Exploiting several “zero-day” vulnerabilities in iOS devices, Operation Triangulation targeted the antivirus company Kaspersky, among others, in the summer of 2023. Here is a detailed look at the origin of this ultra-sophisticated cyberattack and the supposed reasons behind it, with the co-founder and CEO of Synacktiv, a firm specializing in offensive-minded security.

Behind the triangulation operation, can we discern the Five Eyes’ trademark?[1]

Renaud Feil: As you can imagine, I have no inside information on the subject; it’s all supposition. But given the number of zero-day-type vulnerabilities used and the expertise required to identify and exploit them, I’d say that the organization behind this cyberattack has a lot of resources at its disposal.

My reasoning is that the Five Eyes have these resources and are extremely interested in Russia. So there’s a good chance that it is them, or at least a state with equivalent capabilities.

Could it be a Western country other than the Five Eyes?

Renaud Feil: Yes, but when you consider the technical analysis, the vulnerabilities, their sequencing, the fact that the operation was discovered and that, according to Kaspersky, it affected a lot of people, this tells you that it has to be a fairly ambitious country that has – even if its cyberattack was detected – other vulnerabilities in stock to exploit.

Who were the targets of this attack?

Renaud Feil: According to the press release issued by the FSB (Federal Security Service of the Russian Federation), around a thousand phones were targeted. This includes VIPs, such as diplomats, as well as Kaspersky employees.

Is the general public under threat or just specific personalities?

Renaud Feil: The targets were highly specific personalities. Hackers generally avoid wasting their ammunition on random targets. However, it is conceivable that they also hacked certain friends and relatives. These people may hold sensitive information that could be used by an intelligence service.

Why target an antivirus solutions company like Kaspersky?

Renaud Feil: Antivirus companies are interesting in many ways. They carry out a great deal of telemetry on their customers’ equipment pools, gathering a wealth of information in the process. For an intelligence service, compromising a company like Kaspersky has many advantages.

Isn’t the risk of being discovered extremely high when attacking an antivirus specialist?

Renaud Feil: Not necessarily, because the iPhone world is fairly closed and quite difficult to debug. Observing an attack on an iPhone remains more complicated than doing so on a Windows or Linux computer network, for which there is a large number of investigation tools. Progress is being made in investigations on iPhones, but it remains a field in which few experts are really comfortable. As the Apple ecosystem is very closed, hackers who manage to penetrate the system are difficult to detect.

Kaspersky managed to understand how the attack worked primarily by observing the phones’ network communications. Kaspersky’s experts had to sort out the “good” network communications from the “bad” ones. Furthermore, if an implant is well designed, it will avoid communicating on a Wi-Fi network and wait until it is on 5G, because this network is more difficult to observe, although it is feasible. The experts at Kaspersky therefore had to be patient and wait for the right moment.

What worked in their favor, however, was the lack of a persistence mechanism in this attack. This means that restarting a corrupted iPhone made the hacker’s “backdoor” disappear, which required the hacker to reinfect the phone. Kaspersky was therefore able to experiment with restarting a number of phones and observing how they were compromised again, which enabled the firm to make headway in its investigation.

Is it possible that Apple collaborated in the creation of this type of espionage tool?

Renaud Feil: This is a hot topic in certain discussion groups, and it is an argument that Russia puts forward in its press release, claiming that Apple helped the NSA carry out this attack. There is currently nothing to justify such an accusation. In the past, Apple has always refused to do so, at least publicly.

That said, communities of security experts are permeable, and no one can really combat that. Some former Apple employees have gone on to work for cybersecurity companies close to the defense sector. Conversely, some former intelligence service employees now work at Apple, in iPhone security.

It is therefore likely that there are certain exchanges between Apple and the intelligence services, without Apple’s management even being involved. The Five Eyes intelligence community is very powerful, and it would be surprising if it did not have a foothold in the major telephone solution providers such as Apple.

However, it should be stressed that the Triangulation attack is not a backdoor that Apple may have installed in iPhones. According to Kaspersky’s explanations, we can see that these are real vulnerabilities that need to be exploited one after the other to achieve their purposes. It is therefore somewhat naive to accuse Apple and the NSA of directly collaborating.

What resources were invested in this operation?

Renaud Feil: The resources invested in this operation are difficult to assess, as they are directly linked to the levels of expertise and salaries of the engineers who worked on identifying these vulnerabilities and designing these tools. Certain engineers working on extremely specialized subjects can be very well paid.

The budget mentioned by some experts in the sector – €5 million – does not seem crazy to me. But the engineers’ salaries aren’t everything. You also need a team with solid IT skills. You will never manage to design these tools just by bringing forty “conventional” engineers together. It takes a special kind of country to mount this type of attack. Even with a very large budget, you need expertise, capacity and an excellent pool of IT talent.

The time needed to set up such an operation can be estimated at a minimum of one year if you already have a good team of engineers working in parallel, at a steady pace. If this is not the case, it should be borne in mind that it takes at least two or three years to acquire these skills.

[1] An alliance of intelligence services from Australia, Canada, New Zealand, the United Kingdom and the United States.
