US Military Link to iPhone Hacking Tool Used by Russian Spies? A Deep Dive
A concerning revelation has surfaced, suggesting a sophisticated hacking campaign targeting iPhone users in Ukraine and China leveraged tools potentially originating from a U.S. military contractor, L3Harris. This toolkit, initially designed for Western intelligence agencies, has reportedly fallen into the hands of various malicious actors, including Russian government operatives and Chinese cybercriminals. The implications are far-reaching, raising critical questions about the security of government-developed hacking tools and the potential for their misuse. This article delves into the details of this complex situation, exploring the origins of the “Coruna” toolkit, its journey into the wrong hands, and the broader cybersecurity landscape it highlights.
The Coruna Toolkit: A Global Hacking Campaign
Last week, Google unveiled the discovery of a highly advanced iPhone hacking toolkit used in a series of global attacks throughout 2025. Dubbed “Coruna” by its original developers, the toolkit comprises 23 distinct components initially deployed in “highly targeted operations” by an unnamed government client of an unspecified “surveillance vendor.” The toolkit’s trajectory took a disturbing turn, first being utilized by Russian government spies against a limited number of Ukrainian targets, and subsequently by Chinese cybercriminals in large-scale campaigns aimed at financial gain and cryptocurrency theft. The scale and sophistication of these attacks underscore the growing threat posed by advanced persistent threats (APTs).
iVerify’s Investigation and the L3Harris Connection
Researchers at mobile cybersecurity firm iVerify, conducting independent analysis of Coruna, believe the toolkit may have been originally developed by a company contracted by the U.S. government. Their investigation led them to L3Harris, a prominent defense contractor. Two former L3Harris employees, speaking anonymously due to non-disclosure agreements, confirmed that Coruna was, at least in part, developed by the company’s hacking and surveillance technology division, Trenchant. Both individuals possessed firsthand knowledge of L3Harris’s iPhone hacking capabilities.
“Coruna was definitely an internal name of a component,” stated one former L3Harris employee familiar with iPhone hacking tools within Trenchant. “Looking at the technical details,” they added, referencing evidence published by Google, “so many are familiar.” This suggests a strong link between the toolkit and Trenchant’s internal development efforts.
Trenchant: Exclusive Supplier to the Five Eyes Alliance
L3Harris, through Trenchant, exclusively sells its hacking and surveillance tools to the U.S. government and its allies within the Five Eyes intelligence alliance – Australia, Canada, New Zealand, and the United Kingdom. Given this limited customer base, it’s plausible that Coruna was initially acquired and deployed by one of these governments’ intelligence agencies before inadvertently falling into unauthorized hands. However, the precise extent of L3Harris Trenchant’s contribution to the published Coruna hacking toolkit remains unclear.
Despite repeated attempts, an L3Harris spokesperson did not respond to requests for comment regarding these allegations. This silence further fuels speculation and concern surrounding the origin and distribution of the Coruna toolkit.
The Journey of Coruna: From Government Contractor to Cybercriminals
The pathway by which Coruna transitioned from a Five Eyes government contractor to a Russian government hacking group, and ultimately to a Chinese cybercrime syndicate, remains shrouded in mystery. However, the circumstances bear striking similarities to the case of Peter Williams, a former general manager at Trenchant.
The Peter Williams Case: A Breach of Trust
From 2022 until his resignation in mid-2025, Williams allegedly sold eight company hacking tools to Operation Zero, a Russian entity known for offering substantial sums for zero-day exploits – vulnerabilities unknown to the affected vendor. Williams, a 39-year-old Australian citizen, was sentenced to seven years in prison last month after admitting to stealing and selling these tools for $1.3 million. The U.S. government condemned Williams’ actions, stating he “betrayed” the United States and its allies by potentially exposing millions of computers and devices to risk.
Operation Zero, sanctioned by the U.S. Treasury, claims to collaborate exclusively with the Russian government and local companies. The Treasury alleges that a Russian broker associated with Operation Zero resold Williams’ stolen tools to at least one unauthorized user, potentially explaining how the Russian espionage group, identified by Google as UNC6353, acquired Coruna and deployed it against Ukrainian iPhone users.
It’s highly probable that Operation Zero further resold Coruna, potentially to other brokers, countries, or directly to cybercriminals. The Treasury also linked Operation Zero to the Trickbot ransomware gang, suggesting a connection to financially motivated hackers. This chain of resales may ultimately have led to Coruna reaching Chinese hackers.
Operation Triangulation: A Parallel Investigation
Google researchers revealed that two specific Coruna exploits – Photon and Gallium – were utilized as zero-days in Operation Triangulation, a sophisticated hacking campaign allegedly targeting Russian iPhone users. Operation Triangulation was initially uncovered by Kaspersky in 2023.
Connecting the Dots: Trenchant and the U.S. Government
Rocky Cole, co-founder of iVerify, believes the evidence strongly suggests that Trenchant and the U.S. government were the original developers and customers of Coruna. This assessment is based on three key factors: the timeline of Coruna’s use aligning with Williams’ leaks, structural similarities between Coruna modules (Plasma, Photon, and Gallium) and Triangulation, and the reuse of exploits from Operation Triangulation within Coruna.
Cole, a former U.S. National Security Agency employee, notes that sources “close to the defense community” claim Plasma was used in Operation Triangulation, although public evidence remains lacking. According to Google and iVerify, Coruna is designed to compromise iPhone models running iOS 13 through 17.2.1, a timeframe consistent with Williams’ leaks and the discovery of Operation Triangulation.
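The version range reported above (iOS 13 through 17.2.1) is the one concrete detail a defender can act on immediately: which devices in a fleet still fall inside it. The script below is an added example written for this article, not code from Google, iVerify or the article's author. It takes the range from the text, treats both endpoints as inclusive (an assumption based on the wording "through 17.2.1"), parses version strings into numeric tuples so that "17.10" is not mis-ranked below "17.2" by string comparison, and sorts a constructed device inventory into affected, not affected and unknown buckets. A device in the range is exposed to the reported attack surface, not necessarily compromised; the output is a patch-priority list, not a compromise finding.

```python
import re
from typing import List, Optional, Tuple

# Affected range reported in the article for Coruna: iOS 13 through 17.2.1.
# Both endpoints are treated as inclusive here (assumption from the wording).
CORUNA_MIN = (13, 0, 0)
CORUNA_MAX = (17, 2, 1)

# Accepts "17", "17.2" or "17.2.1"; missing components default to 0.
_VERSION_RE = re.compile(r"^\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?\s*$")


def parse_ios_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Parse an iOS version string into a comparable (major, minor, patch) tuple.

    Returns None for malformed input so callers can treat it as 'unknown'
    rather than silently classifying it as safe.
    """
    m = _VERSION_RE.match(text)
    if not m:
        return None
    major, minor, patch = (int(g) if g is not None else 0 for g in m.groups())
    return (major, minor, patch)


def in_affected_range(version: str, lo=CORUNA_MIN, hi=CORUNA_MAX) -> Optional[bool]:
    """True if the version lies within [lo, hi], False if outside, None if unparseable."""
    v = parse_ios_version(version)
    if v is None:
        return None
    # Tuple comparison is numeric per component, so (17, 10, 0) > (17, 2, 1)
    # even though the string "17.10" sorts before "17.2" lexicographically.
    return lo <= v <= hi


def triage_inventory(inventory: List[Tuple[str, str]]) -> dict:
    """Group (device_id, ios_version) records by exposure to the reported range."""
    report = {"affected": [], "not_affected": [], "unknown": []}
    for device_id, ios_version in inventory:
        result = in_affected_range(ios_version)
        if result is None:
            bucket = "unknown"
        elif result:
            bucket = "affected"
        else:
            bucket = "not_affected"
        report[bucket].append((device_id, ios_version))
    return report


# Constructed sample inventory for the example; these are not real devices.
SAMPLE_INVENTORY = [
    ("dev-001", "17.2.1"),  # upper bound of the range, inclusive -> affected
    ("dev-002", "17.3"),    # first release above the range -> not affected
    ("dev-003", "17.10"),   # string compare would wrongly place this below 17.2
    ("dev-004", "13"),      # lower bound, no minor/patch given -> affected
    ("dev-005", "12.5.7"),  # below the range -> not affected
    ("dev-006", "n/a"),     # malformed MDM field -> unknown, needs manual follow-up
]

if __name__ == "__main__":
    for bucket, devices in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {devices}")
```

Feed it the version column exported from your MDM instead of the constructed list; the "unknown" bucket is worth keeping visible, since devices that fail to report a version are exactly the ones a simple filter would otherwise drop.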
Another former Trenchant employee revealed that when Triangulation was first exposed in 2023, other company employees suspected that at least one of the zero-days identified by Kaspersky originated from their team and was potentially “ripped out” of the larger project encompassing Coruna.
Further supporting the link to Trenchant, security researcher Costin Raiu highlighted the use of bird names – Cassowary, Terrorbird, Bluebird, Jacurutu, and Sparrow – for some of the 23 tools within the toolkit. In 2021, The Washington Post reported that Azimuth, a startup acquired by L3Harris and integrated into Trenchant, had sold a hacking tool called Condor to the FBI for use in the San Bernardino iPhone cracking case.
Russia’s Response and Kaspersky’s Caution
Following Kaspersky’s publication of its research on Operation Triangulation, Russia’s Federal Security Service (FSB) accused the NSA of hacking “thousands” of iPhones in Russia, particularly targeting diplomats. While Kaspersky did not confirm the FSB’s claims, a spokesperson noted that the “indicators of compromise” identified by Russia’s National Coordination Centre for Computer Incidents (NCCCI) matched those discovered by Kaspersky.
Boris Larin, a security researcher at Kaspersky, emphasized in an email to GearTech that despite extensive research, they cannot definitively attribute Operation Triangulation to any known APT group or exploit development company. He cautioned that attribution based solely on the exploitation of shared vulnerabilities (Photon and Gallium) is insufficient, as the details of these vulnerabilities are publicly available.
Kaspersky has a history of subtly signaling its knowledge of the actors behind hacking campaigns without publicly attributing them. In 2014, the company identified a sophisticated government hacking group called “Careto” (Spanish for “The Mask”) and used imagery in its report that strongly hinted at Spanish government involvement.
The Williams Leak and Operation Triangulation: A Possible Connection
Cybersecurity journalist Patrick Gray, on his podcast Risky Business, suggested that the hacking kit leaked by Williams to Operation Zero was likely the same one used in the Triangulation campaign. This theory aligns with the timeline and technical evidence gathered by researchers.
Apple, Google, Kaspersky, and Operation Zero did not respond to requests for comment on this matter.
Implications and Future Considerations
The potential link between a U.S. military contractor and a global hacking campaign raises serious concerns about the security of government-developed hacking tools and the need for stricter oversight. The incident highlights the risks associated with the proliferation of zero-day exploits and the importance of responsible vulnerability disclosure. Furthermore, it underscores the need for enhanced cybersecurity measures to protect against increasingly sophisticated attacks targeting mobile devices. The case of Coruna serves as a stark reminder that even the most advanced technologies can be exploited, and that vigilance and collaboration are essential in the ongoing battle against cybercrime. The future of mobile security hinges on proactive threat intelligence, robust security protocols, and a commitment to ethical hacking practices.