
US iPhone-Hacking Tools Leaked to Foreign Spies and Criminals

Summary

– The “Coruna” toolkit is a highly sophisticated iPhone-hacking system that can silently infect devices via malicious websites by exploiting 23 iOS vulnerabilities.
– Google’s report traces Coruna’s use from a surveillance company’s customer, to a suspected Russian spy group targeting Ukrainians, and finally to cybercriminals stealing cryptocurrency from Chinese-speaking victims.
– Security researchers suggest Coruna may have originated as a US government tool, based on its sophistication, English-language code, and links to a prior operation Russia attributed to the NSA.
– The toolkit’s proliferation from state actors to criminals represents a dangerous leak, raising concerns about a market for second-hand, advanced hacking techniques.
– Experts compare this event to the leak of the NSA’s EternalBlue tool, warning it could enable widespread mobile malware attacks if similarly adapted by other hackers.

The digital world is facing a significant new threat with the emergence of a powerful iPhone-hacking toolkit, now confirmed to have leaked from state-sponsored espionage into the hands of cybercriminals. This sophisticated collection of exploits, known as Coruna, represents a dangerous proliferation of advanced cyber weapons, capable of silently hijacking iPhones through a simple visit to a compromised website. Security researchers warn that its journey from a likely U.S. government contractor to Russian spies and then to profit-driven hackers marks a troubling new chapter in global cybersecurity.

A new report from Google details the capabilities of this toolkit, which leverages five distinct hacking techniques and a total of 23 separate iOS vulnerabilities to bypass all of Apple’s security protections. The sheer scale and complexity of the operation point to a well-funded, state-sponsored origin. Google’s investigation traces Coruna’s components back to February of last year, when they were used by an entity described only as a “customer of a surveillance company.” By July, a more complete version was deployed in an espionage campaign attributed to a suspected Russian intelligence group, which embedded the malicious code within visitor-tracking components on Ukrainian websites.

The toolkit’s path took an even more alarming turn when it resurfaced in a purely criminal operation. Google detected Coruna being used to infect Chinese-language cryptocurrency and gambling websites, with the aim of delivering malware designed to steal digital assets from victims. This transition from geopolitical espionage to financial theft underscores the unpredictable and dangerous lifecycle of such powerful digital tools once they escape controlled environments.

While Google’s report does not name the original “customer,” analysis from mobile security firm iVerify suggests a provocative origin. Researchers there, who obtained a version of Coruna from one of the infected Chinese sites, note that the code contains multiple components previously linked to a hacking operation called “Triangulation.” That campaign, which targeted Russian cybersecurity firm Kaspersky in 2023, was publicly claimed by the Russian government to be the work of the U.S. National Security Agency. iVerify’s co-founder, Rocky Cole, points out that the toolkit’s sophistication, cost, and technical hallmarks align with other tools publicly attributed to U.S. government operations.

“This is the first example we’ve seen of very likely U.S. government tools, based on what the code is telling us, spinning out of control and being used by both our adversaries and cybercriminal groups,” Cole stated. He emphasizes that the code itself appears to have been written by English-speaking developers, further supporting the theory of a Western origin. The implications are profound, raising serious questions about the security protocols surrounding advanced cyber weapons developed for or purchased by government agencies.

Google warns that this valuable toolkit is now loose in the wild, creating a persistent threat. The report highlights an “active market for ‘second hand’ zero-day exploits,” where secret hacking techniques that exploit unpatched software flaws are traded. This proliferation means multiple threat actors now possess advanced capabilities that can be reused or modified with newly discovered vulnerabilities, putting a vast number of iPhone users at potential risk.

Cole draws a direct parallel to an infamous historical precedent, calling this “the EternalBlue moment for mobile malware.” EternalBlue was a powerful Windows-exploiting tool stolen from the NSA and leaked in 2017; its subsequent use fueled global cyberattacks like the WannaCry and NotPetya worms, which caused billions in damages. The fear is that Coruna could follow a similar, devastating trajectory, transforming from a controlled intelligence asset into a ubiquitous weapon for hackers worldwide. The incident serves as a stark reminder of the cascading dangers when the most advanced digital weapons fall into the wrong hands.

(Source: Wired)
