item 38855065

Operation Triangulation What You Get When Attack iPhones of Researchers [video]

27 points| ashurov | 2 years ago |media.ccc.de

25 comments


rollulus|2 years ago

dang|2 years ago

Thanks! Expanded list:

Kaspersky discloses iPhone hardware feature vital in Operation Triangulation - https://news.ycombinator.com/item?id=38801275 - Dec 2023 (52 comments)

4-year campaign backdoored iPhones using advanced exploit - https://news.ycombinator.com/item?id=38784073 - Dec 2023 (7 comments)

Operation Triangulation: What you get when attack iPhones of researchers - https://news.ycombinator.com/item?id=38783112 - Dec 2023 (371 comments)

How to catch a wild triangle - https://news.ycombinator.com/item?id=38034269 - Oct 2023 (43 comments)

Scan iPhone backups for traces of compromise by “Operation Triangulation” - https://news.ycombinator.com/item?id=36164340 - June 2023 (153 comments)

Targeted attack on our management with the Triangulation Trojan - https://news.ycombinator.com/item?id=36161392 - June 2023 (126 comments)

“Clickless” iOS exploits infect Kaspersky iPhones with never-before-seen malware - https://news.ycombinator.com/item?id=36154455 - June 2023 (41 comments)

Operation Triangulation: iOS devices targeted with previously unknown malware - https://news.ycombinator.com/item?id=36151220 - June 2023 (31 comments)

Others?

rusty_venture|2 years ago

The lack of attribution on this organized and well-financed operation is the most concerning part of this attack, in my opinion. It seems unlikely that any APT would burn ALL of its 0-days for the iOS platform in one campaign, so they likely have more which they can pivot to. Of course there are 3 nation-states who are most likely to be behind this operation, but which one was it? If possible, we should be looking for other victims of this attack using the IOCs discovered at Kaspersky. If we find other instances of this attack on Taiwanese government officials or members of the Uighur population, for instance, that would be a smoking gun for attributing it to one particular nation. Finding traces of this attack on the devices of Ukrainian government officials would point in a different direction. Either way, we need to be able to attribute this attack, and the other victims of this APT might not know to check themselves for indicators. Does anyone here know if there are efforts by cybersecurity researchers to uncover other victims of this attack in vulnerable or potentially targeted communities?

jdewerd|2 years ago

Is there an "everyone knows but nobody says" dynamic here, like if the tea comes from Mandiant/CrowdStrike it's about Russia, if it comes from Kaspersky it's about NSA, etc?

codeflo|2 years ago

You can bet that if Kaspersky dares to uncover this in that much detail and with so much publicity, then revealing those details doesn’t go against the interests of the Russian state. (Which, to be very clear, is not the same thing as suggesting Kaspersky is an actor of the state. Just that they would wisely think twice about revealing attacks from a certain direction.)

reaperman|2 years ago

There are generally 4 major cyber powers that I consider when hearing about new advanced techniques / applications / threats: USA, Russia, Israel, China (in roughly that order). Israel is obviously complicated because historically a lot of their work has been in partnership with the USA, but that seems to be mildly less the case these days.

tonetegeatinst|2 years ago

Agree that it's concerning regarding the lack of attribution, especially given the complexity.

If I had to guess...and this is a wild guess and in no way based on hard evidence....but I think the true value would be using this as a vector to bypass 2FA or MFA for attacks on a supply chain. Chaining exploits isn't a new concept...hell, I had a similar idea years ago regarding chaining CVEs to create a better, more fluid escalation of privileges. The concerning thing is these were 0days, from the brief reading I did, and exploited hardware vulnerabilities.

IMO hardware is the best target because few people are going to rip apart the device to look at chips...and even if they did, they would need a metrology or lithography lab to find a backdoor in a part of a CPU or other component. Just because the part was shipped from the factory and the factory made it correctly, if someone could compromise a basic part of the chip then it's all over and you really have to spend your time looking for these things. An example would be the BMC on your Dell server getting backdoored, or editing a snippet of microcode that these chip makers do not publicly document.

Seems unlikely that they would blow so many 0days so recklessly just to infect the iPhone to get data....when it could be used for so much more.

If this is a nation-state actor....chances are they can just buy the data via a third party, or could have forced Apple to turn over the iCloud data, or just caught it via intercepting the undersea cables and their ISPs.

Unless I'm missing something.....and this was used to go after a really critical target that was hard to compromise, and as a result, once they got the intel they wanted, they might have just used it willy-nilly, or have considered the 0days as lost if they had compromised a foreign nation state or person of interest, and figured that since they used the exploit....their adversary will discover it sooner or later.

swamp40|2 years ago

If I were in charge, I would attack 90% Taiwanese and 10% of my real target. And I would leave Chinese comments everywhere. So I doubt you can point fingers so easily. These are some smart people.