iPhone Hacking Toolkit 'Coruna' Shifts from State Actors to Cybercriminals, US Origin Suspected


A sophisticated iPhone hacking toolkit, named "Coruna" by Google security researchers, has been observed in several exploitation campaigns. The toolkit, which can hijack an iOS device when its user merely visits a malicious website, appears to have passed from suspected state-sponsored actors to cybercriminal operations, and available evidence points to a US contractor as its possible original developer.

Coruna Toolkit Details

Google security researchers released a report detailing "Coruna," an advanced iPhone hacking toolkit. It comprises five hacking techniques designed to bypass iPhone defenses and silently install malware when a target visits a malicious website. Coruna exploits 23 distinct iOS vulnerabilities, a scale of investment that indicates development by a well-resourced, likely state-sponsored, entity.

Observed Use and Proliferation

Google traces Coruna's components to techniques first observed in February last year and attributed to a "customer of a surveillance company." A more complete version of Coruna then appeared in an alleged espionage campaign by a suspected Russian spy group, embedded in the visitor-counter components of Ukrainian websites. Subsequently, Coruna was used in a profit-driven hacking campaign that targeted Chinese-language crypto and gambling sites to steal cryptocurrency.

Suspected Origin

Google's report does not identify the initial "surveillance company customer." However, iVerify, another mobile security company that analyzed Coruna, suggests the toolkit may have been created for or acquired by the US government. Both Google and iVerify note that Coruna shares components with "Triangulation," an operation targeting Kaspersky in 2023, which the Russian government attributed to the NSA. The US government did not respond to this claim.

iVerify cofounder Rocky Cole stated that Coruna's code appears to have been written by English-speaking developers. Cole described the toolkit as highly sophisticated, expensive to develop, and exhibiting characteristics seen in modules publicly attributed to the US government.

He referred to it as a potential instance of US government tools being utilized by adversaries and cybercriminal organizations.

Security Implications

Google warned that the Coruna toolkit, regardless of its origin, is now available in the wild, posing a risk that other hacker groups could adopt or adapt it to target iPhone users. Google's report states that the method by which the toolkit spread is unknown, but its spread implies a market for "second-hand" zero-day exploits, with multiple threat actors having acquired advanced exploitation techniques that can be reused and modified.

Cole of iVerify commented that if Coruna originated as a US government tool, it raises concerns about mobile device security, given that sophisticated hacking tools can evidently reach adversaries. He compared the situation to "EternalBlue," a Windows-hacking tool stolen from the NSA and leaked in 2017, which was subsequently used in major cyberattacks such as WannaCry and NotPetya.