In the world of cybersecurity, Kaspersky is a household name.
The Moscow-based company specializes in exposing hacking campaigns sponsored by governments. In particular, Kaspersky has distinguished itself by revealing operations sponsored by both the Russian state and Western countries.
In this context, the firm has just pointed out a new and very sophisticated attack targeting Apple iPhones.
This unprecedented cyberattack managed to infect "several dozen iPhones of our employees," Kaspersky says.
The malware is said to transmit private information, such as microphone recordings, photos from instant messages, geolocation and data about a number of other activities, to remote servers, according to a June 1 report.
Noteworthy is that on the day Kaspersky's report was published, the Russian secret service, FSB, accused the U.S. National Security Agency and Apple (AAPL) of having hacked the iPhones of thousands of Russians.
No User Action Is Required to Infect iPhones
Kaspersky said it detected the hacking at the beginning of the year while inspecting its employees' iPhones. The spyware exploits several vulnerabilities in iOS, Apple's mobile operating system, after which the attackers take control of the user's iPhone.
The attackers enter the phone via iMessage. The iPhone user receives a message containing a malicious attachment that automatically exploits one or more vulnerabilities in iOS. What is striking is that the user does not need to click on or open the message: no action at all is required from the victim, which is why such attacks are called "zero-click."
"It is important to note that, although the malware includes portions of code dedicated specifically to clear the traces of compromise, it is possible to reliably identify if the device was compromised," Kaspersky's researchers say in their report.
"Furthermore, if a new device was set up by migrating user data from an older device, the iTunes backup of that device will contain the traces of compromise that happened to both devices, with correct time stamps."
The devices were infected with what Kaspersky researchers described as a "fully functional APT platform." APT, or Advanced Persistent Threat, refers to attackers with almost unlimited resources who target specific individuals over long periods. APTs are almost always backed by governments.
Once the APT malware is installed, the initial message that started the chain of infection is deleted. The deployment of the spyware is completely hidden and does not require any user action.
Dubbed "Operation Triangulation," this attack gets its name from the fact that the malware uses a technique known as "canvas fingerprinting" to find out which hardware and software are installed on a phone.
Kaspersky Recommends Lockdown Mode
Eugene Kaspersky, the cybersecurity firm's CEO, detailed the campaign in a lengthy Twitter thread that caught Elon Musk's attention. The Tesla (TSLA) CEO was particularly interested in ways to avoid or circumvent the attack.
"Important: Disabling iMessage would prevent iOS devices from Triangulation attack," Kaspersky advised iPhone users.
"Is playing iMessage game safe? I think the #Malware found its way via it," a Twitter user asked.
"Better disable it," Kaspersky responded.
It was then that Musk asked him whether another feature Apple recently introduced would not be more effective.
"Does lockdown mode address this?" the billionaire asked.
"Yes, we do recommend disabling iMessage and enabling the lockdown mode," Kaspersky responded.
Last September, Apple introduced Lockdown Mode, a special security setting in iOS. The feature deliberately restricts usability and access to functionality that is frequently targeted by exploits within services like iMessage and Apple's WebKit browser engine.
Kaspersky researchers said that the first traces of "Operation Triangulation" infections date back to 2019, and as of June 2023, the attacks were ongoing.
The firm cannot say whether any of the vulnerabilities were "zero-days," meaning flaws that were unknown to Apple and unpatched in iOS at the time they were exploited.
Apple did not immediately respond to a request for comment. But according to a statement given to other media, the iPhone maker says Kaspersky's findings appear to relate to phones running iOS 15.7 and earlier. The most recent version of iOS is 16.5.
"We have never worked with any government to insert a backdoor into any Apple product and never will," Apple told Wired magazine.
Russian Spy Agency Accuses Apple
In a statement, the Russian FSB accused Apple of colluding with U.S. authorities, especially the NSA, to hack thousands of Russians. The Russian agency neither substantiates its accusations nor details the attack in question. This absence of details makes it difficult to know whether the hacking Kaspersky describes is the same as the one described by the Russian authorities.
"The information received by the Russian special services testifies to the close cooperation of the American company Apple with the national intelligence community, in particular the US NSA, and confirms that the declared policy of ensuring the confidentiality of personal data of users of Apple devices is not true," the FSB said.
The FSB also said that it "found that several thousand telephone sets of this brand were infected. At the same time, in addition to domestic subscribers, facts of infection of foreign numbers and subscribers using SIM cards registered with diplomatic missions and embassies in Russia, including the countries of the NATO bloc and the post-Soviet space, as well as Israel, SAR and China, were revealed."
The NSA did not immediately respond to a request for comment.