Russia says US hacked thousands of iPhones in iOS zero-click attacks


Russian cybersecurity firm Kaspersky says some iPhones on its network were hacked using an iOS vulnerability that installed malware via iMessage zero-click exploits.

The delivery of the message exploits a vulnerability that leads to code execution without requiring any user interaction, leading to the download of additional malicious payloads from the attackers’ server.

Subsequently, the message and attachment are wiped from the device. At the same time, the payload stays behind, running with root privileges to collect system and user information and execute commands sent by the attackers.

Kaspersky says the campaign started in 2019 and reports the attacks are still ongoing. The cybersecurity firm has named the campaign “Operation Triangulation” and is inviting anyone who knows more about it to share information.

Analysis of the malware

As it’s impossible to analyze iOS from the device, Kaspersky used the Mobile Verification Toolkit to create filesystem backups of the infected iPhones to recover information about the attack process and the malware’s function.

While the malware attempts to delete traces of the attack from devices, it still leaves signs of infection, like system file modifications that prevent the installation of iOS updates, abnormal data usage, and the injection of deprecated libraries.

The analysis revealed that the first signs of infection happened in 2019, and the most recent iOS version that was infected by the malicious toolset is 15.7.

Malicious encrypted attachment (Kaspersky)

Note that the latest major iOS release is 16.5, which might already have fixed the vulnerability used in these malware attacks.

The exploit sent via iMessage triggers an unknown vulnerability in iOS to perform code execution, fetching subsequent stages from the attacker’s server, including privilege escalation exploits.

The security firm has provided a list of 15 domains associated with this malicious activity, which security admins can use to check historical DNS logs for possible signs of exploitation on their devices.
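The check the article describes, going through historical DNS query logs for lookups of the published domains, as an added example that is not part of the original article or of Kaspersky's report. The indicator domains and log lines below are constructed placeholders, not the 15 real domains; matching is done on label boundaries so that subdomains of an indicator count as hits while look-alike names that merely end in the same characters do not.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Placeholder indicators (constructed): NOT the 15 domains Kaspersky published.
IOC_DOMAINS = {"c2-placeholder-1.example", "c2-placeholder-2.example"}

# Constructed sample lines in BIND-style query-log format.
SAMPLE_LOG = """\
01-Jun-2023 09:12:01.123 client 10.0.0.12#51234: query: www.apple.com IN A + (10.0.0.1)
01-Jun-2023 09:12:05.456 client 10.0.0.12#51235: query: update.c2-placeholder-1.example IN A + (10.0.0.1)
01-Jun-2023 09:13:10.789 client 10.0.0.17#51236: query: notc2-placeholder-1.example IN A + (10.0.0.1)
01-Jun-2023 09:14:00.000 client 10.0.0.19#51237: query: C2-Placeholder-2.EXAMPLE. IN AAAA + (10.0.0.1)
"""

QUERY_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<name>\S+) IN")

def normalize(name: str) -> str:
    """Lower-case the name and strip a trailing dot (absolute-name form)."""
    return name.lower().rstrip(".")

def matches_ioc(name: str, iocs: Iterable[str]) -> Optional[str]:
    """Return the indicator that name equals or is a subdomain of, else None.

    Matching is on label boundaries, so 'notc2-placeholder-1.example' does
    not match 'c2-placeholder-1.example'.
    """
    name = normalize(name)
    for ioc in iocs:
        ioc = normalize(ioc)
        if name == ioc or name.endswith("." + ioc):
            return ioc
    return None

def scan_dns_log(log_text: str, iocs: Iterable[str] = IOC_DOMAINS) -> List[Tuple[str, str, str]]:
    """Return (client_ip, queried_name, matched_indicator) for each hit."""
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        ioc = matches_ioc(m.group("name"), iocs)
        if ioc:
            hits.append((m.group("client"), normalize(m.group("name")), ioc))
    return hits

if __name__ == "__main__":
    for client, name, ioc in scan_dns_log(SAMPLE_LOG):
        print(f"{client} queried {name} (matches indicator {ioc})")
```

A hit only shows that a device resolved one of the domains; the article's own caveat applies that the toolset has no persistence, so the finding should be followed up with a filesystem backup check rather than treated as proof of a live infection.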

Network exploitation sequence (Kaspersky)

After root privilege escalation, the malware downloads a fully-featured toolset that executes commands for collecting system and user information and downloading additional modules from the C2.

Kaspersky notes that the APT toolset dropped on the device has no persistence mechanisms, so a reboot would effectively stop it.

At this time, only a few details about the functions of the malware were made public, as the analysis of the final payload is still underway.

Russia accuses NSA of attacks

In a statement coinciding with Kaspersky’s report, Russia’s FSB intelligence and security agency claims that Apple deliberately provided the NSA with a backdoor it can use to infect iPhones in the country with spyware.

The FSB alleges that it has discovered malware infections on thousands of Apple iPhones belonging to officials within the Russian government and staff from the embassies of Israel, China, and several NATO member nations in Russia.

Despite the seriousness of the allegations, the FSB has provided no proof of its claims.

The Russian state has previously recommended that all presidential administration employees and members switch from using Apple iPhones and, if possible, give up American-made technology entirely.

Kaspersky confirmed to BleepingComputer that the attack impacted its headquarters office in Moscow and employees in other countries. Still, the company stated it’s in no position to verify a link between its findings and the FSB’s report, as it does not have the technical details of the government’s investigation.

However, Russia’s CERT released an alert linking FSB’s statement to Kaspersky’s report.

BleepingComputer has contacted Apple to request a comment on both Kaspersky’s findings and FSB’s allegations, but we are still waiting to receive a response.

Update 6/2 – An Apple spokesperson has sent BleepingComputer the following comment:

We have never worked with any government to insert a backdoor into any Apple product and never will.


  • EndangeredPootisBird – 4 days ago

    About time they got a taste of their own medicine.

  • GenericUsername – 3 days ago

    What, may I ask, is a Pootis bird? Are you wearing pantyhose on your head (your profile picture)?

  • h_b_s – 4 days ago

    Meh, probably yet another false flag. Russia is constantly doing a deed then blaming others for the effects. Tiresome.

    Chief Russian Paranoiac Putin is just making sure his frenemies aren’t plotting to get rid of him.

  • mikebutash – 4 days ago

    So I’m not an Apple person, but seeing how often their zero-days show up these days, I began noting that most of these all seem to be iMessage if not Safari related. FFS, why do people use it? I know Apple has long since trained their monkeys in the I-way of everything and it’s all they know like good beasts, but you’d think Apple would at least find better ways of limiting the impact since it’s the most commonly exploited means within their ecosystem.

    It seems iMessage and Safari are to be the Internet Explorers of Apple. Even Microsoft eventually shot IE in the face since they couldn’t secure or fix it after 20 years of being a malware gloryhole; guess Apple is hell-bent on having the same legacy.

  • Amigo-A – 3 days ago

    Truth cannot be concealed indefinitely.

  • EndangeredPootisBird – 3 days ago

    Says the one who constantly spreads anti-West and pro-Russia propaganda, with no evidence to back up anything you say.

    Seriously, you’re truly a sad loser, really goes to show how years of brainwashing can change someone.

  • Sagis – 3 days ago

    As always, Kaspersky found something. But nobody from Russia is giving true proof. So it’s just BS.

  • johnlsenchak – 3 days ago

    Russian paranoia

  • Chris Cosgrove – 3 days ago

    Russia and the USA are not friends, so it would be remiss of their intelligence agencies not to try to gather any and all information they can on each other. Apart from that, all intelligence agencies keep an eye on each other’s countries – friends and opponents alike. As has been said, it is easier to spy on your friends than your enemies!

    It would be surprising only if it was proved that the US was not trying to hack iPhones in Russian use.

  • herbman – 20 hours ago

    Russia is a hell of a lot more believable than the USA at this point. Most don’t have a clue what’s really happening in Ukraine, but I can assure you it’s the exact opposite of what the mainstream media is reporting.


