Kaspersky traces spyware attack on staff iOS devices back to 2019

Russian cyber security firm Kaspersky Lab has discovered covert spyware on its staff’s iPhones that dates back to at least 2019.

The advanced persistent threat (APT) campaign, which Kaspersky has dubbed Operation Triangulation, involves the infection of iOS devices through the iMessage app in order to steal user data.

Researchers said they discovered evidence of the campaign targeting its own staff dating as far back as 2019, and that it, at the time of writing, remains an ongoing threat.

Kaspersky believes the intention of the attack was to place spyware on devices belonging to senior employees at the cyber security company.

The attack is thought to begin with a hidden iMessage being sent to victims, which contains a malicious attachment. This initial payload is then triggered on a device without user knowledge through a zero-click vulnerability.

Once active, the package connects to the attackers’ command and control (C2) server to download a much larger payload. This exfiltrates personal data, microphone recordings, geolocation information, and photos sent on messaging apps.

“Our experts have discovered an extremely complex, professional targeted cyberattack that uses Apple’s mobile devices,” wrote Kaspersky Lab CEO Eugene Kaspersky.

“The purpose of the attack is the inconspicuous placing of spyware into the iPhones of employees of at least our company – both middle and top management.”

Although the closed nature of iOS has impeded efforts to analyze the Triangulation payload, initial research showed that it exploits iOS flaws to perform privilege escalation.

This allows it to run code with root privileges, in which the malware effectively gains total control over a system with the power to amend or remove even core system files.

Kaspersky Lab discovered Operation Triangulation while conducting a scan of its Wi-Fi network traffic.

Malicious activity can be identified in network traffic including network interaction between iMessage and the domain ‘*.ess.apple.com’, connections to a series of known C2 domains, or the download of an encrypted, 242 Kb iMessage attachment.

Another indicator of compromise for Operation Triangulation that has already been found is the appearance of a process titled ‘BackupAgent’ in a device’s data usage lines. Infected devices are also unable to update to the latest version of iOS.

Researchers are confident that the firm is not the main target of Operation Triangulation, but stopped short of speculation over who may be. Further investigation will look at the international spread of the campaign.

Eugene Kaspersky noted that this is not the first time his company has fallen victim to a targeted malware campaign.

He cited Duqu 2.0 as one example, an APT which was discovered on Kaspersky Lab systems in 2015. This sophisticated worm exploited zero-day vulnerabilities in Windows to steal data without detection and did so for three months before being rooted out.

The threat actors behind the sophisticated attack have not yet been identified. 

Reuters reported that Russia’s Federal Security Service (FSB) accused the US National Security Agency (NSA) of committing the attacks in collaboration with Apple, without evidence.

Some have compared the activity of the spyware to NSO Group’s Pegasus, the spyware that authoritarian governments used to target high-profile business and media figures through covert observation and data theft.

However, in a Twitter thread Eugene Kaspersky reported that the activity of Operation Triangulation does not overlap with that of known iOS malware such as Pegasus.

Kaspersky researcher Georgy Kucherin also tweeted that the spyware does not persist, and that attackers “have to reinfect the device when it reboots”. 

This could raise hopes that regular phone reboots would work as a measure against prolonged device infection. 

Evidence of the attack chain suggests that disabling iMessage would protect iOS devices from Operation Triangulation but that once infected, devices have to undergo a factory reset and manual reinstallation of iOS and the user environment.

As infected devices cannot update, a reboot does nothing to make a device less vulnerable to subsequent reinfection.

Eugene Kaspersky speculated in a tweet that the iOS Lockdown Mode security feature could protect against initial infection, but this has not yet been proven.