Russian Government Accuses Apple, NSA of iPhone Malware Operation with iOS Triangulation, a New iMessage Exploit
The Russian government has accused Apple and the NSA of colluding to infect key Russian government officials and citizens with an iMessage exploit.

The Russian government and FSB (Russia’s intelligence and security agency) have accused Apple of colluding with the United States National Security Agency (NSA) in an operation that infected thousands of iPhones with malware. The malware, which was reportedly developed by the NSA, allowed the attackers to access the iPhones without the users’ knowledge or consent.

The Russian government claims that the malware was used to target Russian citizens and officials, as well as employees of foreign embassies in Moscow. The government also claims that Apple was aware of the malware and did nothing to stop it.

But that’s only half of the story.

Kaspersky releases report of Apple iPhone zero-click exploit

To date, the FSB has provided no proof of its claims.

However, a report coinciding with the FSB’s proclamations came from Kaspersky, a Russian cybersecurity company led by Eugene Kaspersky that has long been accused of close ties to the Kremlin. Kaspersky published a technical report on Securelist (the company’s research blog) analyzing Apple iPhone “zero-click exploits” delivered via iMessage attachments.

Eugene Kaspersky, CEO of the cybersecurity firm Kaspersky, announcing the discovery of Operation Triangulation, a zero-click Apple iMessage vulnerability that infects a targeted iPhone with malware used for spying. (Source: Twitter)

iOS Triangulation: How the iMessage malware attachment infects the iPhone

A zero-click exploit in this case would result in a targeted iPhone becoming infected with malware after receiving an iMessage with the attachment. The targeted device would not need to open the attachment or perform any other action.

According to Kaspersky, “the code within the exploit downloads several subsequent stages from the command and control (C&C) server, that include additional exploits for privilege escalation.”

Kaspersky has identified a number of domains used in the operation to download the additional malware payloads from the C&C infrastructure.

Kaspersky researchers have identified multiple domains used in iOS Triangulation that download additional payloads from C&C servers to build the advanced persistent threat platform on the targeted iPhone device. (Source: Kaspersky)

A final payload is then downloaded from the C&C server, which assembles the advanced persistent threat (APT) platform on the targeted iPhone. The original iMessage with the attachment is automatically deleted.

Kaspersky spokesperson Sawyer Van Horn said in an email to TechCrunch that the company determined that one of the vulnerabilities used in the operation is known and was fixed by Apple in December 2022, but may have been exploited before it was patched, along with other vulnerabilities. “Although there is no clear indication the same vulnerabilities were exploited previously, it is quite possible,” the spokesperson said.

The company has named this research “Operation Triangulation” and dubbed the malware itself “iOS Triangulation.”

Kaspersky claims that its own team of researchers discovered the attack after monitoring unusual web traffic on the corporate network. The earliest detected incidents of iOS Triangulation on company devices date back to 2019, and the attacks are still ongoing, according to the company.

Apple’s response to iPhone zero-click exploit malware iOS Triangulation

Apple has denied the allegations, saying it has never worked with any government to insert a backdoor into its products. The company has also said that it is committed to protecting the privacy of its users.

“We have never worked with any government to insert a backdoor into any Apple product and never will.”

– Apple spokesperson in a statement released to BleepingComputer.

The allegations have raised concerns about the security of Apple products—in the eyes of the Russian government, at least—and the potential for government surveillance. Russia has previously recommended that all Presidential administration employees stop using Apple iPhones and, if possible, give up American-made technology entirely.

The incident also highlights the growing tensions between Russia and the United States.

How to check if your iPhone is infected with iOS Triangulation, a zero-click malware

Eugene Kaspersky announcing the release of a free utility to check if your Apple iPhone has been targeted with iOS Triangulation, a zero-click malware. (Source: Twitter)

Kaspersky has published a free tool on GitHub to check whether your iPhone has been infected with what it refers to as iOS Triangulation, and a full blog post on Securelist documents the process of actually performing the check on your iPhone.


Discover more from Cybersecurity Careers Blog