What is known so far?

On June 1, 2023, Kaspersky published a notification in which the company stated that several members of their top- and mid-management had their iPhones compromised as part of an APT attack codenamed Operation Triangulation. After being made aware of Kaspersky’s research, Group-IB experts immediately launched their own analysis of these discoveries. Any notable findings will be added to this blog and communicated to Group-IB clients.

In order to raise awareness of this new threat, we would like to highlight the most important findings into Operation Triangulation at this stage:

  1. The first traces of Operation Triangulation date back to 2019, and the most recent version of iOS that was confirmed on infected devices was 15.7. It is not yet known if newer versions of iOS can be compromised.
  2. This is a zero-click vulnerability, so it does not require any interaction from the user. Once a malicious iMessage is received, the device is infected and an APT toolkit is deployed on the iPhone.
  3. Network indicators are a strong sign of Operation Triangulation: look for connections to known command-and-control (C2) infrastructure. The strongest sign of confirmed device compromise is evidence gathered during forensic analysis.
  4. On June 2, Kaspersky researchers released a new tool that can also automatically discover traces of Operation Triangulation in iTunes backups.
  5. There is at least one indirect indicator of potential infection (inability to update iOS).
  6. The APT toolkit is run with elevated (root) privileges, collects information about the device, and it can download and run an arbitrary module.
  7. Rebooting an infected device does not guarantee the removal of the malware — the Kaspersky team discovered that even after rebooting, a device was infected again.
  8. The research is still ongoing and new data may potentially be disclosed.

Am I in danger?

There are several ways to detect the presence of the Operation Triangulation APT toolkit. Here is what we know so far:

  • The most easily observed indicator of compromise on an infected device is the inability to install iOS updates. Any attempt to update the device ends with the error message “Software Update Failed. An error occurred downloading iOS.”
  • The Kaspersky team has published a list of C2 infrastructure. These can also be found at the bottom of this blog. Group-IB would like to highlight that its Threat Intelligence unit is currently working to enrich this list of indicators.
  • Kaspersky also provided instructions on how to perform forensic analysis that can confirm infection.

Recommendations to organizations

  1. We recommend checking the history of network sensors in your organization to detect whether employees’ iPhones were infected (it is possible to ascertain whether a device was connected to the corporate Wi-Fi network and performed a DNS request for any of the C2 domains listed below).
  2. Checking C2 connections may reveal that a device is infected, but it won’t tell the full story. We recommend that organizations conduct a forensic analysis, as this is the most reliable way to understand what actions were performed by the threat actor.
  3. If you believe your device may be infected, we recommend performing the forensic steps outlined above, or getting in touch with Group-IB’s Digital Forensics team, composed of experts who can support organizations in investigating a smartphone security breach both at Group-IB premises and on-site.
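As an added illustration of recommendation 1 (this is example code written for this post, not Group-IB or Kaspersky tooling), the script below scans resolver or DNS-sensor log lines for queries that hit the C2 domains listed at the bottom of this notification. It refangs the published indicators, matches only exact names or true subdomains (so a look-alike such as `notbackuprabbit.com` is not flagged), tolerates the trailing root dot some resolvers log, and groups hits per client IP so each device that needs forensic follow-up is listed once. The log format (`<timestamp> <client_ip> <qtype> <qname>`) and the sample lines are assumed and constructed; adapt the parsing to your own sensor export.

```python
"""Scan DNS sensor logs for queries to the Operation Triangulation C2 domains listed
in this notification. Added example, not Group-IB or Kaspersky tooling."""
from __future__ import annotations

from collections import defaultdict
from typing import Iterable

# Defanged C2 domains as published in the "List of C2s" section of this notification.
C2_DOMAINS_DEFANGED = (
    "addatamarket[.]net", "backuprabbit[.]com", "businessvideonews[.]com",
    "cloudsponcer[.]com", "datamarketplace[.]net", "mobilegamerstats[.]com",
    "snoweeanalytics[.]com", "tagclick-cdn[.]com", "topographyupdates[.]com",
    "unlimitedteacup[.]com", "virtuallaughing[.]com", "web-trackers[.]com",
    "growthtransport[.]com", "anstv[.]net", "ans7tv[.]net",
)


def refang(domain: str) -> str:
    """Turn a defanged indicator ("example[.]com") back into a matchable hostname."""
    return domain.replace("[.]", ".").strip().lower()


C2_DOMAINS = frozenset(refang(d) for d in C2_DOMAINS_DEFANGED)


def matched_c2(qname: str) -> str | None:
    """Return the C2 domain that a queried name equals or is a subdomain of, else None.

    Matching requires a label boundary, so 'notbackuprabbit.com' does not match
    'backuprabbit.com'. Case and a trailing root dot ('ans7tv.net.') are normalised.
    """
    name = qname.rstrip(".").lower()
    for c2 in C2_DOMAINS:
        if name == c2 or name.endswith("." + c2):
            return c2
    return None


def find_c2_queries(lines: Iterable[str]) -> list[dict]:
    """Parse lines of the assumed form '<timestamp> <client_ip> <qtype> <qname>' and
    return one record per query that touches a listed C2 domain."""
    hits = []
    for raw in lines:
        parts = raw.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines rather than abort the scan
        ts, client, qtype, qname = parts
        c2 = matched_c2(qname)
        if c2 is not None:
            hits.append({"timestamp": ts, "client": client, "qtype": qtype,
                         "qname": qname, "c2": c2})
    return hits


def clients_by_c2_contact(hits: Iterable[dict]) -> dict[str, list[str]]:
    """Group hits per source IP: each device that needs forensic follow-up, once."""
    seen: dict[str, set[str]] = defaultdict(set)
    for h in hits:
        seen[h["client"]].add(h["c2"])
    return {client: sorted(domains) for client, domains in sorted(seen.items())}


# Constructed sample log for a corporate Wi-Fi segment; not real traffic.
SAMPLE_LOG = """\
2023-06-02T10:15:01Z 10.0.12.34 A backuprabbit.com
2023-06-02T10:15:02Z 10.0.12.34 AAAA www.apple.com
2023-06-02T10:15:07Z 10.0.12.56 A cdn.tagclick-cdn.com
2023-06-02T10:15:09Z 10.0.12.78 A notbackuprabbit.com
2023-06-02T10:16:00Z 10.0.12.34 A ans7tv.net.
2023-06-02T10:16:03Z 10.0.12.90 A example.org
"""

if __name__ == "__main__":
    found = find_c2_queries(SAMPLE_LOG.splitlines())
    for h in found:
        print(f"{h['timestamp']} {h['client']} queried {h['qname']} -> C2 {h['c2']}")
    print(clients_by_c2_contact(found))
```

On the constructed sample this reports three C2 queries from two clients (10.0.12.34 and 10.0.12.56) and ignores the look-alike domain; those two devices are the ones to hand to forensic analysis, as recommendation 2 notes that a DNS hit alone does not tell the full story.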

Group-IB’s research into Operation Triangulation is still ongoing; we will update this notification with any new findings.

List of C2s

  • addatamarket[.]net
  • backuprabbit[.]com
  • businessvideonews[.]com
  • cloudsponcer[.]com
  • datamarketplace[.]net
  • mobilegamerstats[.]com
  • snoweeanalytics[.]com
  • tagclick-cdn[.]com
  • topographyupdates[.]com
  • unlimitedteacup[.]com
  • virtuallaughing[.]com
  • web-trackers[.]com
  • growthtransport[.]com
  • anstv[.]net
  • ans7tv[.]net