Kaspersky targeted by an advanced cyberattack that infected employees’ iPhones

Posted on June 2, 2023 at 7:11 AM

Kaspersky, a security firm based in Moscow, has been targeted by an advanced cyberattack. The cyberattack infected the iPhones owned by several dozen employees using malware that harvests user data.

Kaspersky targeted by an advanced cyberattack

The founder of Kaspersky, Eugene Kaspersky, said that the company was confident that it was not the primary target of the hacking attack. He added that there would be more clarity and additional details on the global proliferation of these hacking attacks in the coming days.

Some officials within the Russian National Coordination Centre for Computer Incidents have said that the attacks were part of a larger campaign conducted by the US National Security Agency that infected the iPhones of diplomats based in Russia, particularly those representing NATO countries, China, Israel, and post-Soviet states.

The malware in question has targeted Kaspersky employees for at least four years and was delivered through iMessage. The messages carried a malicious attachment that exploited one or more bugs without requiring any action from the recipient. The Kaspersky researchers noted that the devices were infected by a “fully-featured APT platform.”

Once the APT malware was installed on a device, the initial message that started the infection chain was deleted. Kaspersky noted that the attackers operated as stealthily as possible to avoid detection and needed no interaction from the user. The spyware then transmitted personal information from the compromised device to remote servers.

“The attack is carried out as discreetly as possible. However, the fact of infection was detected by Kaspersky Unified Monitoring and Analysis Platform (KUMA), a native SIEM solution for information and event management; the system detected an anomaly in our network coming from Apple devices,” Kaspersky said.

Kaspersky added that the company had investigated the matter and realized that several dozen iPhones owned by its employees were infected by new spyware with high technological sophistication.
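The quote above attributes the discovery to a network-side anomaly rather than to anything found on the phones. As an added illustration of that kind of check, here is a small baseline-and-deviation detector run over constructed proxy log lines; it is example code written for this page, not Kaspersky's code and not how KUMA works. It assumes a hypothetical log format of `timestamp src_host user_agent dst_host bytes_out`, treats any client with an iPhone or CFNetwork user agent as an Apple device, and uses `.invalid` hostnames as placeholders. All log data is constructed.

```python
from collections import defaultdict
from typing import List, NamedTuple, Set, Tuple


class Flow(NamedTuple):
    """One outbound connection as logged by a proxy or egress firewall (hypothetical format)."""
    ts: str
    src: str        # client address
    ua: str         # user agent string as logged (no spaces, by assumption)
    dst: str        # destination host
    bytes_out: int  # bytes sent from the client to the destination


def parse_flows(lines: List[str]) -> List[Flow]:
    """Parse 'timestamp src user_agent dst bytes_out' lines; malformed lines are skipped, not fatal."""
    flows = []
    for line in lines:
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue
        ts, src, ua, dst, bytes_out = parts
        flows.append(Flow(ts, src, ua, dst, int(bytes_out)))
    return flows


def is_apple_device(flow: Flow) -> bool:
    """Heuristic device classification from the user agent (an assumption of this example)."""
    return "iPhone" in flow.ua or "CFNetwork" in flow.ua


def build_baseline(flows: List[Flow]) -> Set[str]:
    """Destinations the Apple fleet normally talks to during a clean learning window."""
    return {f.dst for f in flows if is_apple_device(f)}


def detect_anomalies(baseline: Set[str], flows: List[Flow],
                     min_bytes: int = 500_000) -> List[Tuple[str, str, int]]:
    """Flag (device, destination, bytes) where an Apple device sends a large volume
    of data to a destination never seen in the baseline. Sustained egress to a novel
    host is the signal; small one-off contacts with new CDNs stay below the threshold."""
    egress = defaultdict(int)
    for f in flows:
        if is_apple_device(f) and f.dst not in baseline:
            egress[(f.src, f.dst)] += f.bytes_out
    return sorted((src, dst, total) for (src, dst), total in egress.items()
                  if total >= min_bytes)


# Constructed learning window: normal Apple service traffic plus one Windows host.
BASELINE_LOG = [
    "2023-05-01T08:00:01 10.1.1.21 iPhone/15.7 gateway.icloud.com 4096",
    "2023-05-01T08:00:05 10.1.1.22 iPhone/15.7 mesu.apple.com 2048",
    "2023-05-01T08:01:10 10.1.1.23 CFNetwork/1406 p12-keyvalueservice.icloud.com 1024",
    "2023-05-01T08:02:00 10.1.1.40 Mozilla/5.0-Windows intranet.corp.example 8192",
]

# Constructed observation window: one iPhone repeatedly uploads to an unknown host,
# one Windows host uploads elsewhere (out of scope for this check), one line is garbage,
# and one iPhone touches a new host but only briefly.
OBSERVED_LOG = [
    "2023-06-01T09:00:01 10.1.1.21 iPhone/15.7 gateway.icloud.com 4096",
    "2023-06-01T09:00:07 10.1.1.23 CFNetwork/1406 gateway.icloud.com 1024",
    "2023-06-01T09:00:09 10.1.1.23 CFNetwork/1406 unknown-host.invalid 300000",
    "2023-06-01T09:03:15 10.1.1.23 CFNetwork/1406 unknown-host.invalid 350000",
    "2023-06-01T09:05:00 10.1.1.40 Mozilla/5.0-Windows bulk-upload.invalid 900000",
    "malformed line",
    "2023-06-01T09:06:00 10.1.1.22 iPhone/15.7 cdn.newvendor.invalid 12000",
]


def run_example() -> List[Tuple[str, str, int]]:
    baseline = build_baseline(parse_flows(BASELINE_LOG))
    return detect_anomalies(baseline, parse_flows(OBSERVED_LOG))


if __name__ == "__main__":
    for src, dst, total in run_example():
        print(f"ALERT apple device {src} sent {total} bytes to unseen host {dst}")
```

The threshold and the user-agent heuristic are deliberately crude; in a real SIEM the baseline would be learned per device and per time of day, and the destination check would be joined against threat intelligence and certificate data. The point of the example is the shape of the check: learn what the fleet normally talks to, then look for sustained egress from a single device to something outside that set.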

The Kaspersky researchers have also said that the earliest traces of Triangulation infections date back to 2019, and that the attacks were still ongoing as of June 2023. The most recent version successfully exploited, as of last month, was iOS 15.7. Kaspersky has also said it was unclear whether zero-day vulnerabilities were used in these attacks.

It also remains unclear whether Kaspersky detected the infections before the release of iOS 16 or whether the affected Kaspersky phones were still running the older version. A Kaspersky representative said that the company had identified one of the many vulnerabilities exploited by the threat actors, adding that it was likely CVE-2022-46690.

The ongoing cyber-espionage activity and the complexity of analysing the iOS platform mean that further research is needed to obtain more details about this issue. It has, however, been determined that the malware cannot achieve persistence, as it does not survive reboots.

Russia says Apple is working with the NSA

The recent report by Kaspersky comes after the Federal Security Service (FSB) said it had uncovered a reconnaissance operation allegedly conducted by American intelligence through Apple devices. The FSB has now accused Apple of supporting the NSA operation.

The officials further said that Apple’s stated policy of keeping user data on its devices confidential was not truthful. However, the officials did not provide any evidence of collusion between Apple and the NSA.

The Russian National Coordination Centre for Computer Incidents (NCCCI) also released a report that appeared to support the FSB’s accusations against Apple. The NCCCI has also said that the indicators of compromise remained the same.

This is not the first time Kaspersky has been successfully targeted in an APT campaign. In 2014, the company detected stealthy malware that had been inside its network for months while avoiding detection. The attacker went to great lengths to hide the origins of the infection.

Kaspersky said at the time that the malware used in that attack was an updated version of Duqu, which had been detected towards the end of 2011 and whose code was derived from Stuxnet. Subsequent evidence showed that Duqu was used to spy on Iran’s efforts to produce nuclear material and to monitor the country’s trade relationships.

Eugene Kaspersky has also acknowledged that the cybersecurity industry has become an aggressive environment, and said that the company is following the appropriate incident response procedures. He added that the company had taken measures that allowed normal operations to resume.

Publisher: KoDDoS Blog