Russia’s Federal Security Service (FSB) has accused US intelligence services of spying on Russians via their iPhones. A post on the FSB website says that several thousand phones were infected with previously unknown malicious software. The software was said to exploit vulnerabilities that are unique to Apple’s handsets.
In addition to spying on Russians, the FSB also claimed that spyware was found on phones belonging to diplomats that work in Russia on behalf of NATO allies, former Soviet Union countries, Israel and China. They said this shows Apple’s policy of protecting the privacy of its customers cannot be relied upon.
The FSB’s account of spyware on iPhones was supplemented by an advanced persistent threat (APT) report published by Russian cybersecurity firm Kaspersky on their corporate website. Kaspersky made no claim to have determined the origin of the spyware but it was obvious from the context that they were discussing the same infected iPhones as the FSB. Kaspersky said they had…
…noticed suspicious activity that originated from several iOS-based phones. Since it is impossible to inspect modern iOS devices from the inside, we created offline backups of the devices in question, inspected them using the Mobile Verification Toolkit’s mvt-ios and discovered traces of compromise.
Kaspersky went on to document the sequence for infecting devices:
- The target iOS device receives a message via the iMessage service, with an attachment containing an exploit.
- Without any user interaction, the message triggers a vulnerability that leads to code execution.
- The code within the exploit downloads several subsequent stages from the C&C [command and control] server, that include additional exploits for privilege escalation.
- After successful exploitation, a final payload is downloaded from the C&C server, that is a fully-featured APT platform.
The malware then deletes the initial message and the exploit in the attachment to reduce the chances of being discovered. Kaspersky said the attack is ongoing, and they had evidence of it dating back to 2019.
The malicious toolset does not support persistence, most likely due to the limitations of the OS. The timelines of multiple devices indicate that they may be reinfected after rebooting. The oldest traces of infection that we discovered happened in 2019. As of the time of writing in June 2023, the attack is ongoing, and the most recent version of the devices successfully targeted is iOS 15.7. The analysis of the final payload is not finished yet. The code is run with root privileges, implements a set of commands for collecting system and user information, and can run arbitrary code downloaded as plugin modules from the C&C server.
The targeting of iPhones and the method of infection are both reminiscent of Pegasus, the spyware provided by Israel’s NSO Group to a wide range of governments and law enforcement agencies that were subsequently found to have abused the technology by spying on political opponents and journalists. The US government ultimately decided to reject the use of Pegasus though that was after the country’s Federal Bureau of Investigation (FBI) had already purchased it, reportedly to evaluate the product. Given the sophistication of the resources available to the USA’s National Security Agency (NSA), and its track record of extensive comms surveillance, which is subject to no legal limits when applied to non-Americans, it would be unsurprising if the NSA independently developed or acquired similar ways to exploit iPhone vulnerabilities, with or without the assistance of Apple.
Kaspersky is the only Russian business included in the US Federal Communications Commission (FCC) ‘covered list’ of businesses considered a threat to national security. The covered list was initially created as a means to restrict sales by Chinese telecoms and technology firms; Kaspersky was added to the list a month after the invasion of Ukraine. US attempts to fracture the global comms sector into trusted and hostile suppliers have received a mixed reception in other countries, with some Western countries banning manufacturers like Huawei from new 5G networks whilst other countries like Brazil welcome the opportunity for new high-tech alliances.
Whatever the truth behind Kaspersky’s research and the FSB’s claims, this announcement will remind many populations of times when the USA interfered in their country’s affairs. Brazil, India and South Africa are members of the BRICS club that also includes China and Russia, and each country has good reason to be ambivalent about US influence. The global comms industry is struggling to come to terms with the end of a golden era for internationalism. There are obvious implications given the routine way many governments show their willingness to weaponize comms technology and services in order to gain an advantage over rivals. The US candidate defeated the Russian nominee in last year’s contest to be the boss of the International Telecommunication Union but victories like these will mean nothing if regional powers in Asia, Africa and Latin America refuse to cooperate with US initiatives that seek to fundamentally alter how telecoms services are managed globally. Russian machinations should always be treated with suspicion, but stories like these effectively feed widespread skepticism about the USA too.



