An iPhone-hacking toolkit used by Russian spies likely came from U.S. military contractor
Source: TechCrunch
Overview
A large‑scale hacking operation targeting iPhone users in Ukraine and China employed tools that appear to have been created by U.S. military contractor L3Harris, according to TechCrunch. The tools, originally intended for Western intelligence agencies, eventually fell into the hands of various hacking groups, including Russian government operatives and Chinese cybercriminals.
Background
- Google’s 2025 disclosure – Google reported that a sophisticated iPhone‑hacking toolkit, dubbed “Coruna,” was used in a series of global attacks.
- Toolkit composition – Coruna consists of 23 components that were first employed in “highly targeted operations” by an unnamed government customer of an unspecified surveillance vendor.
- Subsequent abuse – The toolkit was later used by Russian spies against a limited number of Ukrainians and by Chinese cybercriminals in broad‑scale campaigns aimed at stealing money and cryptocurrency.
Independent analysis
Researchers at mobile‑security firm iVerify independently examined Coruna and suggested it may have been originally built by a company that sold it to the U.S. government.
L3Harris connection
Two former L3Harris employees (speaking anonymously) confirmed that Coruna was at least partially developed by the company’s hacking and surveillance division, Trenchant.
“Coruna was definitely an internal name of a component,” said one former employee familiar with Trenchant’s iPhone‑hacking tools.
“Looking at the technical details… so many are familiar,” they added, referring to evidence published by Google.
Key points from the former employees
- The broader Trenchant toolkit includes multiple components, among them Coruna and related exploits.
- Some details in the publicly released hacking toolkit originated from Trenchant.
- L3Harris sells Trenchant’s tools exclusively to the U.S. government and its Five Eyes allies (Australia, Canada, New Zealand, United Kingdom).
- Given Trenchant’s limited customer base, Coruna may have first been acquired by one of these intelligence agencies before ending up in the hands of adversaries.
Note: An L3Harris spokesperson did not respond to a request for comment.
Contact us
Do you have additional information about Coruna or other government hacking and spyware tools? You can reach Lorenzo Franceschi‑Bicchierai securely from a non‑work device:
- Signal: +1 917 257 1382
- Telegram / Keybase / Wire: @lorenzofb
- Email: lorenzo@techcrunch.com
A Globetrotting iPhone‑Hacking Toolkit
How Coruna moved from the hands of a Five Eyes government contractor to a Russian government hacking group, and then to a Chinese cyber‑crime gang, is still murky. Some of the surrounding circumstances echo the case of Peter Williams, a former general manager at Trenchant.
Who is Peter Williams?
- Background – Australian citizen, 39, who worked at Trenchant (a U.S. defense contractor).
- Crime – From 2022 until his resignation in mid‑2025, Williams sold eight Trenchant hacking tools to Operation Zero, a Russian broker that offers millions of dollars for zero‑day exploits.
- Outcome – He was sentenced to seven years in prison after pleading guilty to stealing and selling the tools for $1.3 million.
“Williams took advantage of having ‘full access’ to Trenchant’s networks and betrayed the United States and its allies,” the U.S. government said. The tools could have allowed attackers to access millions of computers and devices worldwide, including iOS devices.
Operation Zero
- Sanctioned by the U.S. Treasury (Feb 2026).
- Claims to work exclusively with the Russian government and local companies.
- The Treasury alleged that the broker sold Williams’s stolen tools to at least one unauthorized user, linking the group to the Trickbot ransomware gang.
The Path of Coruna
| Stage | Actor | What Happened |
|---|---|---|
| 1 | Trenchant / Peter Williams | Trenchant developed the toolkit; Williams stole Trenchant tools that may have included Coruna. |
| 2 | Operation Zero | Acquired the stolen tools from Williams; possibly resold them to the Russian government. |
| 3 | UNC6353 (Russian espionage group) | Deployed Coruna on compromised Ukrainian websites to target iPhone users from a specific geolocation. |
| 4 | Intermediate broker(s) | May have transferred the toolkit to other parties (e.g., Trickbot affiliates). |
| 5 | Chinese hackers | Eventually obtained Coruna, according to U.S. prosecutors. |
| 6 | South Korean broker | Williams later recognized his code being used by this broker, suggesting further proliferation. |
Key Takeaways
- Zero‑day exploits are highly valuable; Operation Zero reportedly offers tens of millions of dollars for them.
- The chain of custody for tools like Coruna can be long and convoluted, passing through multiple state and criminal actors.
- Sanctions and prosecutions aim to disrupt these pipelines, but the toolkit’s continued use shows how quickly stolen code can spread.

Image: Kaspersky and L3Harris
Operation Triangulation
Google researchers wrote on Tuesday that two specific Coruna exploits and underlying vulnerabilities—called Photon and Gallium by their original developers—were used as zero‑days in Operation Triangulation, a sophisticated hacking campaign allegedly used against Russian iPhone users. Operation Triangulation was first revealed by Kaspersky in 2023.
Rocky Cole, the co‑founder of iVerify, told TechCrunch that “the best explanation based on what’s known right now” points to Trenchant and the U.S. government being the original developers and customers of Coruna, although he added he isn’t claiming this definitively.
Cole’s three‑factor assessment
- Timeline alignment – Coruna’s use lines up with the Williams leaks.
- Module similarity – The three modules (Plasma, Photon, Gallium) found in Coruna bear strong similarities to Triangulation.
- Shared exploits – Coruna re‑used some of the same exploits used in that operation.
According to Cole, “people close to the defense community” claim Plasma was used in Operation Triangulation, “although there’s no public evidence of that.” (Cole previously worked at the U.S. National Security Agency.)
Google and iVerify say Coruna was designed to hack iPhone models running iOS 13 through 17.2.1, released between September 2019 and December 2023. Those dates line up with the timeline of some of Williams’s leaks and the discovery of Operation Triangulation.
Insider hints
- A former Trenchant employee told TechCrunch that when Triangulation was first revealed in 2023, other employees believed that at least one of the zero‑days caught by Kaspersky “were from us, and potentially ‘ripped out’ of the” overarching project that included Coruna.
- Security researcher Costin Raiu noted that the use of bird names for some of the 23 tools—Cassowary, Terrorbird, Bluebird, Jacurutu, Sparrow—points to Trenchant.
In 2021, The Washington Post revealed that Azimuth, one of the two startups later acquired by L3Harris and merged into Trenchant, had sold a hacking tool called Condor to the FBI in the infamous San Bernardino iPhone‑cracking case.
Geopolitical fallout
After Kaspersky published its research on Operation Triangulation, Russia’s Federal Security Service (FSB) accused the NSA of hacking “thousands” of iPhones in Russia, targeting diplomats in particular. A Kaspersky spokesperson said the company had no information on the FSB’s claims, but noted that the “indicators of compromise” identified by the Russian National Coordination Centre for Computer Incidents (NCCCI) were the same ones Kaspersky had identified.
“Despite our extensive research, we are unable to attribute Operation Triangulation to any known Advanced Persistent Threat (APT) group or exploit‑development company,” said Boris Larin, a security researcher at Kaspersky.
Larin explained that Google linked Coruna to Operation Triangulation because both exploit the same two vulnerabilities—Photon and Gallium.
“Attribution cannot be based solely on the fact of exploitation of these vulnerabilities. All the details of both vulnerabilities have long been publicly available, and thus anyone could have taken advantage of them,” he added, noting that those two shared vulnerabilities “are just the tip of the iceberg.”
Kaspersky never publicly accused the U.S. government of being behind Operation Triangulation. Curiously, the logo Kaspersky created for the campaign—an Apple logo composed of several triangles—resembles the L3Harris logo, which may not be a coincidence. Kaspersky has previously declined to publicly attribute a hacking campaign while quietly signaling that it knew who was behind it, or who provided the tools.
Historical parallels
In 2014, Kaspersky announced that it had caught a sophisticated and elusive government hacking group known as “Careto” (Spanish for “The Mask”). The company only said the hackers spoke Spanish, but the illustration of a mask in its report included the red and yellow colors of Spain’s flag, bull’s horns and nose ring, and castanets.
As TechCrunch revealed last year, Kaspersky researchers had privately concluded that “there was no doubt” that Careto was run by the Spanish government.
Recent commentary
On Wednesday, cybersecurity journalist Patrick Gray said on an episode of his podcast Risky Business that, based on “bits and pieces” he was confident about, the hacking kit leaked by Williams to Operation Zero was the same kit used in the Triangulation campaign.
“I think the evidence points strongly toward a direct link between the leaked tools and the Triangulation operation,” Gray remarked.
Additional notes
Apple, Google, Kaspersky, and Operation Zero did not respond to requests for comment.