20.5k unique visitors in the last 3 days

Russia Accuses US of Putting Spyware in iPhones

Cybersecurity business Kaspersky published details of an advanced persistent threat with similarities to NSO Group's Pegasus surveillance tool.

Russia’s Federal Security Service (FSB) has accused US intelligence services of spying on Russians via their iPhones. A post on the FSB website says that several thousand phones were infected with previously unknown malicious software. The software was said to exploit vulnerabilities that are unique to Apple’s handsets.

In addition to spying on Russians, the FSB also claimed that spyware was found on phones belonging to diplomats that work in Russia on behalf of NATO allies, former Soviet Union countries, Israel and China. They said this shows Apple’s policy of protecting the privacy of its customers cannot be relied upon.

The FSB’s account of spyware on iPhones was supplemented by an advanced persistent threat (APT) report published by Russian cybersecurity firm Kaspersky on their corporate website. Kaspersky made no claim to have determined the origin of the spyware but it was obvious from the context that they were discussing the same infected iPhones as the FSB. Kaspersky said they had…

…noticed suspicious activity that originated from several iOS-based phones. Since it is impossible to inspect modern iOS devices from the inside, we created offline backups of the devices in question, inspected them using the Mobile Verification Toolkit’s mvt-ios and discovered traces of compromise.

Kaspersky went on to document the sequence for infecting devices:

  • The target iOS device receives a message via the iMessage service, with an attachment containing an exploit.
  • Without any user interaction, the message triggers a vulnerability that leads to code execution.
  • The code within the exploit downloads several subsequent stages from the C&C [command and control] server, that include additional exploits for privilege escalation.
  • After successful exploitation, a final payload is downloaded from the C&C server, that is a fully-featured APT platform.

The malware then deletes the initial message and the exploit in the attachment to reduce the chances of being discovered. Kaspersky said the attack is ongoing, and they had evidence of it dating back to 2019.

The malicious toolset does not support persistence, most likely due to the limitations of the OS. The timelines of multiple devices indicate that they may be reinfected after rebooting. The oldest traces of infection that we discovered happened in 2019. As of the time of writing in June 2023, the attack is ongoing, and the most recent version of the devices successfully targeted is iOS 15.7. The analysis of the final payload is not finished yet. The code is run with root privileges, implements a set of commands for collecting system and user information, and can run arbitrary code downloaded as plugin modules from the C&C server.

The targeting of iPhones and the method of infection are both reminiscent of Pegasus, the spyware provided by Israel’s NSO Group to a wide range of governments and law enforcement agencies that were subsequently found to have abused the technology by spying on political opponents and journalists. The US government ultimately decided to reject the use of Pegasus though that was after the country’s Federal Bureau of Investigation (FBI) had already purchased it, reportedly to evaluate the product. Given the sophistication of the resources available to the USA’s National Security Agency (NSA), and its track record of extensive comms surveillance, which is subject to no legal limits when applied to non-Americans, it would be unsurprising if the NSA independently developed or acquired similar ways to exploit iPhone vulnerabilities, with or without the assistance of Apple.

Kaspersky is the only Russian business included in the US Federal Communications Commission (FCC) ‘covered list’ of businesses considered a threat to national security. The covered list was initially created as a means to restrict sales by Chinese telecoms and technology firms; Kaspersky was added to the list a month after the invasion of Ukraine. US attempts to fracture the global comms sector into trusted and hostile suppliers have received a mixed reception in other countries, with some Western countries banning manufacturers like Huawei from new 5G networks whilst other countries like Brazil welcome the opportunity for new high-tech alliances.

Whatever the truth behind Kaspersky’s research and the FSB’s claims, this announcement will remind many populations of times when the USA interfered in their country’s affairs. Brazil, India and South Africa are members of the BRICS club that also includes China and Russia, and each country has good reason to be ambivalent about US influence. The global comms industry is struggling to come to terms with the end of a golden era for internationalism. There are obvious implications given the routine way many governments show their willingness to weaponize comms technology and services in order to gain an advantage over rivals. The US candidate defeated the Russian nominee in last year’s contest to be the boss of the International Telecommunication Union but victories like these will mean nothing if regional powers in Asia, Africa and Latin America refuse to cooperate with US initiatives that seek to fundamentally alter how telecoms services are managed globally. Russian machinations should always be treated with suspicion, but stories like these effectively feed widespread skepticism about the USA too.

Eric Priezkalns
Eric Priezkalnshttp://revenueprotect.com

During his career, Eric has been a Director of Risk Management for a national telco, the Chief Executive of the Risk & Assurance Group, a Chief Marketing Officer for a software business, a consultant, a public speaker and the publisher of Commsrisk since its launch in 2006. Look here for more about the history of Commsrisk and the role played by Eric.

The comms providers that Eric has worked for include Qatar Telecom, Cable & Wireless, T‑Mobile, Sky and Worldcom. In addition to his proficiency at speaking about the current scamdemic, Eric is also a qualified chartered accountant and a subject matter expert in consumer protection, enterprise risk management, fraud prevention, data integrity and billing accuracy. Eric was the lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He can be reached through the contact form on this website.

Related Articles

The Commsrisk Global Fraud Dashboard


Our Global Fraud Dashboard uses AI-powered search to collate, update and visualize data about scams and other network abuses from around the world. New charts are added each month. See it here.

Get Our Weekly Newsletter by Email