’s own report says the oldest spyware infection traces go back to 2019 and that the attack remains ongoing, successfully targeting iOS 15.7.
For now, the Kaspersky’s CEO says: “Thanks to the measures taken, the company is operating normally, business processes and user data are not affected, and the threat has been neutralized. We continue to protect you, as always.”