A Chilling Scenario: US-Linked iPhone Hacking Tools Now Empowering Global Threats
The cybersecurity landscape is shaken by a startling revelation: a potent iPhone hacking toolkit, once potentially in the possession of US government contractors, has embarked on a treacherous journey. From Russian spies targeting Ukrainians to a cryptocurrency-stealing cybercriminal operation, this toolkit, dubbed 'Coruna', has left a trail of compromised devices in its wake.
Google researchers unveiled Coruna, a sophisticated iPhone hacking toolkit, in a recent report. It encompasses five distinct hacking techniques, exploiting 23 iOS vulnerabilities to silently install malware on devices visiting compromised websites. The toolkit's complexity implies a state-sponsored hacking group's involvement.
Google traced Coruna's components to a 'customer of a surveillance company' in February of last year. Months later, a more advanced version resurfaced in a suspected Russian spy group's espionage campaign against Ukrainians. Subsequently, Coruna was spotted in a profit-driven hacking campaign targeting Chinese-language crypto and gambling sites, stealing victims' cryptocurrency.
Intriguingly, Google's report omits the identity of the original surveillance company customer. iVerify, a mobile security firm, suggests Coruna's code bears similarities to a hacking kit potentially linked to the US government. Both Google and iVerify highlight Coruna's connection to 'Triangulation', a hacking operation targeting Kaspersky in 2023, which Russia attributed to the NSA.
iVerify's cofounder, Rocky Cole, emphasizes Coruna's sophistication and its resemblance to tools publicly associated with the US government. He warns that this toolkit's escape into the wild could lead to its adoption by adversaries and cybercriminal groups, marking a significant security breach.
Google warns that the extent of Coruna's proliferation remains unclear, but that it points to a thriving market for 'second-hand' zero-day exploits. Once such exploits reach other threat actors, they can be modified and reused in combination with newly discovered vulnerabilities.
iVerify's Cole draws parallels between Coruna and EternalBlue, a Windows hacking tool stolen from the NSA in 2017, which led to devastating cyberattacks like WannaCry and NotPetya. He raises concerns about the security of mobile devices when such advanced tools leak to adversaries.
Apple has patched Coruna-related vulnerabilities in iOS 26, limiting its effectiveness to older iOS versions. iVerify estimates that Coruna may have infected tens of thousands of phones, particularly in the for-profit campaign targeting Chinese-language websites.
The cybercriminal version of Coruna, analyzed by iVerify, revealed modifications that plant malware for cryptocurrency theft and for stealing photos and email. These additions were rudimentary compared to the polished and modular Coruna toolkit, implying that cybercriminals bolted them on later.
iVerify's Cole offers an alternative explanation for Coruna's origins, suggesting that the code overlap with the Operation Triangulation malware could be coincidental. However, he argues that Coruna's unique components and cohesive design indicate a single author's creation.
The mystery deepens as to how Coruna reached foreign and criminal entities. iVerify's Cole points to the role of brokers who trade zero-day hacking techniques, often without exclusivity, to the highest bidder. This practice could have led to Coruna's dissemination to non-Western exploit brokers and, ultimately, to various threat actors.
The implications are profound. Coruna's journey highlights the risks associated with the proliferation of advanced hacking tools and the potential for them to be repurposed for malicious activities. The cybersecurity community is left with a pressing question: How can we prevent such powerful tools from falling into the wrong hands and causing global havoc?