Today – some breaking cybersecurity news on an incident we’ve just uncovered…
Our experts have discovered an extremely complex, professional targeted cyberattack aimed at Apple’s mobile devices. The purpose of the attack is the covert installation of spyware on the iPhones of employees of at least our company – both middle and top management.
The attack is carried out using an invisible iMessage with a malicious attachment, which, using a number of vulnerabilities in the iOS operating system, is executed on a device and installs spyware. The deployment of the spyware is completely hidden and requires no action from the user. The spyware then quietly transmits private information to remote servers: microphone recordings, photos from instant messengers, geolocation, and data about a number of other activities of the owner of the infected device.
Despite the attack being carried out as discreetly as possible, the infection was detected by the Kaspersky Unified Monitoring and Analysis Platform (KUMA) – a native SIEM solution for security information and event management; at the beginning of the year the system detected an anomaly in our network coming from Apple devices. Further investigation by our team showed that several dozen iPhones of senior employees were infected with new, extremely technologically sophisticated spyware we’ve dubbed “Triangulation”.
Due to the closed nature of iOS, there are no (and cannot be any) standard operating-system tools for detecting and removing this spyware on infected smartphones. To do this, external tools are needed.
An indirect indication of the presence of Triangulation on the device is the disabling of the ability to update iOS. For more precise and reliable recognition of an actual infection, a backup copy of the device needs to be made and then checked with a special utility. More detailed recommendations are set out in this technical article on Securelist. We’re also developing a free detection utility and will make it available once tested.
We’ve developed and made freely available the triangle_check utility, which can detect indicators of compromise in an Apple device’s backup. Detailed instructions on how to use it under different OSs (Windows, Linux and macOS), as well as how to create a device backup can be found in the post on Securelist.
Due to certain peculiarities inherent in the blocking of iOS updates on infected devices, we’ve not yet found an effective way to remove the spyware without losing user data. It can only be done by resetting infected iPhones to the factory settings and installing the latest version of the operating system and the entire user environment from scratch. Otherwise, even if the spyware is deleted from the device memory following a reboot, Triangulation is still able to re-infect through vulnerabilities in an outdated version of iOS.
Our report on Triangulation represents just the beginning of the investigation into this sophisticated attack. Today we’re publishing the first results of the analysis, but there’s still a lot of work to do. As the incident continues to be investigated, we’ll be publishing new data in a dedicated post on Securelist, and will share our full, finalized findings at the international Security Analyst Summit in October (follow the news on the site).
We’re confident that Kaspersky was not the main target of this cyberattack. The coming days will bring more clarity and further details on the worldwide proliferation of this spyware.
We believe that the main reason for this incident is the proprietary nature of iOS. This operating system is a “black box”, in which spyware like Triangulation can hide for years. Detecting and analyzing such threats is made all the more difficult by Apple’s monopoly of research tools – making it a perfect haven for spyware. In other words, as I’ve often said, users are given the illusion of security associated with the complete opacity of the system. What actually happens in iOS is unknown to cybersecurity experts, and the absence of news about attacks in no way indicates their being impossible – as we’ve just seen.
I’d like to remind you that this is not the first case of a targeted attack against our company. We’re well aware that we work in a very aggressive environment, and have developed the appropriate incident response procedures. Thanks to the measures taken, the company is operating normally, business processes and user data are not affected, and the threat has been neutralized. We continue to protect you, as always.
P.S. Why “Triangulation”?
To recognize the software and hardware specifications of the attacked system, Triangulation uses canvas fingerprinting technology and draws a yellow triangle in the device’s memory.