Apple addresses two zero-days exploited in Operation Triangulation spyware campaign

Apple has released patches for two zero-days exploited in a spyware campaign that the Russian government has blamed on the U.S.

The campaign, dubbed Operation Triangulation, was first publicized by the Moscow-based cybersecurity company Kaspersky in early June after the malware was detected on iPhones within its own network; on Wednesday the company followed up with new research describing how the spyware behaves. The campaign has been active since 2019 and attacks its targets by sending iMessages with malicious attachments.

The two zero-days, dubbed CVE-2023-32434 and CVE-2023-32439, were each reported to Apple by Kaspersky researchers. Neither bug is known to have affected devices newer than iOS 15.7.

“Kaspersky researchers discovered kernel and WebKit vulnerabilities during the investigation of the Operation Triangulation attack reported earlier this month,” the company said. “The team proactively collaborated with the Apple Security Research team by sharing information about the attack and reporting the exploits.”

While the exact threat actor behind the campaign is not known, it was put into the spotlight in early June when Russia’s Federal Security Service (FSB) claimed the spyware was being used by U.S. intelligence to target the iPhones of Russian diplomats.

In a statement the same day as Kaspersky’s report, the FSB alleged the U.S. had infected thousands of iPhones with the malware, while also accusing Apple of complicity in the campaign. According to the agency, both domestic users as well as foreign numbers using SIM cards registered with diplomatic missions and embassies in Russia were targeted.

"We have never worked with any government to insert a backdoor into any Apple product and never will," an Apple spokesperson told The Record at the time.

While neither Kaspersky nor the FSB explicitly linked the two campaigns, Russia’s computer security agency reported that the indicators of compromise were the same.

After a half-year investigation into the exploitation chain, Kaspersky found that the implant is deployed after the attackers gain root privileges, and that the spyware operates solely in the device’s memory. Traces of it disappear after a reboot, after which the malware would need to be reinstalled onto the device. The implant is also set to disappear after 30 days unless the attackers choose to extend it.

Researchers identified 24 commands sent by the malware, including creating, modifying and exfiltrating files, dumping keychain items and monitoring geolocation. They noted that one file used to define configuration settings had a method named “populateWithFieldsMacOSOnly,” suggesting that the malware could be used on macOS devices as well.

“As we delved into the attack, we discovered a sophisticated iOS implant that displayed numerous intriguing oddities,” said Georgy Kucherin, security expert at Kaspersky Global Research and Analysis Team, in a press release.

“We continue analyzing the campaign and will keep everyone updated with further insights into this sophisticated attack.”

James Reddick has worked as a journalist around the world, including in Lebanon and in Cambodia, where he was Deputy Managing Editor of The Phnom Penh Post. He is also a radio and podcast producer for outlets like Snap Judgment.