Cyber Incident Victim: Kaspersky Lab
Date: Jan 2019
Location: Russia
Summary
A cybersecurity firm discovered iPhones compromised through a zero-click iMessage exploit delivering malware that executed code without user interaction, collected system and user data, and deleted attack traces while leaving indicators like abnormal data usage and system file modifications. The malicious toolset lacked persistence mechanisms, requiring device reboots for removal. Russian authorities attributed the campaign to a foreign intelligence agency, alleging deliberate backdoor access in Apple devices affecting government personnel and diplomatic staff, though no evidence was provided. The company confirmed infections among its own employees but could not verify state claims, while Apple denied collaborating on backdoors.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
In 2019, Kaspersky detected a sophisticated cyber espionage campaign targeting iPhones through a previously unknown iOS vulnerability, later designated "Operation Triangulation." The attack exploited a zero-click iMessage vulnerability that executed malicious code without user interaction, enabling the delivery of additional payloads from attacker-controlled servers. Upon successful exploitation, the malware automatically deleted the initial malicious message and attachment, leaving a payload running with root privileges on the device. This payload collected system and user data, executed remote commands, and transmitted information to command-and-control infrastructure.

Kaspersky's investigation, conducted with the Mobile Verification Toolkit on infected employee devices, revealed that the campaign remained active through at least mid-2023 and affected iOS versions up to 15.7. Forensic analysis identified multiple infection indicators, including modified system files that blocked iOS updates, abnormal network traffic patterns, and the presence of deprecated libraries. The malware lacked persistence mechanisms, so a device reboot would terminate its execution, although reinfection could occur through a subsequent zero-click exploit. Kaspersky identified 15 domains associated with the operation's infrastructure and confirmed infections among its Moscow headquarters staff and international employees.

The Russian Federal Security Service (FSB) publicly attributed the campaign to the U.S. National Security Agency in June 2023, alleging Apple had deliberately provided backdoor access for iPhone surveillance. Russian authorities claimed thousands of infected devices belonged to government officials and diplomatic staff from Israel, China, and NATO countries operating within Russia. While Kaspersky acknowledged its own corporate network compromise, it explicitly stated it could not validate the FSB's technical claims or establish a definitive connection to U.S. intelligence agencies. Russia's national CERT issued an advisory aligning the FSB's allegations with Kaspersky's technical report, and the Russian government reiterated prior recommendations for officials to discontinue iPhone use. Apple denied collaborating with any government to insert backdoors, emphasizing its commitment to user privacy. The company had not publicly addressed whether iOS versions beyond 15.7 contained patches for the exploited vulnerability at the time of reporting. Kaspersky's analysis of the final payload remained incomplete, though confirmed capabilities included environment reconnaissance, data exfiltration, and modular extension via downloaded components.
