Apple refused to pay bug bounty to Russian cybersecurity firm Kaspersky Lab

Apple declined to issue a bug bounty to the Russian cybersecurity company Kaspersky Lab after it disclosed four zero-day vulnerabilities in iPhone software that were allegedly used to spy on Kaspersky employees as well as Russian diplomats.

A spokesperson for Kaspersky Lab told Recorded Future News that the company’s research team considered their work “eligible for Bug Bounty rewards from Apple. However, when asked about it, we received a decline from the Apple Security team referring to the dedicated policy.”

Apple did not provide a comment when contacted by Recorded Future News.

Bug bounties are a common way for companies to encourage researchers to disclose vulnerabilities to them instead of monetizing them by selling them to malicious actors that might exploit them. 

Kaspersky publicly disclosed a suspected highly sophisticated spying campaign last year, with the company’s chief executive and namesake Eugene Kaspersky describing it as “an extremely complex, professionally targeted cyberattack” impacting “several dozen iPhones of the company’s employees — both top and middle-management.”

Operation Triangulation, as the spying campaign was named, was “definitely the most sophisticated attack chain we have ever seen,” the Kaspersky researchers said, with an explanation of it including 13 separate bullet points.

Due to the sophistication of how the vulnerabilities were exploited and the limited targeting of the attackers — seeking intelligence material rather than financial details — it was suspected to be state-sponsored.

On the same day as Kaspersky’s disclosure, Russia's Federal Security Service (FSB) accused the United States and Apple of having collaborated to enable the U.S. to spy on Russian diplomats.

The FSB provided few public details regarding the alleged operation affecting diplomats, but Russia’s computer security agency separately claimed that the indicators of compromise of both campaigns were the same.

The key problem potentially indicating collaboration was a vulnerability tracked as CVE-2023-38606. According to Kaspersky, this affected a particularly unusual hardware feature that was not actually used by any iOS firmware. As such the researchers suggested it may have been intended for debugging or testing purposes or was included in the iPhone operating system by mistake.

“We do not know how the attackers learned to use this unknown hardware feature or what its original purpose was. Neither do we know if it was developed by Apple or if it's a third-party component,” stated Kaspersky.

At the time a spokesperson for Apple disputed the allegations it had colluded with a state to enable any spying on its customers, stating: “We have never worked with any government to insert a backdoor into any Apple product and never will.”

Once bitten, twice shy 

The allegation that Apple refused to pay a bug bounty reward to Kaspersky comes amid an intensifying period of antagonism between the United States and the Russian Federation following Moscow’s full-blown invasion of Ukraine.

In a statement that March, Apple said: “We are deeply concerned about the Russian invasion of Ukraine and stand with all of the people who are suffering as a result of the violence”

The company, which is an American multinational, announced that as a result of the invasion it was suspending all of its product sales in Russia and removing state-controlled media organizations’ apps from its App Store, as well as limiting access to services such as Apple Pay for existing customers.

Although Kaspersky is not specifically sanctioned in the United States in relation to the Ukraine conflict, the Department of Homeland Security had previously banned its products from government use on security grounds due to the level of control anti-virus software requires on a computer and the risks attached to that control for a company based in Russia.

Kaspersky has also been accused of allowing the FSB to use its anti-virus software to scan computers for intelligence material, although no public evidence of this has been produced and Kaspersky has denied the claims, stating that if its team ever detects classified material then it is ordered to be immediately deleted.

Speaking to Russian-language media agency RTVI, Kaspersky’s research head Dmitry Galov said that typically cybersecurity companies like Kaspersky nominated a charity to receive the funds from the Apple Bug Bounty program instead of collecting the revenue itself. 

He added that although Kaspersky was confident the attacker was state-sponsored, he and his research team did not have the technical data needed to identify which state may have been behind the attack.

A spokesperson for Kaspersky did not respond to whether it had nominated a charity when initially contacting Apple, nor whether the company’s refusal to issue a bounty would affect its decision to disclose vulnerabilities discovered in the future.