Credit: Freestocks
The Russian federal security agency, the FSB, has put out a security alert claiming that US intelligence services are behind an attack campaign that exploits vulnerabilities in iOS and compromised thousands of iPhones devices in Russia, including those of foreign diplomats.
In a separate report, Russian antivirus vendor Kaspersky Lab said that several dozen of its senior employees and upper management were targeted as part of the operation, although unlike the FSB, the company did not attribute the attack to any specific state.
According to the company's analysis of infected devices, the operation has been ongoing since at least 2019 and starts with victims receiving an invisible message over the iMessage application with an attachment that initiates an exploit chain and then deletes itself.
"The deployment of the spyware is completely hidden and requires no action from the user," Kaspersky Lab's founder and CEO Eugene Kaspersky said in a blog post. "The spyware then quietly transmits private information to remote servers: microphone recordings, photos from instant messengers, geolocation, and data about a number of other activities of the owner of the infected device."
Operation Triangulation
Kaspersky Lab has dubbed the surveillance campaign as Operation Triangulation because the malware uses a hardware fingerprinting technique called canvas fingerprinting by drawing a yellow triangle in the device’s memory.
The investigation is ongoing, but what the researchers were able to determine so far is that the rogue iMessage attachment triggers a vulnerability when received by the device, and this leads to remote code execution. The exploit works on devices running iOS as recent as 15.7. After deploying the malicious payload it prevents future updates.
After the initial exploitation, the attack code downloads additional payloads from a command-and-control server that include additional privilege escalation exploits to give the attackers root privileges on the device. The final payload is what Kaspersky refers to as a fully featured APT platform.
"The analysis of the final payload is not finished yet," the researchers said in their technical report. "The code is run with root privileges, implements a set of commands for collecting system and user information, and can run arbitrary code downloaded as plugin modules from the CC server."
The malware is not persistent across device reboots, likely due to the limitations of iOS, but given the simplicity of the exploit, which requires no user interaction, this is not a big hurdle for the attackers as they can easily reinfect devices. Also, mobile devices are not rebooted very often.
Signs of iPhone infection
Performing live forensic analysis on iOS is not easy because the system is locked down and doesn't allow the deployment of security tools. As such, the researchers had to resort to offline analysis of filesystem backups generated with iTunes. These backups are encrypted and need to be decrypted before being parsed with an open-source forensic tool that will generate a report.
A sign that a device has been compromised are mentions of Datausage messages from a process called BackupAgent preceded by similar messages for a process called IMTransferAgent. The BackupAgent binary should not exist in modern iOS because it has been deprecated and replaced by a binary called BackupAgent2.
Other indicators are modification of one or several files: com.apple.ImageIO.plist, com.apple.locationd.StatusBarIconManager.plist, com.apple.imservice.ids.FaceTime.plist, as well as data usage information of the services com.apple.WebKit.WebContent, powerd/com.apple.datausage.diagnostics and lockdownd/com.apple.datausage.security.
Another less reliable indicator is modification of an SMS attachment directory (but no attachment filename), followed by data usage of com.apple.WebKit.WebContent, followed by modification of com.apple.locationd.StatusBarIconManager.plist in a short time window.
The company also published a list of command-and-control domains collected for its forensic analysis that the various payloads are downloaded from or connect to. While these could change in the future, defenders could check network DNS logs for any signs of past compromise in their networks. Kaspersky has also developed a utility in Python that can run against an iPhone offline backup and detect if any of these signs of compromise are present.
The FSB blames the US and Apple
In its alert issued via cert.gov.ru, the FSB said that the reconnaissance operation is the work of American intelligence services working in collaboration with Apple and claimed the vulnerabilities were provided by the software manufacturer. While there's no evidence presented for these claims, it's not surprising for Russia to blame the US for cyberattacks considering that US agencies frequently attribute cyberattacks to the Russian government.
The Russian security service said the targets of the campaign were thousands of iPhone users in Russia, as well as devices using foreign SIM cards and registered to diplomatic missions in Russia from China, Israel, Syria, as well as NATO and post-Soviet bloc countries.
Kaspersky Lab did not comment on the attack attribution or the source of the exploits, but Eugene Kaspersky was critical of Apple's closed source and locked-down operating system which he feels stifles security research. "We believe that the main reason for this incident is the proprietary nature of iOS," he said.
"This operating system is a 'black box,' in which spyware like Triangulation can hide for years. Detecting and analysing such threats is made all the more difficult by Apple’s monopoly of research tools – making it a perfect haven for spyware. In other words, as I’ve often said, users are given the illusion of security associated with the complete opacity of the system. What actually happens in iOS is unknown to cybersecurity experts, and the absence of news about attacks in no way indicates their being impossible – as we’ve just seen."
