An iPhone hacking toolkit used by Russian spies may have come from a U.S. military contractor
Source: TechCrunch
Overview
A large-scale hacking campaign targeting iPhone users in Ukraine and China used tools that appear to have been created by U.S. military contractor L3Harris, TechCrunch reports. The tools were originally designed for Western intelligence agencies and ended up in the hands of a range of hacking groups, including Russian government operatives and Chinese cybercriminals.
Background
- Google's 2025 disclosure – Google reported that an advanced iPhone hacking toolkit called “Coruna” had been used in a series of attacks around the world.
- Toolkit composition – Coruna comprises 23 components and was originally used in “highly targeted operations” by an unnamed government customer and an unspecified surveillance vendor.
- Later abuse – The toolkit was subsequently used by Russian spies to target a small number of Ukrainians, and by Chinese cybercriminals in a large-scale campaign to steal money and cryptocurrency.
Independent analysis
Researchers at mobile security firm iVerify independently reviewed Coruna and suggested it may originally have been built by a company that sold it to the U.S. government.
The L3Harris connection
Two former L3Harris employees, speaking anonymously, confirmed that Coruna was at least partly developed by Trenchant, the company's hacking and surveillance division.
“Coruna was indeed the component name used internally,” said a former employee familiar with Trenchant's iPhone hacking tools.
“From the technical details… a lot of it looks familiar,” they added, referring to the evidence published by Google.
Key points from the former employees
- The broader Trenchant toolkit contained multiple components, including Coruna and related exploits.
- Some details in the publicly disclosed hacking toolkit originated from Trenchant.
- L3Harris sold Trenchant's tools only to the U.S. government and its “Five Eyes” allies (Australia, Canada, New Zealand, the United Kingdom).
- Given Trenchant's limited customer base, Coruna was probably first obtained by one of those intelligence agencies before falling into adversaries' hands.
Note: An L3Harris spokesperson did not respond to a request for comment.
Contact us
Do you have more information about Coruna or other government hacking and spyware tools? From a non-work device, you can contact Lorenzo Franceschi‑Bicchierai securely:
- Signal: +1 917 257 1382
- Telegram / Keybase / Wire: @lorenzofb
- Email: lorenzo@techcrunch.com
A global iPhone hacking toolkit
How Coruna travelled from a Five Eyes government contractor to Russian government hackers and then to Chinese cybercrime gangs remains murky. The circumstances surrounding it echo, to some extent, the case of Peter Williams, the former general manager of Trenchant.
Who is Peter Williams?
- Background – An Australian citizen, 39, who worked at Trenchant (a U.S. defense contractor).
- Crime – Between 2022 and his resignation in mid-2025, Williams sold eight Trenchant hacking tools to Operation Zero, a Russian broker that offers millions of dollars for zero-day exploits.
- Outcome – After pleading guilty and admitting that he stole and sold the tools for $1.3 million, he was sentenced to seven years in prison.
“Williams used his ‘complete access’ to Trenchant's network to betray the United States and its allies,” the U.S. government said. The tools could potentially have given attackers access to millions of computers and devices worldwide, including iOS devices.
Operation Zero
- Sanctioned by the U.S. Treasury (February 2026).
- Claims to work only with the Russian government and local companies.
- The Treasury alleged that the broker sold the tools stolen by Williams to at least one unauthorized user, and linked the group to the Trickbot ransomware gang.
How Coruna spread
| Stage | Actor | What happened |
|---|---|---|
| 1 | Trenchant / Peter Williams | Developed, then stole, the Coruna toolkit. |
| 2 | Operation Zero | Obtained Coruna from Williams; possibly resold it to the Russian government. |
| 3 | UNC 6353 (Russian espionage group) | Deployed Coruna on compromised Ukrainian websites to target iPhone users in specific geographic locations. |
| 4 | Intermediary brokers | Possibly passed the toolkit on to other parties (e.g. Trickbot affiliates). |
| 5 | Chinese hackers | Ultimately obtained Coruna, according to U.S. prosecutors. |
| 6 | Korean broker | Williams later found his own code in use by this broker, suggesting further proliferation. |
Key takeaways
- Zero-day exploits are extremely valuable; Operation Zero reportedly pays tens of millions of dollars for such vulnerabilities.
- The chain of ownership for a tool like Coruna can be long and complex, passing through multiple countries and criminal actors.
- Sanctions and prosecutions aim to disrupt these channels, but the toolkit's continued use shows how quickly stolen code spreads.
Image caption: Kaspersky and L3Harris Operation Triangulation logos
Operation Triangulation
Google researchers wrote on Tuesday that two specific Coruna exploits and underlying vulnerabilities—called Photon and Gallium by their original developers—were used as zero‑days in Operation Triangulation, a sophisticated hacking campaign allegedly used against Russian iPhone users. Operation Triangulation was first revealed by Kaspersky in 2023 (TechCrunch article).
Rocky Cole, the co‑founder of iVerify, told TechCrunch that “the best explanation based on what’s known right now” points to Trenchant and the U.S. government being the original developers and customers of Coruna, although he added he isn’t claiming this definitively.
Cole’s three‑factor assessment
- Timeline alignment – Coruna’s use lines up with the Williams leaks.
- Module similarity – The three modules (Plasma, Photon, Gallium) found in Coruna bear strong similarities to Triangulation.
- Shared exploits – Coruna re‑used some of the same exploits used in that operation.
According to Cole, “people close to the defense community” claim Plasma was used in Operation Triangulation, “although there’s no public evidence of that.” (Cole previously worked at the U.S. National Security Agency.)
Google and iVerify say Coruna was designed to hack iPhone models running iOS 13 through 17.2.1, released between September 2019 and December 2023. Those dates line up with the timeline of some of Williams’s leaks and the discovery of Operation Triangulation.
Insider hints
- A former Trenchant employee told TechCrunch that when Triangulation was first revealed in 2023, other employees believed that at least one of the zero‑days caught by Kaspersky “were from us, and potentially ‘ripped out’ of the” overarching project that included Coruna.
- Security researcher Costin Raiu noted that the use of bird names for some of the 23 tools—Cassowary, Terrorbird, Bluebird, Jacurutu, Sparrow—points to Trenchant.
In 2021, The Washington Post revealed that Azimuth, one of the two startups later acquired by L3Harris and merged into Trenchant, had sold a hacking tool called Condor to the FBI in the infamous San Bernardino iPhone‑cracking case.
Geopolitical fallout
After Kaspersky published its research on Operation Triangulation, Russia’s Federal Security Service (FSB) accused the NSA of hacking “thousands” of iPhones in Russia, targeting diplomats in particular. A Kaspersky spokesperson said the company had no information on the FSB’s claims, but noted that the “indicators of compromise” identified by the Russian National Coordination Centre for Computer Incidents (NCCCI) were the same ones Kaspersky had identified.
“Despite our extensive research, we are unable to attribute Operation Triangulation to any known Advanced Persistent Threat (APT) group or exploit‑development company,” said Boris Larin, a security researcher at Kaspersky.
Larin explained that Google linked Coruna to Operation Triangulation because both exploit the same two vulnerabilities—Photon and Gallium.
“Attribution cannot be based solely on the fact of exploitation of these vulnerabilities. All the details of both vulnerabilities have long been publicly available, and thus anyone could have taken advantage of them,” he added, noting that those two shared vulnerabilities “are just the tip of the iceberg.”
Kaspersky never publicly accused the U.S. government of being behind Operation Triangulation. Curiously, the logo Kaspersky created for the campaign—an Apple logo composed of several triangles—resembles the L3Harris logo, which may not be a coincidence. Kaspersky has previously said it would not publicly attribute a hacking campaign while quietly signaling that it actually knew who was behind it, or who provided the tools.
Historical parallels
In 2014, Kaspersky announced that it had caught a highly sophisticated and elusive government hacking group called “Careto” (Spanish for “mask”). The company said only that the hackers spoke Spanish, but the mask illustration in its report included the red and yellow of the Spanish flag, bull horns and a nose ring, and castanets.
As TechCrunch revealed last year, Kaspersky's researchers privately concluded that Careto was “without a doubt” run by the Spanish government.
Recent commentary
On Wednesday, cybersecurity journalist Patrick Gray said on an episode of his podcast Risky Business that, based on “scattered pieces of information” he is confident in, the hacking toolkit Williams leaked to Operation Zero is the same one used in Operation Triangulation.
“I think the evidence strongly points to a direct connection between the leaked tools and Operation Triangulation,” Gray said.
Additional notes
Apple, Google, Kaspersky and O (text truncated here).
Operation Zero did not respond to a request for comment.