Operation Triangulation

This article is an orphan, as no other articles link to it. Please introduce links to this page from related articles; try the Find link tool for suggestions. (October 2024)

Operation Triangulation is a targeted cyberattack on iOS devices conducted using a chain of four zero-day vulnerabilities. It was first disclosed in June 2023 and is notable for its unprecedented technical complexity among iOS attacks. The number of victims is estimated to be in the thousands.

The goal of the attack was espionage: extracting messages and passwords from devices, recording conversations, and tracking geolocation. The exact number of victims is unknown due to the high level of stealth by the attackers. Some sources estimate several thousand victims, including commercial, governmental and diplomatic organizations in Russia and its overseas representatives.^[1]

June 1, 2023: Kaspersky announces the discovery of traces of a new kind of malware on the iOS devices of its employees. The malware is designed for espionage and is highly stealthy, detected only by unusual data exchange with infected iPhones. Investigators found the traces of first infections dating back to 2019. The attack is named Operation Triangulation.^[2]

A tool called triangle_check is released to allow users to check if their iOS devices have been compromised and determine whether they have been victims of the attack.^[3][4][5]

June 21, 2023: Kaspersky publishes research on the TriangleDB implant used in the attack.^[6][7]

On the same day, Apple releases updates for iOS 15.x and 16.x, addressing two vulnerabilities used in the attack: CVE-2023-32434 in the iOS kernel and CVE-2023-32435 in the WebKit browser engine. These vulnerabilities make it possible to silently infect iPhones by bypassing iOS security systems.^[8]

July 24, 2023: Apple releases updates for iOS 15.x and 16.x, addressing the CVE-2023-38606 vulnerability in the iOS kernel and CVE-2023-41990 in the FontParser font processing mechanism. These vulnerabilities were also part of the infection chain for Operation Triangulation.^[9][10]

October 23, 2023: Kaspersky publishes data on the multi-stage validation of potential victims by the attackers. This filtering process allows attackers to infect only their intended targets and evade security researchers.^[11]

October 26, 2023: At the Security Analyst Summit, a report is presented on the Operation Triangulation investigation process and efforts to identify all components in the infection chain.^[12][13]

December 27, 2023: At the Chaos Communication Congress, a report is presented on the complete attack chain and the four vulnerabilities used in the attack, including undocumented features of Apple processors.^{[14][15][16][17][18]}

December 28, 2023: Hacker Hector Martin learns about the use of undocumented features of Apple processors in Operation Triangulation and shares known information about their possible mechanisms and purposes.^[19]

Operation Triangulation is unprecedented in its technical complexity for iOS attacks: the infection chain consists of 14 steps, using four zero-day vulnerabilities and undocumented hardware features of Apple processors. All known attacks targeted iOS versions up to 15.7.x, but the techniques are effective up to iOS 16.2.^[20]

When a specially crafted iMessage is received by an iPhone, the malicious code is launched. This message is invisible to the user. Additional components are then downloaded from the command servers of Operation Triangulation, granting elevated privileges on the device, and deploying spyware with extensive access to the device's contents and functions.

The initial infection is carried out through an invisible iMessage. The malicious iMessage attachment, packaged as a .watchface (a watch screen design – essentially a ZIP file with an embedded PDF), executes a code that opens Safari in the background, which then loads the next components of the infection chain from a web page.

The web page contains a validator script that analyzes the parameters of the infected smartphone and decides whether to continue the infection. Canvas fingerprinting technology, which draws a triangle on the web page, is used to uniquely identify victims. This triangle gives its name to the entire campaign.

The attack exploits the CVE-2023-41990, CVE-2023-32434 and CVE-2023-38606 zero-day vulnerabilities in these stages.

After passing a check, the script on the web page additionally exploits the CVE-2023-32435 vulnerability and loads binary code into the device's memory, gaining root privileges and performing a more detailed check of the smartphone to match the attackers' interests. This binary validator also deletes traces of the received iMessage and loads the main malicious implant, TriangleDB.

The malware operates only in the smartphone's memory, so it is erased after a reboot. The attackers can then resend the iMessage and re-infect the victim.

To bypass the memory protections in recent generations of Apple processors (A12–A16), the exploit for the CVE-2023-38606 kernel vulnerability uses undocumented hardware features of the processors.

The exploit writes to MMIO registers, which are not described in the documentation and are not used by iOS applications or the iOS operating system itself. As a result, the exploit code can modify the hardware-protected area of the iOS kernel memory. Kaspersky researchers have suggested that this mechanism was probably created to debug the processor itself.^[17][18]

Some experts believe that "very few, if any, outside of Apple and chip suppliers like ARM Holdings" could know about this feature.^[21]

Hector Martin described a possible exploitation mechanism based on direct memory cache writes, which makes it possible to bypass its protection mechanisms in some cases.^[19]

The TriangleDB malware has a modular structure, so its functions can be extended by downloading additional modules from the server.

The basic version can upload files from the device to the attackers' server, extract data from the keychain, track the victim's geolocation, and modify files and processes on the smartphone.^[7]

Known additional modules support prolonged microphone recording (including in airplane mode), executing queries to databases stored on the device, and stealing chats from WhatsApp and Telegram.^[21][12]

Blocking updates

A telltale sign of smartphone infection caused by the Operation Triangulation malware is the inability to update iOS to a newer version. However, some infected devices have continued to update normally.^[22]

iTunes backup analysis

Traces of infection can be found in system files on the iPhone. Since these files are not accessible on the iOS device itself, a backup of the iPhone is made through iTunes on a computer and then analyzed. The triangle_check utility is used for analysis.^[3][4][23]

Network connection analysis

The malicious code of Operation Triangulation establishes connections with the attackers' servers, and a list has been made publicly available.^[2]

Removing the infection

For fully compromised devices, researchers recommend the following sequence of actions to prevent reinfection: factory reset, disable iMessage, and update iOS to a newer version.^[2]

Kaspersky has not made any official statements about the origin of the attack, nor has it attributed it to any hacker group or country.

However, on June 1, 2023, the Russian Federal Security Service (FSB) issued a statement about the discovery of malware affecting Apple mobile phones, using "software vulnerabilities provided by the manufacturer". The FSB also directly accused Apple of collaborating with the NSA. The statement indicated that several thousand phones were infected, including those outside Russia in NATO countries, the post-Soviet space, Israel, Syria and China.^[24][25]

Apple issued a statement on the same day, denying these accusations.^[26]

It should be noted that the FSB and Kaspersky made independent statements. However, some experts believe that both are referring to Operation Triangulation.^{[27][28][29][30]}

Apple publicly denied accusations of collaborating with intelligence agencies to implant backdoors.^[26]

The company released several update packages to fix the iOS vulnerabilities targeted by Operation Triangulation.^[31]

In July–August 2023, it became known that the use of Apple smartphones and tablets for official purposes was banned in several Russian governmental and commercial organizations, including the Ministry of Digital Development, Ministry of Industry and Trade, Ministry of Transport, Federal Tax Service and Russian Railways. Later in 2023, the Central Bank and the Ministry of Emergency Situations took the same decision.^[32]

In September 2023, it was revealed that the Chinese government had decided to expand its ban on iPhone use to include not only government employees but also state-controlled companies.^[33]

In 2024, South Korea's Ministry of National Defense announced a ban on iPhones for security reasons, while Android phones were not banned.^[34]

The exploit code in Operation Triangulation has been called the most complex in history.^[21]

The most remarkable features of the attack are the attackers' knowledge of undocumented Apple chip capabilities and the use of four zero-day vulnerabilities in a single attack.^[35]

Cryptographer Bruce Schneier described the attack as "absolutely crazy in sophistication" and "nation-state stuff".^[36]

Elon Musk also expressed interest in the complexity of the attack and possible defense methods.^[37]