Clickless iOS Exploits Infect Kaspersky iPhones With Never-Before-Seen Malware

“Clickless” iOS exploits infect Kaspersky iPhones with never-before-seen malware

Moscow-based security firm Kaspersky has been hit by an advanced cyberattack that used clickless exploits to infect the iPhones of several dozen employees with malware that collects microphone recordings, photos, geolocation, and other data, company officials said.

“We are quite confident that Kaspersky was not the main target of this cyberattack,” Eugene Kaspersky, founder of the company, wrote in a post published on Thursday. “The coming days will bring more clarity and further details on the worldwide proliferation of the spyware.”

According to officials inside the Russian National Coordination Centre for Computer Incidents, the attacks were part of a broader campaign by the US National Security Agency that infected several thousand iPhones belonging to people inside diplomatic missions and embassies in Russia, specifically from those located in NATO countries, post-Soviet nations, Israel, and China. A separate alert from the FSB, Russia’s Federal Security Service, alleged Apple cooperated with the NSA in the campaign. An Apple representative denied the claim.

This clickless APT exploit will self destruct

The malware, which has been in use against Kaspersky employees for at least four years, was delivered in iMessage texts that attached a malicious file that automatically exploited one or more vulnerabilities without requiring the receiver to take any action. With that, the devices were infected with what Kaspersky researchers described as a “fully-featured APT platform.” APT is short for advanced persistent threat and refers to threat actors with nearly unlimited resources who target individuals over long periods of time. APTs are almost always backed by nation-states.

Once the APT malware was installed, the initial text message that started the infection chain was deleted. In Thursday’s post, Eugene Kaspersky wrote:

The attack is carried out using an invisible iMessage with a malicious attachment, which, using a number of vulnerabilities in the iOS operating system, is executed on the device and installs spyware. The deployment of the spyware is completely hidden and requires no action from the user. Further, the spyware also quietly transmits private information to remote servers: microphone recordings, photos from instant messengers, geolocation and data about a number of other activities of the owner of the infected device.

The attack is carried out as discreetly as possible, however, the fact of infection was detected by Kaspersky Unified Monitoring and Analysis Platform (KUMA), a native SIEM solution for information and event management; the system detected an anomaly in our network coming from Apple devices. Further investigation from our team showed that several dozen iPhones of our employees were infected with a new, extremely technologically sophisticated spyware we dubbed ‘Triangulation.”

Operation Triangulation gets its name because the malware uses a technique known as canvas fingerprinting to discover what hardware and software a phone is equipped with. During this process, the malware “draws a yellow triangle in the device’s memory,” Eugene Kaspersky said.

Kaspersky researchers said the earliest traces of the Triangulation infections date back to 2019, and as of June 2023, attacks were ongoing. The most recent iOS version to be successfully targeted is 15.7, which was current as of last month. A Kaspersky representative said in an email that it’s not clear if any of the vulnerabilities were zero-days, meaning they were unknown to Apple and unpatched in iOS at the time they were exploited. It’s not clear if Kaspersky detected the infections prior to last month’s rollout of iOS 16 or if Kaspersy phones continued using the older version. An Apple representative noted there’s no indication in Kaspersky’s account that any of the exploits work on iOS versions later than 15.7.

In an email, a Kaspersky representative wrote:

During the timeline of the attack the one-day vulnerabilities were once zero-day vulnerabilities. Although there is no clear indication the same vulnerabilities were exploited previously it is quite possible.

As of time of writing we were able to identify one of many vulnerabilities that were exploited that is most likely CVE-2022-46690. However, given the sophistication of the cyberespionage campaign and the complexity of analysis of the iOS platform, further research will surely reveal more details on the matter. We will update the community about new findings once they emerge.

The malicious toolset is unable to gain persistence, meaning it doesn’t survive reboots, Kaspersky researchers said. A Kaspersky representative said in an email that victims received zero-click exploits again after rebooting. It’s likely that in the coming days or weeks, the company will provide more technical details about the malware, the targets of the campaign, and its origins.

Russia accuses Apple of colluding with the NSA

The Kasperky posts coincided with one from the FSB, Russia’s Federal Security Service, alleging that it “uncovered a reconnaissance operation by American intelligence services carried out using Apple mobile devices. During the normal course of security monitoring, officials of the Russian agency said, they discovered that “several thousand phone sets” were infected. The post accused Apple of aiding in the alleged National Security Agency operation.

“Thus, the information received by the Russian intelligence services testifies to the close cooperation of the American company Apple with the national intelligence community, in particular the US NSA, and confirms that the declared policy of ensuring the confidentiality of personal data of users of Apple devices is not true,” the officials wrote. They didn’t provide additional details or evidence to support the claims.

In an email, an Apple representative denied the allegation, stating: “We have never worked with any government to insert a backdoor into any Apple product and never will.”

A post published by the Russian National Coordination Centre for Computer Incidents, however, directly linked the FSB alert to the Kaspersky attack. A Kaspersky representative wrote in an email: “Although we don’t have technical details on what has been reported by the FSB so far, the Russian National Coordination Centre for Computer Incidents (NCCCI) has already stated in their public alert that the indicators of compromise are the same.” An NSA representative said the agency had no comment on the allegations. Apple representatives have yet to respond to emails seeking a response.

This isn’t the first time Kaspersky has been successfully compromised in an APT campaign. In 2014, the company discovered that stealthy malware had infected its network for months before being detected. While the attacker took pains to disguise the origins of the infection, Kaspersky said the malware in that attack was an updated version of Duqu, which was discovered in late 2011 with code directly derived from Stuxnet. Evidence later suggested Duqu was used to spy on Iran’s efforts to develop nuclear material and keep tabs on the country’s trade relationships.

“We are well aware that we work in a very aggressive environment and have developed appropriate incident response procedures,” Eugene Kaspersky wrote in Thursday’s post. “Thanks to the measures taken, the company is operating normally, business processes and user data are not affected, and the threat has been neutralized.”