Kaspersky researchers say they have uncovered a mobile malware campaign targeting their researchers the same day that Russian intelligence services referenced the report to accuse the U.S. government and Apple of collaborating to place backdoors in Apple mobile phones.
In a post published June 1, a quartet of Kaspersky researchers say the campaign was discovered while monitoring the company's corporate Wi-Fi network traffic for mobile devices. While iPhones are notoriously difficult to examine forensically, the company keeps offline backups of its devices, which allowed the researchers to partially examine the filesystem, user data and databases.
"Basically, the phone was connecting to the servers getting the attachment or iMessage, and then the next minute the phone started connecting to some weird suspicious domain. So we started looking more into that and ... we were able to recover this APT platform that was being delivered to the devices," Igor Kuznetsov, head of EEMEA at Kaspersky's Global Research and Analysis Team, told SC Media Thursday.
That effort revealed “specific artifacts that indicate” a number of company phones were infected with “zero-click” mobile malware. According to Kaspersky, a targeted iOS device receives an iMessage with an attachment containing the malware. That message automatically triggers a vulnerability that allows remote code execution, after which the implant contacts command-and-control servers for additional malware payloads that provide privilege escalation and other capabilities, before deleting the message itself.
According to Kuznetsov, the first exploit provides initial access and compromise, while the second gives an attacker kernel-level access to the device. The individuals targeted were not just security researchers but also managers and other top executives at the firm.
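The detection approach Kaspersky describes (an Apple iMessage/iCloud fetch followed within about a minute by a connection to an unfamiliar domain from the same phone) can be written as a simple correlation over corporate Wi-Fi DNS logs. The example below is added here and is not Kaspersky's tooling; the log format, the Apple host suffixes, the IP addresses and the domain names are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Hosts a normal iMessage attachment fetch touches. This suffix list is an
# assumption for the example, not a list taken from the Kaspersky report.
APPLE_SUFFIXES = (".apple.com", ".icloud.com", ".icloud-content.com", ".apple-dns.net")
WINDOW = timedelta(seconds=60)          # "the next minute" from the quote
LOG_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+)$")  # "YYYY-MM-DD HH:MM:SS client domain"


def is_apple(domain):
    return domain.endswith(APPLE_SUFFIXES)


def parse(lines):
    """Yield (timestamp, client_ip, domain) from constructed DNS log lines."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines
        ts, client, domain = m.groups()
        yield datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), client, domain.lower()


def find_suspicious(lines, known_good=()):
    """Return (client, domain, seconds_after_apple) for every lookup of a
    non-Apple, non-allowlisted domain made within WINDOW of that client's
    most recent Apple lookup. Sorting makes the correlation order-independent."""
    last_apple = {}
    hits = []
    for ts, client, domain in sorted(parse(lines)):
        if is_apple(domain):
            last_apple[client] = ts
            continue
        if domain in known_good or domain.endswith(tuple(known_good)):
            continue
        prev = last_apple.get(client)
        if prev is not None and timedelta(0) <= ts - prev <= WINDOW:
            hits.append((client, domain, int((ts - prev).total_seconds())))
    return hits


# Constructed sample log: one phone (10.0.0.17) shows the suspicious pattern.
SAMPLE_LOG = """\
2023-05-30 09:12:01 10.0.0.17 p42-content.icloud.com
2023-05-30 09:12:03 10.0.0.17 gateway.icloud.com
2023-05-30 09:12:41 10.0.0.17 c2-placeholder.example
2023-05-30 09:15:10 10.0.0.23 gateway.icloud.com
2023-05-30 09:15:12 10.0.0.23 www.example.org
2023-05-30 09:40:00 10.0.0.23 unrelated.example
""".splitlines()

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG, known_good=("example.org",)):
        print("suspect:", hit)
```

The allowlist matters in practice: without it, every ordinary site visited right after an iMessage arrives is flagged, so the heuristic is a triage filter for forensic follow-up, not a verdict.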
"It gains complete root access over the phone — basically all the sensors, the microphone, the screen, all the data on the phone — and it starts getting the commands from the server and doing whatever the operator wants," he said.
Donncha Ó Cearbhaill, head of the Security Lab at Amnesty Tech, said Kaspersky used Amnesty's Mobile Verification Toolkit to discover the attack and posted a list of indicators of compromise associated with the campaign on GitHub.
Initially, Kaspersky researchers thought they may have been targeted with Pegasus, a notorious piece of mobile phone malware created by NSO Group, but Kuznetsov said that apart from the zero-click technique used to gain initial access, there is no intersection between the indicators of compromise associated with Pegasus and the mobile malware campaign they discovered.
Kaspersky is still investigating the final payload, but the company said they believe the activity has been going on for years.
“The timelines of multiple devices indicate that they may be reinfected after rebooting. The oldest traces of infection that we discovered happened in 2019. As of the time of writing in June 2023, the attack is ongoing, and the most recent version of the devices successfully targeted is iOS 15.7,” the researchers wrote.
Claims by Russian government exceed those made by Kaspersky
The Russian CERT posted a report the same day that referenced Kaspersky's research but expanded on the claims, alleging that the Federal Security Service (FSB) uncovered a U.S. intelligence operation using Apple mobile devices. The report claimed it found “several thousand” infected phones, including ones with SIM cards that linked to Russian embassy personnel, as well as individuals and organizations in China, NATO countries, Israel and other countries.
“In the course of ensuring the security of the Russian telecommunications infrastructure, anomalies specific only to users of Apple mobile phones and caused by operation of previously unknown malicious software (VPO) that uses software vulnerabilities provided by the manufacturer,” the FSB wrote, according to a Google-translated transcript.
To be clear, those claims go well beyond what is contained in Kaspersky's report on June 1, and Kuznetsov told SC Media they are not attributing the activity to any government or actor at this time, nor are they claiming that Apple was a willing participant in the scheme. Their analysis has been confined to the phones of internal employees and they have no information at this time about other individuals, organizations or countries that may have been targeted. He said when the company discovered the campaign, it notified the CERTs of countries around the world, including Russia, and only learned of the claims when the Russian CERT posted its own report.
"We are not attributing it to any actor at all, [and] for us it is a completely new, unknown actor," Kuznetsov said.
However, founder Eugene Kaspersky also said on Twitter that: "We are quite confident that Kaspersky was not the main target of this cyberattack."
"The coming days will bring more clarity and further details on the worldwide proliferation of the spyware," Kaspersky wrote on Twitter on June 1.
In a statement sent to SC Media, an Apple spokesperson categorically denied the Russian government's accusation that the company colluded with U.S. agencies, saying “we have never worked with any government to insert a backdoor into any Apple product and never will.”
Rocky relationship between Kaspersky and U.S. government
Taking the public claims of Russian intelligence or government services at face value can be treacherous, but the underlying research and comments from Kaspersky and Amnesty Tech lend credence to some of the charges. Kuznetsov nonetheless made it clear that Kaspersky is not attributing this campaign to a specific actor or country, nor is it claiming that Apple collaborated with any party to deliberately place vulnerabilities in its devices.
Kaspersky has its own fraught history and relationship with the U.S. government: the company’s software was banned from federal devices amid claims from national security officials that founder Eugene Kaspersky and top officials maintain a close relationship with Russian intelligence services and that local laws require the company to store and possibly hand over international customer data at the behest of the Kremlin.
Kaspersky has consistently denied those charges and opened transparency centers to allow independent review of its source code. While some U.S. security researchers are distrustful of the company, it is also widely respected for producing quality threat intelligence research, including on Russian-origin operations.
Kuznetsov said Kaspersky is continuing to investigate the chain of exploits, which he described as "very, very complicated," and to identify the specific parts of the operating system that were targeted in the campaign.
Correction: This story was updated to reflect Igor Kuznetsov's current title.