Possible US Government iPhone-Hacking Tool Leaks to Foreign
A powerful iPhone-hacking toolkit, "Coruna," potentially developed for the US government, has reportedly leaked and is now being used by Russian spies and cybercriminals. Google discovered the sophisticated exploits, capable of silently hijacking iPhones, which were first seen targeting Ukrainians and later used to steal cryptocurrency from Chinese victims. This proliferation highlights a dangerous "second-hand" market for advanced cyber weapons.

A sophisticated iPhone-hacking toolkit, potentially originating from a US government contractor, has reportedly fallen into the hands of Russian intelligence and, subsequently, cybercriminals. Dubbed "Coruna" by Google researchers, this powerful set of exploits, capable of silently hijacking iPhones by merely visiting a website, represents a critical security leak with alarming implications for global mobile device safety and international espionage. Its observed journey from targeting Ukrainians to stealing cryptocurrency from Chinese-speaking victims highlights a dangerous proliferation of advanced cyber capabilities.
Google's Tuesday report details Coruna as a highly advanced toolkit comprising five distinct hacking techniques that exploit 23 vulnerabilities in iOS. These techniques allow for the silent installation of malware on an iPhone simply by visiting a compromised website. Such a comprehensive collection of exploits suggests development by a well-funded, likely state-sponsored entity.
Coruna's Troubling Trajectory
The toolkit's evolution is a concerning timeline. Google initially detected components of Coruna in February of last year, attributing their use to an undisclosed “customer of a surveillance company.” Five months later, a more complete version resurfaced, employed in an espionage campaign by a suspected Russian spy group, discreetly embedded within visitor counters on Ukrainian websites. Most recently, Coruna has been observed in a purely profit-driven operation, infecting Chinese-language crypto and gambling sites to steal victims' cryptocurrency.
While Google's report is notably silent on the original "surveillance company customer," mobile security firm iVerify provides a strong suggestion: the code may have been built for or acquired by the US government. iVerify co-founder Rocky Cole points to Coruna's overlap with "Triangulation," a hacking operation discovered targeting Kaspersky in 2023, which Russia attributed to the NSA. Cole further notes the code appears to have been originally written by English speakers and bears the “hallmarks of other modules that have been publicly attributed to the US government,” calling it the first instance of “very likely US government tools…spinning out of control.”
An "EternalBlue Moment" for Mobile
This potential leak raises profound questions about the security of mobile devices globally, akin to what iVerify’s Cole terms the “EternalBlue moment for mobile malware.” EternalBlue was an NSA Windows-hacking tool stolen and leaked in 2017, leading to widespread catastrophic cyberattacks like WannaCry and NotPetya. Google warns that Coruna's proliferation suggests an “active market for ‘second hand’ zero-day exploits,” meaning these advanced techniques could be adopted or adapted by various threat actors.
Apple has since patched the vulnerabilities exploited by Coruna in iOS 17.3 and later versions. However, devices running iOS 13 through 17.2.1 remain susceptible, particularly for Safari users, as the toolkit targets Apple's WebKit framework. Coruna also checks for and avoids devices with Apple's Lockdown Mode enabled, providing a layer of protection for users who utilize this stringent security setting. Despite these limitations, iVerify estimates that the cybercriminal version of Coruna alone may have infected roughly 42,000 devices, based on command-and-control server traffic. The full extent of infections from the Russian espionage campaign remains unclear.
Professional Origins, Crude Alterations
Spencer Parker, iVerify's chief product officer, described the core Coruna exploits as "very professionally written" and modular, contrasting them with the "poorly written" additions made by cybercriminals to steal cryptocurrency, photos, and emails. Rocky Cole argues against the possibility of Coruna being merely repurposed components of Triangulation, emphasizing that many elements are novel and the entire toolkit appears to have been crafted by a "single author," indicating a cohesive, purpose-built framework.
The Role of Exploit Brokers
The precise mechanism of Coruna's potential leak remains a mystery. However, experts like Cole point to the shadowy industry of zero-day exploit brokers who deal in sophisticated hacking techniques for tens of millions of dollars. These brokers, often “unscrupulous,” may sell tools to the highest bidder without exclusivity arrangements. Cole suggests that Coruna likely “ended up in the hands of a non-Western exploit broker, and they sold it to whoever was willing to pay,” echoing the sentiment that “the genie is out of the bottle.” This scenario gains some context from recent events, such as the sentencing of Peter Williams, an executive of US government contractor Trenchant, who sold hacking tools to a Russian zero-day broker.
The emergence and wide-ranging proliferation of Coruna underscore a chilling new reality in cybersecurity. A potent, potentially state-developed, iPhone-hacking capability has now entered the global black market, posing an ongoing threat to individuals and national security interests alike, even as the original source and the full extent of its impact continue to unravel.
FAQ
Q: What is Coruna and why is it significant?
A: Coruna is a highly sophisticated iPhone-hacking toolkit that exploits 23 vulnerabilities in iOS to silently install malware on devices. It's significant because it represents a rare and powerful capability, possibly originating from the US government, that has since proliferated to Russian spies and cybercriminals, raising major concerns about mobile security.

Q: Which iPhone users are vulnerable to Coruna?
A: iPhone users running iOS versions 13 through 17.2.1 are primarily vulnerable, especially if using Safari, as the toolkit targets Apple's WebKit framework. Apple has patched these vulnerabilities in iOS 17.3 and later. Devices with Apple's Lockdown Mode enabled are not targeted by Coruna.

Q: How did Coruna potentially get into the hands of foreign adversaries and criminals?
A: While unconfirmed, security experts suggest that unscrupulous zero-day exploit brokers, who operate a multi-million-dollar market for hacking tools, may have sold Coruna to various buyers. This could explain its journey from a potential US government source to Russian espionage operations and then to cybercriminal groups.