The FSB's Lubyanka Building in Moscow. Image: AnnaIlarionova / Pixabay

Russia accuses US of hacking thousands of Apple devices to spy on diplomats

Russia's Federal Security Service (FSB) is accusing U.S. intelligence of hacking “thousands of Apple phones” to spy on Russian diplomats.

According to the FSB’s statement published on Thursday, the U.S. used previously unknown malware to target iOS devices.

Russian cybersecurity company Kaspersky also issued a report Thursday on iOS malware from an unknown source. A spokeswoman from Kaspersky initially told The Record that the company couldn’t verify whether the two attacks were connected, but an hour later sent an updated comment saying that Russia’s computer security agency had already stated publicly that the indicators of compromise in both reports are the same.

Kaspersky couldn’t confirm all of the FSB’s findings “due to the absence of technical details reported by them,” the spokeswoman said.

The FSB said that in addition to impacting domestic users, the malware also targeted foreign numbers and wireless subscribers who use SIM cards registered with diplomatic missions and embassies in Russia. The list included countries from the NATO bloc, the post-Soviet region, as well as Israel, Syria and China.

Russian intelligence claims that the investigation revealed that Apple is collaborating with the U.S. National Security Agency (NSA).

“This proves that Apple's stated commitment to protecting the privacy of user data is, in fact, misleading,” the FSB said.

The NSA declined to comment. An Apple spokesperson disputed the FSB report.

"We have never worked with any government to insert a backdoor into any Apple product and never will," the spokesperson said.

Oleg Shakirov, an expert on foreign policy and security at the Center for Strategic Research, said that this type of accusation from the FSB — which he referred to as “quasi-attribution” — is not unusual for Russian authorities.

“While somewhat specific, they lack technical details,” he wrote on Twitter.

For example, in April the FSB accused the U.S. and NATO of using Ukraine to launch cyberattacks on Russia.

The FSB’s latest statement was also followed by one from Russia’s Ministry of Foreign Affairs, warning of "global surveillance by the US."

“The United States has placed itself above the law,” the ministry’s statement said, adding: “No state has a right to abuse its technological capabilities.”

According to reports from Russian media, the Russian president's administration instructed its employees in March to get rid of their Apple devices. “No more iPhones. Either throw them away or give them to your kids,” one of the administration’s employees reportedly said.

The FSB didn’t provide any technical details about the malware and its alleged victims.

Kaspersky research

Kaspersky published a report on Thursday about previously unknown malware targeting iOS devices. The company’s CEO, Eugene Kaspersky, called it “an extremely complex, professionally targeted cyberattack” and said that “several dozen iPhones of the company’s employees — both top and middle-management — were impacted.”

The U.S. government has accused Kaspersky of being a national security threat and has barred the company's products from federal agencies. Kaspersky maintains that it operates independently from the Russian government.

The report did not attribute the malware to a specific source. Several hours later, Ivan Kwiatkowski, a senior researcher with the company, tweeted out an assessment that “the two sets of activities are in fact related.”

The operation described by Kaspersky began in 2019 and is still ongoing. The most recent iOS version confirmed to have been successfully compromised by the malware is iOS 15.7.

In this campaign, hackers send messages with an attachment containing an exploit to their targets via the iMessage service. Without any user interaction, the message triggers a vulnerability that leads to code execution.

The spyware also quietly transmits private information to remote servers: microphone recordings, photos from instant messengers, geolocation, and data about a number of other activities of the owner of the infected device.

Devices can be reinfected upon reboot, and the initial message and exploit in the attachment are deleted during the final stages of the infection process, clearing the traces of compromise.

One indirect sign that a device is infected is that it can no longer update iOS, Kaspersky said.

Kaspersky said it is still analyzing the spyware because security features on iOS devices can make them difficult to inspect — researchers have had to generate offline backups of the infected devices, the company said.

“Although not certain, we believe that the attack was not targeted specifically at Kaspersky — the company’s just first to discover it,” Kaspersky’s spokesperson told The Record.

“We’re awaiting further information from our colleagues from national CERTs and the cybersecurity community to understand the real exposure of this espionage campaign.”

Jonathan Greig and Martin Matishak contributed to this story.

Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.