A Possible US Government iPhone-Hacking Toolkit Is Now In the Hands of Foreign Spies, Criminals

Published: March 3, 2026 at 10:00 PM EST
Source: Slashdot

Overview

Security researchers have identified a highly sophisticated iPhone exploitation toolkit called “Coruna.” The toolkit, which may have originated from a U.S. government contractor, has been observed moving from suspected Russian espionage operations to criminal campaigns that steal cryptocurrency. Apple has patched the vulnerabilities exploited by Coruna in newer iOS releases, but tens of thousands of devices could already be compromised.

Coruna Toolkit Details

  • Capabilities: Coruna includes five complete hacking techniques that can bypass all iPhone defenses and silently install malware when a device visits a malicious website.
  • Vulnerabilities: The toolkit leverages 23 distinct iOS vulnerabilities, a rare and extensive collection that suggests development by a well‑resourced, likely state‑sponsored group.
  • Code Origin: Analysis by mobile‑security firm iVerify indicates the code was originally written by English‑speaking developers and bears hallmarks of modules previously attributed to the U.S. government.

Timeline of Activity

  1. February 2023: Google’s researchers traced components of Coruna to hacking techniques used by a “customer of a surveillance company.”
  2. July 2023 (≈5 months later): A more complete version resurfaced in an espionage campaign linked to a suspected Russian spy group. The malicious code was hidden in a visitor‑counting component on Ukrainian websites.
  3. Late 2023: Coruna appeared again in a profit‑driven campaign targeting Chinese‑language crypto and gambling sites, delivering malware that steals victims’ cryptocurrency.

Possible Origin

  • U.S. Government Connection: iVerify’s co‑founder Rocky Cole notes that Coruna’s sophistication and development cost (millions of dollars) align with tools historically attributed to the U.S. government.
  • Triangulation Link: Both Google and iVerify observed that Coruna contains components previously used in the “Triangulation” operation, which targeted Russian cybersecurity firm Kaspersky in 2023 and was claimed by Russia to be an NSA effort. The U.S. government has not responded to those claims.

Implications

Google warns that Coruna’s proliferation illustrates an active market for “second‑hand” zero‑day exploits. The toolkit’s presence in the wild means it could be adopted or adapted by any hacker group seeking to target iPhone users. The report emphasizes that beyond the identified exploits, multiple threat actors now possess advanced exploitation techniques that can be reused and modified with newly discovered vulnerabilities.

