Operation Triangulation, my iPhone was actually hacked

One midnight several days ago, I grabbed my iPhone from the bedside table to check the time, but I found that my iPhone was hot and the WiFi was turned on. It was weird, because I always turn the WiFi off before I go to sleep. At that moment I recalled that my iPhone had been freezing from time to time these days. All of a sudden it occurred to me: had my iPhone been hacked? The symptoms were highly similar to those reported for the Operation Triangulation campaign, which targets iOS devices, is run by a US intelligence service, and was revealed by Kaspersky. Then I captured the network traffic to and from my iPhone, intending to check whether there was malware running on it. I analyzed the trace files and found some weird things and some weird IP addresses. Hoooooooly shit! It turned out that my iPhone had been hacked!
Here is something that you may want to know about Operation Triangulation.
On 5 June 2023, Eugene Kaspersky, CEO of Kaspersky, said in a blog post that iOS devices of Kaspersky employees had been attacked. The attacked devices were implanted with spyware, which steals private data stored on the iOS device and then transfers it to remote servers controlled by the attackers. The data includes microphone recordings, photos from instant messaging apps, geolocation and other information. Kaspersky has posted a series of reports on its official website that provide an in-depth analysis of the Operation Triangulation campaign. It says that the attacker uses zero-click exploits via the iMessage platform to implant the spyware stealthily. The attacker sends the victim an invisible iMessage with a malicious attachment, which, using a number of vulnerabilities in the iOS operating system, is executed on the device and installs the spyware. The deployment of the spyware is completely hidden and requires no action from the user. iMessage is turned on by default. As of June 2023, the exploit works on devices running iOS 15.7 and earlier versions. It is not impossible that the attack will also be carried out on future iOS versions. It is reported that the campaign has compromised thousands of iPhones in Russia, including those of foreign diplomats.
As to the attacker, the Kaspersky report says that it is related to the Equation Group, which belongs to the US National Security Agency (NSA). The Equation Group is described as one of the most sophisticated cyberattack groups in the world, operating alongside the creators of Stuxnet and Flame. This can be cross-checked against the Shadow Brokers leak and the Snowden revelations.
Because iOS is a closed system, users cannot connect an iPhone directly to a computer and scan it. Instead, users have to connect the iPhone to a computer, back up the iPhone data to the computer, and then scan the backup with the tool provided by Kaspersky Lab. During the scan, if Trojans are detected the tool shows DETECTED; for suspicious Trojan files it shows SUSPICION; and if no suspicious files are found in the backup it shows "No traces of compromise were identified".
If your iPhone is found to be compromised, first reset it to factory settings and set it up as a new phone. Do not restore it from a backup, because the implanted spyware might be restored along with the backup. Last year Apple introduced Advanced Data Protection for iCloud; enabling it limits some functionality, but security is enhanced. One of the limitations is that iMessage attachment download is disabled, which protects against this kind of attack. Secondly, update iOS to the latest version.
Here are the IP addresses that you may check on your network
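The check I did on the captured traffic (matching the addresses my iPhone talked to against a list of suspect addresses) can be automated. The script below is an added example, not code from the original post or from Kaspersky; the indicator list is a placeholder built from RFC 5737 documentation ranges, not the real Triangulation addresses, and the capture lines are constructed in the style of `tcpdump -n` text output. Substitute the published indicators and your own capture before using it.

```python
"""Flag connections in a packet-capture text summary that touch suspect addresses.

Added example, not from the original post. The indicator list below is a
PLACEHOLDER built from RFC 5737 documentation ranges; substitute the addresses
published by Kaspersky before running it on a real capture.
"""
import ipaddress
import re
from collections import Counter

# PLACEHOLDER indicators (documentation ranges), not real Triangulation infrastructure.
SUSPECT_NETWORKS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.17/32"),
]

# Constructed sample in the style of `tcpdump -n` output; the phone is 192.168.1.23.
SAMPLE_CAPTURE = """\
01:12:03.114 IP 192.168.1.23.51234 > 203.0.113.5.443: Flags [S], seq 0, win 65535, length 0
01:12:03.201 IP 192.168.1.23.51235 > 192.0.2.44.443: Flags [S], seq 0, win 65535, length 0
01:12:04.010 IP 192.0.2.44.443 > 192.168.1.23.51235: Flags [S.], seq 0, ack 1, win 65160, length 0
01:12:05.550 IP 192.168.1.23.51236 > 198.51.100.17.443: Flags [P.], seq 1:518, ack 1, win 2048, length 517
01:12:06.000 IP 192.168.1.23.51237 > 203.0.113.5.5223: Flags [S], seq 0, win 65535, length 0
01:12:07.000 ARP, Request who-has 192.168.1.1 tell 192.168.1.23, length 28
01:12:08.000 IP 192.168.1.50.40000 > 192.0.2.44.443: Flags [S], seq 0, win 65535, length 0
"""

# One IPv4 TCP/UDP summary line: timestamp, src.port > dst.port
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):"
)


def parse_capture(text):
    """Return one dict per IPv4 packet line; ARP, ICMP and other lines are skipped."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            flows.append(m.groupdict())
    return flows


def in_networks(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def remote_endpoint(pkt, device_ip):
    """Return (remote_ip, remote_port, direction) if the packet involves the device, else None."""
    if pkt["src"] == device_ip:
        return pkt["dst"], pkt["dport"], "out"
    if pkt["dst"] == device_ip:
        return pkt["src"], pkt["sport"], "in"
    return None


def find_suspect_flows(text, device_ip):
    """Group the device's packets to/from SUSPECT_NETWORKS by remote endpoint.

    Returns a sorted list of (remote_ip, remote_port, first_seen, packets, directions).
    A flow seen in both directions means the remote host answered, which is
    stronger evidence than a single unanswered outbound SYN.
    """
    hits = {}
    for pkt in parse_capture(text):
        ep = remote_endpoint(pkt, device_ip)
        if ep is None:
            continue
        rip, rport, direction = ep
        if not in_networks(rip, SUSPECT_NETWORKS):
            continue
        entry = hits.setdefault((rip, rport), {"first": pkt["ts"], "n": 0, "dirs": set()})
        entry["n"] += 1
        entry["dirs"].add(direction)
    return [
        (rip, rport, v["first"], v["n"], sorted(v["dirs"]))
        for (rip, rport), v in sorted(hits.items())
    ]


def summarize_remotes(text, device_ip):
    """Count packets per remote IP so hosts not on any list can still be reviewed by hand."""
    counts = Counter()
    for pkt in parse_capture(text):
        ep = remote_endpoint(pkt, device_ip)
        if ep is not None:
            counts[ep[0]] += 1
    return counts


if __name__ == "__main__":
    device = "192.168.1.23"
    for rip, rport, first, n, dirs in find_suspect_flows(SAMPLE_CAPTURE, device):
        print(f"SUSPECT {rip}:{rport} first seen {first}, {n} packet(s), {'/'.join(dirs)}")
    for rip, n in summarize_remotes(SAMPLE_CAPTURE, device).most_common():
        print(f"remote {rip}: {n} packet(s)")
```

Run it against a real capture with `tcpdump -n -r capture.pcap > capture.txt` and feed the file contents to the two functions with your phone's LAN address. The per-remote summary matters as much as the indicator match: a phone that is supposed to be asleep with WiFi off should not be talking to anything, so every unexplained remote in that summary deserves a look even when it is not on the list.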
Hope this post helps you.
