Russian Hackers Target Ukrainians with New iPhone Tools

Phucthinh

Russian Hackers Intensify Attacks on Ukrainians with Advanced iPhone Tools

A concerning surge in cyberattacks targeting Ukrainian iPhone users has been detected, with researchers pointing to a sophisticated hacking group, suspected of ties to the Russian government. This group is deploying a new arsenal of tools designed to steal sensitive personal data, including passwords, photos, and messages, and, surprisingly, even cryptocurrency. The attacks highlight a growing trend of advanced, stealthy spyware targeting mobile devices, and raise serious questions about the accessibility of such powerful tools.

The Emergence of Darksword: A New iPhone Hacking Toolkit

Cybersecurity researchers at Google, iVerify, and Lookout have identified a new hacking campaign orchestrated by a threat actor known as UNC6353. This campaign utilizes a toolkit dubbed Darksword, which builds upon previously discovered vulnerabilities and represents a significant escalation in the sophistication of attacks against Ukrainian citizens. The discovery of Darksword follows closely on the heels of the unveiling of another similar toolkit, Coruna, earlier in March, suggesting a proliferation of advanced iPhone hacking capabilities.

Darksword's Capabilities and Tactics

Darksword is engineered for rapid data exfiltration. Unlike spyware designed for long-term surveillance, it focuses on quickly infiltrating devices, stealing valuable information, and then disappearing. Researchers estimate the “dwell time” – the period the malware remains active on a device – is typically measured in minutes, depending on the volume of data successfully extracted. The toolkit is capable of stealing:

  • Passwords
  • Photos
  • WhatsApp, Telegram, and text messages
  • Browser history

What sets Darksword apart is its ability to target cryptocurrency wallets, a feature rarely seen in government-sponsored hacking operations. This suggests a potential dual motive – espionage and financial gain – or the possibility of a financially motivated actor operating with the support of, or in alignment with, Russian intelligence.

Coruna: The Precursor and its US Origins

The discovery of Darksword is closely linked to the earlier revelation of Coruna, a highly sophisticated iPhone hacking toolkit. Google initially reported that Coruna was first used by a government customer of a surveillance technology vendor, then by Russian spies targeting Ukrainians, and subsequently by Chinese cybercriminals seeking to steal cryptocurrency. Further investigation by GearTech revealed that Coruna was originally developed by U.S. defense contractor L3Harris, specifically its hacking and surveillance tech department, Trenchant.

The Five Eyes Connection

According to former L3Harris employees, Coruna was initially designed for use by Western governments, particularly those within the Five Eyes intelligence alliance – Australia, Canada, New Zealand, the United States, and the United Kingdom. This raises ethical concerns about the potential misuse of powerful surveillance technologies developed for legitimate national security purposes. The fact that a tool intended for Western intelligence agencies ended up in the hands of Russian hackers underscores the risks associated with the proliferation of zero-day exploits and the vulnerabilities inherent in the cybersecurity supply chain.

UNC6353: A Financially Motivated and Espionage-Driven Threat Actor

Researchers believe that UNC6353 is a well-funded and connected threat actor operating with both financial and espionage objectives, aligning with Russian intelligence requirements. Justin Albrecht, principal security researcher at Lookout, suggests that UNC6353 could be a Russian criminal proxy, leveraging its capabilities for both financial theft and intelligence gathering. The group’s recent activity with Darksword reinforces this assessment.

Targeting and Infection Vectors

The Darksword campaign wasn't a highly targeted operation. The malware was designed to infect users simply by visiting compromised Ukrainian websites while located within Ukraine. This broad approach suggests the hackers were interested in gathering information about a wide range of individuals, focusing on their “pattern of life” rather than conducting persistent surveillance on specific targets. Rocky Cole, co-founder of iVerify, describes this as a “smash-and-grab” operation, prioritizing rapid data extraction over long-term access.

The Potential Link Between Coruna and Darksword

Darksword's modular design and the ease with which new functionality can be added suggest a professional development process. Cole believes it’s plausible that the same individual who sold Coruna to the Russian government hacking group also sold Darksword. This highlights the concerning trend of individuals or entities profiting from the sale of zero-day exploits and advanced hacking tools to various actors, regardless of their intent.

Is Cryptocurrency Theft a Primary Goal?

While Darksword is capable of stealing cryptocurrency, there’s no concrete evidence to suggest that this is the primary motivation of the Russian hacking group. Cole suggests the capability may simply be present, offering an opportunistic avenue for financial gain. However, the inclusion of cryptocurrency theft functionality adds another layer of complexity to the threat landscape and underscores the growing intersection between nation-state hacking and cybercrime.

The Broader Implications and Future Trends

The emergence of Darksword and Coruna signifies a worrying trend: advanced, stealthy, and powerful spyware for iPhones is becoming increasingly accessible. This accessibility poses a significant threat to individuals, organizations, and even governments worldwide. Several key takeaways emerge from these recent developments:

  • Proliferation of Zero-Day Exploits: The market for zero-day exploits is thriving, with actors willing to pay exorbitant sums for vulnerabilities that can be weaponized.
  • Blurring Lines Between Nation-State and Cybercriminal Activity: The lines between state-sponsored hacking and cybercrime are becoming increasingly blurred, with actors often operating with dual motives.
  • Supply Chain Vulnerabilities: The origin of Coruna at L3Harris highlights the vulnerabilities inherent in the cybersecurity supply chain and the need for greater oversight and security measures.
  • Increased Targeting of Mobile Devices: Mobile devices are becoming increasingly attractive targets for hackers due to the wealth of personal and financial information they contain.

Looking ahead, it’s crucial for cybersecurity researchers, technology companies, and governments to collaborate to develop effective defenses against these evolving threats. This includes investing in research and development of new security technologies, strengthening the cybersecurity supply chain, and promoting responsible disclosure of vulnerabilities. Furthermore, users must remain vigilant and practice good cybersecurity hygiene, including keeping their devices updated with the latest security patches and being cautious about clicking on suspicious links or visiting untrusted websites.

Stay Secure: If you have information about Darksword, Coruna, or other government hacking and spyware tools, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram, Keybase and Wire @lorenzofb, or by email.
