
Russians Use iPhone Hacking Tools to Steal Ukrainian Data

Originally published on: March 20, 2026
Summary

– A Russian government-linked hacking group, UNC6353, targeted iPhone users in Ukraine with a new toolkit called Darksword to steal personal data and potentially cryptocurrency.
– The discovery of Darksword, following the similar Coruna toolkit, suggests advanced iPhone spyware is becoming more common, though its use was confined to Ukraine.
– Darksword was designed for quick “smash-and-grab” operations to steal information like messages and passwords, not for persistent surveillance, and then disappear within minutes.
– Unusually for a suspected state group, Darksword could steal cryptocurrency, indicating possible financial motives or an expansion of Russian-aligned activities into theft.
– Researchers believe the professionally developed Darksword was likely sold by the same entity that provided the earlier Coruna toolkit to the same Russian government-aligned actors.

Cybersecurity experts have uncovered a new hacking toolkit, dubbed Darksword, being used to target iPhone users in Ukraine. The campaign, attributed to a group known as UNC6353, is believed to have ties to Russian state interests and is designed to steal sensitive personal data and potentially cryptocurrency. This discovery follows the recent exposure of a similar tool called Coruna, indicating that sophisticated spyware for Apple devices is becoming more prevalent, though its use appears geographically contained for now.

Analysts from Google, iVerify, and Lookout investigated the attacks, which involved compromised Ukrainian websites. The Darksword malware operates with a “smash-and-grab” methodology. Instead of lingering on a device for long-term surveillance, it infects, steals data, and quickly removes itself. Its primary targets include passwords, photos, messages from apps like WhatsApp and Telegram, and browser history. The malware’s dwell time is estimated to be just minutes, tailored to the volume of data it finds and extracts.

A notable feature of Darksword is its capability to pilfer cryptocurrency from mobile wallet applications. This financial motive is somewhat unusual for a group suspected of conducting state-aligned espionage. Researchers suggest it could indicate the actors have expanded their operations to include financial theft, or that the group has a dual purpose combining intelligence gathering with profit. However, there is no concrete evidence that cryptocurrency theft was a primary objective in these attacks; the malware simply possesses the functionality.

The toolkit is professionally built with a modular architecture, allowing new features to be added easily. This sophistication points to experienced developers. Investigators believe it is possible that the same entity that provided the earlier Coruna toolkit to Russian operatives is also behind Darksword. Coruna itself has a complex history: it was originally developed within U.S. defense contractor L3Harris for Western intelligence agencies before being repurposed by Russian and Chinese actors.

Regarding attribution, analysts see strong links to Russia. The group UNC6353 is described as well-funded and connected, conducting operations that align with Russian intelligence goals while also showing criminal profit motives. The malware was configured to infect visitors to specific Ukrainian websites, but only if their devices were physically located within Ukraine. This suggests a campaign focused on a broad Ukrainian audience rather than highly selective individual targeting.

The emergence of these tools underscores a troubling trend: powerful, stealthy iPhone hacking capabilities are being deployed in active conflicts. While currently confined to a specific region, the underlying technology poses a potential threat to users globally if deployed without such limitations.

(Source: TechCrunch)
