In early summer 2023, Kaspersky discovered an attack targeting iOS devices. Named “Operation Triangulation”, this campaign used a sophisticated method to distribute zero-click exploits via iMessage. The aim was to gain complete control over the device and the user’s data.
The experts at Kaspersky’s Global Research and Analysis Team (GReAT) determined that the malicious agent’s main goal could be to discreetly monitor target users, including staff members at Kaspersky. Given the complexity of the attack and the closed nature of the iOS ecosystem, a dedicated team was formed and devoted a great deal of time and resources to performing a detailed technical analysis.
“We don’t know who attacked Kaspersky, at least not officially. Kaspersky has written nothing about this, and it could be – excuse the caricature – the US government as much as the Russian government. And when I say ‘US’, I mean countries in the Anglo-American sphere,” says Fred Raynal, CEO of Quarkslab.
The most surprising thing about this attack is its highly sophisticated nature. “Zero-click attacks are very costly to make. An attack like this is really very organized. It was devised by people with significant technical resources. Not just anyone can do this. It must have been a state actor,” says Fred Raynal.
Triangulation: five vulnerabilities exploited
Kaspersky researchers identified an initial entry point via a vulnerability in the font processing library. The second vulnerability, in the memory mapping code, was extremely powerful and easy to exploit, and gave the attackers access to the device’s physical memory. The attackers then exploited two further flaws to bypass the hardware security features of Apple’s latest processor.
Kaspersky also discovered that, in addition to being able to remotely infect Apple devices via iMessage without any user interaction, the attackers had a platform for carrying out attacks via the Safari web browser. This led to the detection and correction of the fifth vulnerability.
Once the malicious code was implanted on the phone, the attackers had access to everything on it and could monitor the user’s activity: their GPS position, their photos, their messages, their calls, and more.
iOS: a black box where spyware can hide
In a four-post series on LinkedIn, Fred Raynal broke down Operation Triangulation’s operating method and explained why he chose to publish it. “I wanted to show that attacks on iPhones exist, despite Apple and its community’s claim that you cannot be hacked if you have an iPhone. It’s just that it’s not the same attackers or the same attack methods as on Android.”
Eugene Kaspersky, founder and CEO of the company named after him, agrees in a blog post dated June 1, 2023. “We think the main reason for this incident is iOS’s closed nature. This operating system is a ‘black box’ in which spyware like Triangulation can hide for years. Detecting and analyzing threats like these is more difficult due to Apple’s monopoly on research tools, making it the ideal haven for spyware.”
“In other words, like I’ve said many times, users have an illusion of security given the system’s complete opacity. Cybersecurity experts don’t know what actually goes on in iOS. Just because there’s no news about attacks doesn’t mean that attacks are inherently impossible – we’ve just seen the contrary,” says Kaspersky’s founder.
Apple officially published security updates to correct the four “zero-day” vulnerabilities discovered by Kaspersky researchers (CVE-2023-32434, CVE-2023-32435, CVE-2023-38606, CVE-2023-41990). These vulnerabilities affected a wide range of Apple products, including iPhones, iPods, iPads, macOS devices, Apple TV and Apple Watch.
“The hardware security functions on devices with Apple’s most recent chips make them considerably more resistant to cyberattacks. This does not make them immune, however. Operation Triangulation reminds us that we must be careful when handling iMessage attachments that come from unknown sources. The strategies used in Operation Triangulation give us precious information and remind us that finding a balance between privacy and system accessibility can help improve security,” says Boris Larin, GReAT’s chief security researcher at Kaspersky.
To avoid falling victim to a targeted attack by a known or unknown threat actor, Kaspersky researchers recommend taking the following measures:
- Regularly update your operating system, your applications and your antivirus system to correct known flaws.
- Beware of emails, messages and phone calls asking for sensitive information. Verify the sender’s identity before sharing any personal information or clicking on suspicious links.
- Give your SOC access to the latest threat intelligence.
- Improve your team’s cybersecurity skills through training so they can weather the latest targeted threats.
- Deploy EDR solutions for endpoint detection and to quickly investigate and remediate incidents.