Alleged US iPhone Hacking Tool Coruna Leaked to Foreign Spies and Cybercriminals

Technology Source: www.wired.com

Security researchers at Google have uncovered a sophisticated iPhone hacking toolkit named "Coruna," which exploits 23 vulnerabilities in iOS to install malware on devices. This toolkit, capable of bypassing all iPhone defenses, is believed to have been created by a well-funded, likely state-sponsored group. Google first identified components of Coruna in early 2022, linked to a "customer of a surveillance company." Later, a more complete version was used in espionage campaigns by a suspected Russian spy group targeting Ukrainian websites and in profit-driven attacks on Chinese-language crypto and gambling sites.

The origin of Coruna remains unclear, but mobile security company iVerify suggests it may have been developed for or purchased by the US government. Coruna shares components with a hacking operation called "Triangulation," which targeted Russian cybersecurity firm Kaspersky in 2023. The Russian government attributed this attack to the NSA, though the US did not respond to these claims. iVerify's analysis indicates that Coruna's code was likely written by English-speaking developers and bears similarities to other US government-attributed modules.

Google warns that Coruna, now in the wild, could be adapted by various hacker groups targeting iPhone users. The toolkit's proliferation suggests an active market for "second hand" zero-day exploits, which exploit unpatched vulnerabilities. iVerify's cofounder, Rocky Cole, compares this situation to the "EternalBlue moment" for mobile malware, referencing the Windows-hacking tool leaked from the NSA in 2017.

Apple has patched the vulnerabilities exploited by Coruna in its latest iOS versions, but devices running iOS 13 through 17.2.1 remain vulnerable. Coruna targets Apple's WebKit framework, affecting Safari users on older iOS versions, but not Chrome users. The toolkit also checks for Apple's Lockdown Mode, avoiding devices with this security setting enabled.
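For a defender, the practical question raised by the paragraph above is which managed devices still fall inside the affected version window. The script below is an added example written for this page, not code from the article, Google, iVerify or Apple; it assumes a simple device-inventory record format (`id`, `ios_version`, `lockdown_mode`) and treats the article's range of iOS 13 through 17.2.1 as inclusive at both ends. It compares versions as integer tuples, because a plain string comparison would rank "17.10" below "17.2.1" and misclassify a patched device as exposed.

```python
"""Triage a constructed device inventory against the Coruna exposure
conditions stated in the article: iOS 13 through 17.2.1, with Lockdown
Mode not enabled.  Added example; inventory format and inclusive range
bounds are assumptions, not details taken from the article."""

from typing import Dict, List, Optional, Tuple

# Range from the article, assumed inclusive on both ends.
VULN_LOW: Tuple[int, int, int] = (13, 0, 0)
VULN_HIGH: Tuple[int, int, int] = (17, 2, 1)

# Constructed sample inventory (hypothetical device ids and values).
SAMPLE_DEVICES: List[Dict] = [
    {"id": "d1", "ios_version": "17.2.1", "lockdown_mode": False},
    {"id": "d2", "ios_version": "17.10", "lockdown_mode": False},   # newer than 17.2.1
    {"id": "d3", "ios_version": "16.5", "lockdown_mode": True},
    {"id": "d4", "ios_version": "12.5.7", "lockdown_mode": False},  # below iOS 13
    {"id": "d5", "ios_version": "beta", "lockdown_mode": False},    # unparseable
]


def parse_ios_version(s: str) -> Optional[Tuple[int, int, int]]:
    """'17.2.1' -> (17, 2, 1); '17.2' -> (17, 2, 0); None if not numeric."""
    parts = s.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        return None
    nums = [int(p) for p in parts[:3]]
    while len(nums) < 3:
        nums.append(0)  # pad missing minor/patch components with zero
    return (nums[0], nums[1], nums[2])


def in_vulnerable_range(version: str) -> bool:
    """True when the version parses and lies within [VULN_LOW, VULN_HIGH]."""
    v = parse_ios_version(version)
    return v is not None and VULN_LOW <= v <= VULN_HIGH


def classify(device: Dict) -> str:
    """Map one inventory record to a triage status.

    exposed               in range, Lockdown Mode off: update immediately
    in_range_lockdown     in range, Lockdown Mode on: the toolkit reportedly
                          skips these, but the device is still unpatched
    outside_range         below iOS 13 or above 17.2.1 per the article
    unknown_version       version string could not be parsed: verify manually
    """
    v = parse_ios_version(device["ios_version"])
    if v is None:
        return "unknown_version"
    if not (VULN_LOW <= v <= VULN_HIGH):
        return "outside_range"
    if device.get("lockdown_mode", False):
        return "in_range_lockdown"
    return "exposed"


def triage(devices: List[Dict]) -> List[Tuple[str, str]]:
    """Return (device_id, status) pairs for every record in the inventory."""
    return [(d["id"], classify(d)) for d in devices]


def summarize(devices: List[Dict]) -> Dict[str, int]:
    """Count devices per triage status, so the exposed total is visible at a glance."""
    counts: Dict[str, int] = {}
    for _, status in triage(devices):
        counts[status] = counts.get(status, 0) + 1
    return counts


if __name__ == "__main__":
    for device_id, status in triage(SAMPLE_DEVICES):
        print(f"{device_id}: {status}")
    print(summarize(SAMPLE_DEVICES))
```

The `in_range_lockdown` status is kept separate from `outside_range` on purpose: the article says the toolkit avoids devices with Lockdown Mode enabled, which reduces exposure to this particular kit, but such a device is still running an unpatched build and belongs in the update queue rather than the "done" pile.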

Despite these limitations, iVerify estimates that Coruna may have infected around 42,000 devices in the Chinese-language campaign alone. The full extent of its impact, including potential victims in Ukraine, remains unknown. Google and Apple have not commented beyond the published report.

iVerify's analysis of the cybercriminal version of Coruna reveals that additional malware was added to drain cryptocurrency and steal data, though these additions were less sophisticated than the original toolkit. iVerify's Spencer Parker describes Coruna's exploits as highly professional, suggesting the cruder malware was added by later users.

While some speculate that Coruna's components could have been repurposed from the Triangulation malware, iVerify's Cole believes the toolkit was likely created by a single author. The mystery of how Coruna ended up in foreign and criminal hands remains, but Cole points to the market for zero-day exploits, where brokers sell hacking techniques to the highest bidder. This market's lack of exclusivity arrangements could have facilitated Coruna's spread.

Notably, Peter Williams, an executive of US contractor Trenchant, was recently sentenced for selling hacking tools to a Russian broker. This case highlights the potential for US-developed tools to leak into adversarial hands, raising concerns about the security of mobile devices.
