The Russian government and FSB (Russia’s intelligence and security agency) have accused Apple of colluding with the United States National Security Agency (NSA) in an operation that infected thousands of iPhones with malware. The malware, which was reportedly developed by the NSA, allowed the attackers to access the iPhones without the users’ knowledge or consent.
The Russian government claims that the malware was used to target Russian citizens and officials, as well as employees of foreign embassies in Moscow. The government also claims that Apple was aware of the malware and did nothing to stop it.
But that’s only half of the story.
Kaspersky releases report of Apple iPhone zero-click exploit
To date, the FSB has provided no proof of its claims.
However, a report coinciding with the FSB’s proclamations came from Kaspersky—a Russian cybersecurity company led by Eugene Kaspersky—long accused of close ties to the Kremlin. Kaspersky published a technical report on Securelist (their cyber blog) analyzing Apple iPhone “zero-click exploits” via an iMessage attachments.
iOS Triangulation: How the iMessage malware attachment infects the iPhone
A zero-click exploit in this case would result in a targeted iPhone becoming infected with malware after receiving an iMessage with the attachment. The targeted device would not need to open the attachment or perform any other action.
According to Kaspersky, “the code within the exploit downloads several subsequent stages from the command and control (C&C) server, that include additional exploits for privilege escalation.”
A number of domains have been identified by Kaspersky as part of the operation used to download the additional C&C malware payloads.
A final payload is then downloaded from the C&C server, that assembles the advanced persistent threat (APT) platform on the targeted iPhone. The original iMessage with attachment is automatically deleted.
Kaspersky spokesperson Sawyer Van Horn said in an email to TechCrunch that the company determined that one of the vulnerabilities used in the operation is known and was fixed by Apple in December 2022, but may have been exploited before it was patched, along with other vulnerabilities. “Although there is no clear indication the same vulnerabilities were exploited previously it is quite possible,” the spokesperson said.
The company has called this research “Operation Triangulation”, and dubbed the actual malware as “iOS Triangulation.”
Kaspersky claims that their own team of researchers discovered the attack after monitoring unusual web traffic on their corporate network. The earliest detected incidents of iOS Triangulation on company devices were back in 2019, and are still ongoing, according to the company.
Apple’s response to iPhone zero-click exploit malware iOS Triangulation
Apple has denied the allegations, saying it has never worked with any government to insert a backdoor into its products. The company has also said that it is committed to protecting the privacy of its users.
“We have never worked with any government to insert a backdoor into any Apple product and never will.”
– Apple spokesperson in a statement released to BleepingComputer.
The allegations have raised concerns about the security of Apple products—in the eyes of the Russian government, at least—and the potential for government surveillance. Russia has previously recommended that all Presidential administration employees switch from using Apple iPhones and if possible, give up American-made technology entirely.
The incident also highlights the growing tensions between Russia and the United States.
How to check if your iPhone is infected with iOS Triangulation, a zero-click malware
Kaspersky has published to GitHub a free tool to check if your iPhone has been infected with what they refer to as iOS Triangulation. The published code is available on GitHub and a full blog post on Securelist documents the process of actually performing the check on your iPhone.
