
Possible US Government iPhone-Hacking Tool Leaks to Foreign

A powerful iPhone-hacking toolkit, "Coruna," potentially developed for the US government, has reportedly leaked and is now being used by Russian spies and cybercriminals. Google discovered the sophisticated exploits, capable of silently hijacking iPhones, which were first seen targeting Ukrainians and later used to steal cryptocurrency from Chinese victims. This proliferation highlights a dangerous "second-hand" market for advanced cyber weapons.

Published March 4, 2026

A sophisticated iPhone-hacking toolkit, potentially originating from a US government contractor, has reportedly fallen into the hands of Russian intelligence and, subsequently, cybercriminals. Dubbed "Coruna" by Google researchers, this powerful set of exploits can silently hijack an iPhone when its user merely visits a website, and it represents a critical security leak with alarming implications for global mobile device safety and international espionage. Its observed journey from targeting Ukrainians to stealing cryptocurrency from Chinese-speaking victims highlights a dangerous proliferation of advanced cyber capabilities.

Google's Tuesday report details Coruna as a highly advanced toolkit comprising five distinct hacking techniques that exploit 23 vulnerabilities in iOS. These techniques allow for the silent installation of malware on an iPhone simply by visiting a compromised website. Such a comprehensive collection of exploits suggests development by a well-funded, likely state-sponsored entity.

Coruna's Troubling Trajectory

The toolkit's evolution is a concerning timeline. Google initially detected components of Coruna in February of last year, attributing their use to an undisclosed “customer of a surveillance company.” Five months later, a more complete version resurfaced, employed in an espionage campaign by a suspected Russian spy group, discreetly embedded within visitor counters on Ukrainian websites. Most recently, Coruna has been observed in a purely profit-driven operation, infecting Chinese-language crypto and gambling sites to steal victims' cryptocurrency.

While Google's report is notably silent on the original "surveillance company customer," mobile security firm iVerify provides a strong suggestion: the code may have been built for or acquired by the US government. iVerify co-founder Rocky Cole points to Coruna's overlap with "Triangulation," a hacking operation discovered targeting Kaspersky in 2023, which Russia attributed to the NSA. Cole further notes the code appears to be originally written by English speakers and bears the "hallmarks of other modules that have been publicly attributed to the US government," calling it the first instance of “very likely US government tools…spinning out of control.”

An "EternalBlue Moment" for Mobile

This potential leak raises profound questions about the security of mobile devices globally, akin to what iVerify’s Cole terms the “EternalBlue moment for mobile malware.” EternalBlue was an NSA Windows-hacking tool stolen and leaked in 2017, leading to widespread catastrophic cyberattacks like WannaCry and NotPetya. Google warns that Coruna's proliferation suggests an “active market for ‘second hand’ zero-day exploits,” meaning these advanced techniques could be adopted or adapted by various threat actors.

Apple has since patched the vulnerabilities exploited by Coruna in iOS 17.3 and later versions. However, devices running iOS 13 through 17.2.1 remain susceptible, particularly when Safari is used, as the toolkit targets Apple's WebKit framework. Coruna also checks for and avoids devices with Apple's Lockdown Mode enabled, providing a layer of protection for users who utilize this stringent security setting. Despite these limitations, iVerify estimates that the cybercriminal version of Coruna alone may have infected roughly 42,000 devices, based on command-and-control server traffic. The full extent of infections from the Russian espionage campaign remains unclear.

Professional Origins, Crude Alterations

Spencer Parker, iVerify's chief product officer, described the core Coruna exploits as "very professionally written" and modular, contrasting them with the "poorly written" additions made by cybercriminals to steal cryptocurrency, photos, and emails. Rocky Cole argues against the possibility of Coruna being merely repurposed components of Triangulation, emphasizing that many elements are novel and the entire toolkit appears to have been crafted by a "single author," indicating a cohesive, purpose-built framework.

The Role of Exploit Brokers

The precise mechanism of Coruna's potential leak remains a mystery. However, experts like Cole point to the shadowy industry of zero-day exploit brokers who deal in sophisticated hacking techniques for tens of millions of dollars. These brokers, often “unscrupulous,” may sell tools to the highest bidder without exclusivity arrangements. Cole suggests that Coruna likely “ended up in the hands of a non-Western exploit broker, and they sold it to whoever was willing to pay,” echoing the sentiment that “the genie is out of the bottle.” This scenario gains some context from recent events, such as the sentencing of Peter Williams, an executive of US government contractor Trenchant, who sold hacking tools to a Russian zero-day broker.

The emergence and wide-ranging proliferation of Coruna underscore a chilling new reality in cybersecurity. A potent, potentially state-developed, iPhone-hacking capability has now entered the global black market, posing an ongoing threat to individuals and national security interests alike, even as the original source and the full extent of its impact continue to unravel.

FAQ

Q: What is Coruna and why is it significant?
A: Coruna is a highly sophisticated iPhone-hacking toolkit that exploits 23 vulnerabilities in iOS to silently install malware on devices. It's significant because it represents a rare and powerful capability, possibly originating from the US government, that has since proliferated to Russian spies and cybercriminals, raising major concerns about mobile security.

Q: Which iPhone users are vulnerable to Coruna?
A: iPhone users running iOS versions 13 through 17.2.1 are primarily vulnerable, especially if using Safari, as the toolkit targets Apple's WebKit framework. Apple has patched these vulnerabilities in iOS 17.3 and later. Devices with Apple's Lockdown Mode enabled are not targeted by Coruna.

Q: How did Coruna potentially get into the hands of foreign adversaries and criminals?
A: While unconfirmed, security experts suggest that unscrupulous zero-day exploit brokers, who operate a multi-million-dollar market for hacking tools, may have sold Coruna to various buyers. This could explain its journey from a potential US government source to Russian espionage operations and then to cybercriminal groups.
