Dozens of Kaspersky staff have fallen victim to a sophisticated malware campaign in the form of a clickless, covert exploit against iPhones.
Newly discovered spyware has reportedly stolen a range of data from infected staff iPhones at Russia-based cyber security provider Kaspersky, including microphone recordings, photos shared via messaging and geolocation information.
Company officials described the event as an “extremely complex” and “professional” cyber attack which targeted Apple mobile devices of middle and top management Kaspersky employees – notably, Kaspersky researchers said evidence of device infections dates as far back as 2019.
“The purpose of the attack is the inconspicuous placing of spyware into the iPhones of employees of at least our company,” said company CEO, Eugene Kaspersky.
“The deployment of the spyware is completely hidden and requires no action from the user.”
The spyware was discovered during routine monitoring of the company’s dedicated mobile device network, when staff using the Kaspersky Unified Monitoring and Analysis Platform (KUMA) noticed suspicious activity coming from iOS-based phones.
Several dozen iPhones of senior employees were found to be infected with the novel spyware, which the cyber company has since dubbed “Triangulation”.
While Kaspersky researchers suggest Triangulation remains an ongoing threat, the company has at least managed to nail down some of its inner mechanisms.
How does the spyware work?
Researchers describe the attack as using a “zero-click” exploit on Apple’s default messaging software, iMessage.
The spyware is delivered via an “invisible iMessage” carrying a malicious attachment – but unlike traditional phishing attacks or malware, the spyware is installed automatically by exploiting vulnerabilities in the iOS operating system, requiring no action from the end user.
Once infected, the Triangulation spyware quietly leaks stolen information to remote servers, and later self-deletes the originating message and exploiting attachment.
“The attack starts with iMessage with a malicious attachment, which, using a number of vulnerabilities in iOS installs spyware,” said Eugene Kaspersky.
“No user action is required.”
Kaspersky suggested the Triangulation spyware was especially difficult to detect on account of the “closed nature of iOS”, requiring external tools to perform treatment on an infected device.
To further exacerbate the problem, the spyware reportedly disables infected phones from being able to update iOS, potentially hindering the ability to apply appropriate patches.
Kaspersky has not found an efficient way to remove the spyware without losing user data.
“Important: Disabling iMessage would prevent iOS devices from Triangulation attack,” tweeted Euguene Kaspersky.
Russia levies heavy accusations
In an extensive report from Kaspersky researchers, Triangulation is described as a “fully-featured APT platform.”
An APT refers to an advanced persistent threat, effectively meaning a long-term, well-resourced cyber attack which manages a sustained infiltration against targeted systems.
Notably, APTs are typically associated with nation-states on account of their resource-intensive requirements – and Russian authorities have been quick to draw suspicions against the US.
Alongside Kaspersky’s reportings, the FSB, Russia’s Federal Security Service, said it “uncovered a reconnaissance action by American intelligence services conducted using Apple mobile devices”.
“It was found that several thousand telephone sets of this brand were infected,” reads a translated FSB statement.
The statement goes on to allege a “close cooperation” between Apple and the US National Security Agency, and claims Apple “provides the American intelligence services with a wide range of opportunities to control both any person of interest to the White House, including their partners in anti-Russian activities, and their own citizens.”
Apple has vehemently denied involvement in the alleged nation-state attack, stating it has “never worked with any government to insert a backdoor into any Apple product and never will.”
Meanwhile, Kaspersky researchers suggest the attack may be more widespread than their company alone.
“Given the complexity of the attack, we are confident that we are not the only target,” they said.
