Moscow-based security firm Kaspersky has been hit by an advanced cyberattack that used clickless exploits to infect the iPhones of several dozen employees with malware that collects microphone recordings, photos, geolocation, and other data, company officials said.
“We are quite confident that Kaspersky was not the main target of this cyberattack,” Eugene Kaspersky, founder of the company, wrote in a post published on Thursday. “The coming days will bring more clarity and further details on the worldwide proliferation of the spyware.”
According to officials inside the Russian National Coordination Centre for Computer Incidents, the attacks were part of a broader campaign by the US National Security Agency that infected several thousand iPhones belonging to people inside diplomatic missions and embassies in Russia, specifically from those located in NATO countries, post-Soviet nations, Israel, and China. A separate alert from the FSB, Russia’s Federal Security Service, alleged Apple cooperated with the NSA in the campaign. An Apple representative denied the claim.
This clickless APT exploit will self destruct
The malware, which has been in use against Kaspersky employees for at least four years, was delivered in iMessage texts that attached a malicious file that automatically exploited one or more vulnerabilities without requiring the receiver to take any action. With that, the devices were infected with what Kaspersky researchers described as a “fully-featured APT platform.” APT is short for advanced persistent threat and refers to threat actors with nearly unlimited resources who target individuals over long periods of time. APTs are almost always backed by nation-states.
Once the APT malware was installed, the initial text message that started the infection chain was deleted. In Thursday’s post, Eugene Kaspersky wrote:
The attack is carried out using an invisible iMessage with a malicious attachment, which, using a number of vulnerabilities in the iOS operating system, is executed on the device and installs spyware. The deployment of the spyware is completely hidden and requires no action from the user. Further, the spyware also quietly transmits private information to remote servers: microphone recordings, photos from instant messengers, geolocation and data about a number of other activities of the owner of the infected device.
The attack is carried out as discreetly as possible, however, the fact of infection was detected by Kaspersky Unified Monitoring and Analysis Platform (KUMA), a native SIEM solution for information and event management; the system detected an anomaly in our network coming from Apple devices. Further investigation from our team showed that several dozen iPhones of our employees were infected with a new, extremely technologically sophisticated spyware we dubbed ‘Triangulation.’”
Operation Triangulation gets its name because the malware uses a technique known as canvas fingerprinting to discover what hardware and software a phone is equipped with. During this process, the malware “draws a yellow triangle in the device’s memory,” Eugene Kaspersky said.
The FSB alert alleged that the agency “uncovered a reconnaissance operation by American intelligence services carried out using Apple mobile devices.” During the normal course of security monitoring, officials of the Russian agency said, they discovered that “several thousand phone sets” were infected. The post accused Apple of aiding in the alleged National Security Agency operation.
“Thus, the information received by the Russian intelligence services testifies to the close cooperation of the American company Apple with the national intelligence community, in particular the US NSA, and confirms that the declared policy of ensuring the confidentiality of personal data of users of Apple devices is not true,” the officials wrote. They didn’t provide additional details or evidence to support the claims.
A post published by the Russian National Coordination Centre for Computer Incidents, however, directly linked the FSB alert to the Kaspersky attack. A Kaspersky representative wrote in an email: “Although we don’t have technical details on what has been reported by the FSB so far, the Russian National Coordination Centre for Computer Incidents (NCCCI) has already stated in their public alert that the indicators of compromise are the same.” An NSA representative said the agency had no comment on the allegations. Apple representatives have yet to respond to emails seeking comment.
This isn’t the first time Kaspersky has been successfully compromised in an APT campaign. In 2014, the company discovered that stealthy malware had infected its network for months before being detected. While the attacker took pains to disguise the origins of the infection, Kaspersky said the malware in that attack was an updated version of Duqu, which was discovered in late 2011 with code directly derived from Stuxnet. Evidence later suggested Duqu was used to spy on Iran’s efforts to develop nuclear material and keep tabs on the country’s trade relationships.
“We are well aware that we work in a very aggressive environment and have developed appropriate incident response procedures,” Eugene Kaspersky wrote in Thursday’s post. “Thanks to the measures taken, the company is operating normally, business processes and user data are not affected, and the threat has been neutralized.”