The Covert Operation Triangulation: In-depth Analysis of the TriangleDB Spyware and Apple’s Response

Cybersecurity company Kaspersky recently uncovered a sophisticated espionage operation involving malware, codenamed TriangleDB, targeting Apple devices. According to the Russian cybersecurity firm, the spyware was deployed after gaining root access to iOS devices by exploiting a kernel vulnerability. Concurrently, Apple has released a series of software updates aimed at patching this kernel vulnerability, thereby securing several iPhone, iPad, Apple Watch, and macOS devices.

The Unveiling of TriangleDB

Kaspersky discovered the covert operation at the start of the year after becoming a target itself. The malware, codenamed TriangleDB, has a lifespan of 30 days, after which it uninstalls itself unless the attackers extend the period. As Kaspersky researchers explained in a recent report, the implant runs only in memory, so it leaves no trace once the device is rebooted. To regain access, the attackers must reinfect the device by sending another iMessage with a malicious attachment, thereby launching the entire exploitation chain again.

How Operation Triangulation Works

The operation involves zero-click exploits via the iMessage platform, permitting the spyware total control over the device and user data. The attack begins with an invisible iMessage bearing a malicious attachment. This attachment, by exploiting a number of vulnerabilities in the iOS operating system, gets executed on the device, thereby installing the spyware. This process is entirely concealed and does not require any action from the user.

The TriangleDB Backdoor

The backdoor, written in Objective-C, is at the heart of this covert operation. It establishes encrypted connections with a command-and-control (C2) server and periodically sends a heartbeat beacon containing device metadata. In response to these heartbeat messages, the server sends back one of 24 commands. These commands enable the dumping of iCloud Keychain data and the loading of additional Mach-O modules in memory to gather sensitive data, including file contents, geolocation data, installed iOS applications, and running processes. Following the extraction of sensitive data, the original message is erased, covering the attackers’ tracks.
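The paragraph above describes the implant's periodic heartbeat to its C2 server. One observable side effect of that behaviour is an outbound flow that recurs at a near-constant interval, which a defender can look for in connection or flow logs. The following detector is an added example, not code from Kaspersky, Apple, or this article; the log format, the sample lines, the thresholds and the function names are all constructed for illustration.

```python
"""Periodic-beacon detector over constructed connection logs.

Added example (not Kaspersky's or Apple's code). The log format and the
sample lines below are constructed for this example; adapt parse_log() to
whatever flow records you actually keep.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample records: "<ISO timestamp> <src> <dst> <bytes_out>".
# The flow to 203.0.113.10 recurs roughly every 60 s; the flow to
# 198.51.100.7 is irregular (ordinary browsing-like traffic).
SAMPLE_LOG = """\
2023-06-01T10:00:00 10.0.0.5 203.0.113.10 412
2023-06-01T10:00:03 10.0.0.5 198.51.100.7 1200
2023-06-01T10:01:00 10.0.0.5 203.0.113.10 415
2023-06-01T10:01:41 10.0.0.5 198.51.100.7 5600
2023-06-01T10:02:00 10.0.0.5 203.0.113.10 410
2023-06-01T10:03:01 10.0.0.5 203.0.113.10 413
2023-06-01T10:03:17 10.0.0.5 198.51.100.7 300
2023-06-01T10:04:00 10.0.0.5 203.0.113.10 414
2023-06-01T10:05:00 10.0.0.5 203.0.113.10 411
2023-06-01T10:09:30 10.0.0.5 198.51.100.7 80
"""


def parse_log(text):
    """Yield (timestamp, src, dst, bytes_out) tuples; skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
            size = int(parts[3])
        except ValueError:
            continue
        yield ts, parts[1], parts[2], size


def find_beacons(text, min_hits=5, max_cv=0.15):
    """Return flows whose gaps between successive connections are nearly constant.

    cv = population stdev / mean of the inter-connection gaps; a small value
    means a regular cadence. min_hits avoids calling two or three connections
    'periodic'. Both thresholds are assumptions chosen for this example.
    """
    flows = defaultdict(list)
    for ts, src, dst, _ in parse_log(text):
        flows[(src, dst)].append(ts)

    results = []
    for (src, dst), stamps in flows.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            results.append({"src": src, "dst": dst, "hits": len(stamps),
                            "interval_s": round(avg, 1), "cv": round(cv, 3)})
    return results


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(f"{hit['src']} -> {hit['dst']}: {hit['hits']} connections "
              f"every ~{hit['interval_s']}s (cv={hit['cv']})")
```

On the constructed sample this flags only the 60-second flow to 203.0.113.10. A regular cadence alone is not proof of an implant: OS and app telemetry, push services and sync clients also phone home on timers, so in practice the flagged destination is a starting point for triage (reputation, certificate, process attribution), not a verdict.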

Apple’s Countermeasures

To counter the identified threats, Apple has released software updates that patch the kernel vulnerability across multiple Apple devices. This includes nearly all iPhone and iPad models, Apple Watch Series 3 and later, and computers running macOS Ventura, Monterey, and Big Sur. The release notes credit Kaspersky researchers with finding the flaw and acknowledge that versions of iOS released before iOS 15.7 might have been actively exploited. Kaspersky’s analysis suggests that the exploit has not been successful on devices running iOS 15.7 or later. However, later stages of the exploit process remained operational.

Additional Vulnerability Patches

In addition to the kernel bug, Apple’s updates also address two other vulnerabilities: a flaw in WebKit (CVE-2023-32439), reported by an anonymous researcher, and another actively exploited code-execution flaw in WebKit (CVE-2023-32435), reported by the Kaspersky team.

Origins and Implications of Operation Triangulation

The origins of the espionage campaign remain unclear. The Russian government has implicated the U.S., alleging that it broke into several thousand Apple devices belonging to both domestic and foreign diplomats as part of a reconnaissance operation. Apple, however, has consistently maintained its stance against assisting any government in inserting backdoors into its products. Despite the allegations and speculation, there is still no concrete evidence to link the espionage campaign to a specific group or nation. “Judging by the cyberattack characteristics, we’re unable to link this cyberespionage campaign to any existing threat actor,” a Kaspersky spokesperson stated.

The Investigation of TriangleDB

Following the initial detection of TriangleDB on several dozen iPhones belonging to Kaspersky’s top and middle management, the cybersecurity firm embarked on a six-month investigation into the operation, including an in-depth analysis of the exploitation chain. The researchers uncovered some intriguing aspects of the malware’s source code. Its authors used idiosyncratic terminology, referring to string decryption as “unmunging” and borrowing database vocabulary for various elements: files (record), processes (schema), the C2 server (DB Server), and geolocation information (DB Status). Another peculiar feature was the presence of a routine labeled “populateWithFieldsMacOSOnly.” Although this method is not called in the iOS implant, its name suggests that TriangleDB could also be deployed against macOS devices. The implant also requests multiple entitlements (permissions) from the operating system. Some of these, such as access to the camera, microphone, and address book, or the ability to interact with devices via Bluetooth, are not used in the implant’s own code, indicating that these capabilities are likely implemented in the additional modules it loads.

Protective Measures and Tools

To aid in the detection of the TriangleDB implant, Kaspersky has released a triangle_check utility that automatically scans a device for signs of the spyware. Separately, Apple’s software updates have closed the later stages of the exploit chain, which had remained functional even on newer versions of iOS. This significantly reduces the risk of other attacks exploiting the same vulnerabilities.

Conclusions and Future Implications

The investigation into Operation Triangulation and TriangleDB, while successful in uncovering the exploits and enabling Apple to develop patches, has also served as a reminder of the ever-evolving nature of cybersecurity threats. As technology advances, so do the methods and tactics of those seeking to exploit it for malicious purposes. This incident underscores the critical importance of staying updated with the latest security patches and being vigilant about potential cybersecurity threats. The challenge lies in attributing these complex cyber espionage campaigns to specific threat actors or nations, a task that remains elusive for now. However, the global tech and cybersecurity community continues to work collaboratively in the face of these threats, thereby fostering a safer cyber environment for users worldwide.