Zero-click malware attack through Apple’s iMessage service
In a major cybersecurity incident, a zero-click malware attack through Apple’s iMessage service has been actively infecting iPhones. The malware, dubbed “Operation Triangulation,” has been silently compromising devices and collecting microphone recordings, photos, geolocation data, and other sensitive information from iPhones for at least four years.
The Moscow-based security firm Kaspersky reported this advanced cyberattack after detecting anomalies in its network traffic coming from Apple devices. The firm found that several dozen iPhones belonging to its employees were infected with this highly sophisticated spyware. The spyware installs itself by exploiting several vulnerabilities in the iOS operating system, delivered through an invisible iMessage carrying a malicious attachment. The deployment of the spyware is completely hidden and requires no action from the user, and the initial message that starts the infection chain is automatically deleted once the malware is installed.
“Operation Triangulation” gets its name from a technique the malware uses, known as canvas fingerprinting, to identify the hardware and software on a phone. During that process, the malware “draws a yellow triangle in the device’s memory” as part of its operation.
The earliest traces of the Triangulation infections date back to 2019, and the attacks were ongoing as of June 2023. The most recent iOS version successfully targeted was 15.7. A Kaspersky representative noted that it’s unclear if any of the vulnerabilities were zero-days – unknown to Apple and unpatched in iOS at the time they were exploited. There is also no indication in Kaspersky’s account that any of the exploits work on iOS versions later than 15.7.
Despite its sophistication, the malicious toolset is unable to gain persistence, meaning it doesn’t survive reboots. Victims reportedly received zero-click exploits again after rebooting their devices.
Russian officials have accused the US National Security Agency (NSA) of being part of a broader campaign that used the malware to infect several thousand iPhones belonging to people inside diplomatic missions and embassies in Russia, specifically from those located in NATO countries, post-Soviet nations, Israel, and China. Russia’s Federal Security Service (FSB) even alleged that Apple cooperated with the NSA in the campaign. However, Apple has categorically denied these allegations, stating they have never worked with any government to insert a backdoor into any Apple product and never will.
Kaspersky has stated that they believe they were not the main target of this cyberattack, and in the coming days, they will provide more clarity and further details on the worldwide proliferation of the spyware. The origin of this malware and the targets of the campaign are yet to be fully uncovered.