According to recent claims by Russian intelligence, Apple and the NSA are collaborating to spy on diplomats. While Apple has long emphasized the security of iOS, the closed nature of the operating system makes it challenging for security researchers to detect cyberattacks. Russian cybersecurity firm Kaspersky has uncovered a sophisticated attack targeting iPhones running iOS 15.7 or older, particularly those belonging to Kaspersky management and key employees.
Coinciding with these findings, the Russian Federal Security Service (FSB) has accused Apple of working closely with the NSA to create a backdoor for planting spyware on thousands of iPhones owned by diplomats from various countries. Kaspersky acknowledges these allegations but has been unable to verify a direct connection between the attacks. While the spyware described by the FSB resembles the one found on Kaspersky devices, the Russian agency has not provided a technical analysis of the malware.
Apple has denied the accusations, stating that it has never collaborated with any government to insert backdoors into its products.
Turning to the spyware discovered by Kaspersky, it appears to be another instance of a zero-click attack called Triangulation. This stealthy intrusion campaign employs Canvas fingerprinting to leave a distinctive mark in the targeted device’s memory. Kaspersky has determined that the campaign is ongoing and may have started as far back as 2019.
The attack begins with attackers sending victims a specially-crafted message via iMessage. Once received, a malicious attachment in the message automatically triggers the exploit, even without the recipient opening the message or attachment. By the time the victim attempts to delete the message, the exploit will have already downloaded spyware, granting hackers deeper access to the compromised device.
Kaspersky researchers managed to analyze infected devices by retrieving data from backups created using the Mobile Verification Toolkit. They also note that the malware does not persist after a device reboot, although some phones have shown evidence of reinfection.