A group of hackers suspected of collaborating at least in part with the Russian government targeted iPhone users in Ukraine, using a series of hacking tools designed to not only steal personal data but also potentially steal cryptocurrencies, according to cybersecurity researchers.
Researchers from Google and the security companies iVerify and Lookout analyzed a new cyberattack against Ukrainians launched by a group identified only as UNC6353. The researchers investigated the websites compromised in the hacking campaign, which they say is related to a website discovered earlier this month. This latest campaign used a hacking toolkit the researchers call Darksword.
The discovery of Darksword, which follows similar hacking toolkits, suggests that advanced, stealthy, and powerful spyware for iPhones may not be as rare as previously thought. Still, Darksword only targeted users in Ukraine, suggesting some restraint in what could have been a large-scale hacking campaign against users around the world.
In early March, Google revealed details of a sophisticated iPhone hacking toolkit called Coruna. The search giant said the tool was first used by the surveillance technology vendor’s government customers, then by Russian spies targeting Ukrainians, and finally by Chinese cybercriminals looking to steal cryptocurrencies. As TechCrunch later revealed, the hacking toolkit was originally developed by US defense contractor L3Harris, specifically its hacking and surveillance technology arm Trenchant.
Former L3Harris employees familiar with the company’s iPhone hacking tools say Coruna was originally designed for use by Western governments, particularly those in the so-called Five Eyes intelligence alliance made up of Australia, Canada, New Zealand, the United States and the United Kingdom.
Now, researchers said they have discovered a related campaign using modern hacking tools that exploit a variety of vulnerabilities.
Researchers say the Darksword toolkit was built to steal passwords and other personal information, including photos, WhatsApp and Telegram chats, text messages, and browser history. Interestingly, Darksword was not designed for continuous surveillance, but rather to infect victims, steal information, and quickly disappear.
Darksword’s “on-device time is likely in the range of several minutes, depending on the amount of data discovered and exfiltrated,” Lookout researchers wrote.
For Rocky Cole, co-founder of iVerify, the most likely explanation is that the hackers were interested in learning about their victims’ life patterns, and rather than requiring continuous surveillance, it was more of a smash-and-grab operation.
Darksword was also designed to steal cryptocurrencies from popular wallet apps, which is unusual for a suspected government hacking group.
“This may indicate that this actor has financial motivations, or that this (possibly) Russian state-aligned activity is expanding to financial theft targeting mobile devices,” Lookout said in the report.
However, Cole told TechCrunch there is no evidence that the Russian hacker group was actually interested in stealing cryptocurrencies, only that the malware may have been used for that purpose.
According to Lookout, the malware is professionally developed and designed to be modular and easy to extend with new features. Cole said he believes the person who sold Coruna to the Russian government hacking group may have also sold Darksword.
As for who is behind Darksword, Cole said “all signs point to the Russian government,” while Lookout said it is the same group that used Coruna against Ukrainians, which is also suspected to be a Russian government group.
“UNC6353 is a well-funded and well-connected threat actor conducting attacks for financial gain and espionage in line with Russian intelligence requirements,” Justin Albrecht, Principal Security Researcher at Lookout, told TechCrunch. “Given its dual objectives of financial theft and intelligence gathering, we believe it can be argued that UNC6353 may be a Russian criminal agent.”
As for the victims, Cole said the malware was designed to infect anyone within Ukraine as long as they accessed specific Ukrainian websites, and it was not a particularly targeted campaign.