Operation Triangulation: Kaspersky employees targeted in mobile APT campaign

Hackers have attacked some employees of cybersecurity solutions company Kaspersky with a new mobile Advanced Persistent Threat (APT) campaign.

Cybersecurity experts at the Moscow-based company found that the campaign targetted iOS devices. Referred to as ‘Operation Triangulation’, the campaign spreads zero-click exploits via iMessage to run malware, giving the attackers complete control over the device and user data. The compromised devices let the hackers spy on the users.

In an APT campaign, hackers gain access to a targeted network and lurk around for a significant time until the attacks are spotted. Hackers either use social engineering methods or exploit vulnerabilities to infect a system to launch the APT attack.

Kaspersky experts have uncovered a new mobile APT campaign while monitoring the network traffic of its corporate Wi-Fi network using the Kaspersky Unified Monitoring and Analysis Platform (KUMA).

“Our researchers analysed it further and found that the threat actor has been targeting iOS devices of dozens of company employees,” it said.

“During the analysis, it was confirmed that there was no impact on the company’s products, technologies and services, and no Kaspersky customer user data or critical company processes were affected,” it said.

The attackers could only access data stored on the infected devices. Although not certain, it is believed that the attack was not targeted specifically at Kaspersky. 

“We are the first one’s to discover it. The following days will likely bring more clarity about the global exposure of this cyberattack,” it said.

Investigation

The investigation of the attack technique is still ongoing, but so far Kaspersky researchers were able to identify the general infection sequence.

“The victim received a message via iMessage with an attachment containing a zero-click exploit. Without any further interaction, the message triggered a vulnerability that led to code execution for privilege escalation and provided full control over the infected device,” a Kaspersky executive said.

Once the attacker successfully established its presence in the device, the message was automatically deleted.

The spyware, which was successfully injected, can quietly transmit private information to remote servers. It includes microphone recordings, photos from instant messengers, geolocation and data about a number of other activities of the owner of the infected device.

“When it comes to cybersecurity, even the most secure operating systems can be compromised. As APT actors are constantly evolving their tactics and searching for new weaknesses to exploit, businesses must prioritise security of their systems. This involves prioritising employee education and awareness, and providing them with the latest threat intelligence and tools to effectively recognise and defend against potential threats,” Igor Kuznetsov, head of the EEMEA unit at Kaspersky Global Research and Analysis Team (GReAT), has said.

“Our investigation of the Triangulation operation continues. We expect further details on it to be shared soon, as there can be targets of this spy operation outside Kaspersky,” he said.