Russia is usually reluctant to blame attacks on its digital infrastructure on other states, but in early June, the FSB made a number of statements indicating a change in traditional Russian approaches, according to PIR Center consultant Oleg Shakirov.
On June 1, Kaspersky Lab reported a targeted cyberattack: with the help of previously unknown malware, attackers tried to inject spyware into the iPhones of top management and employees of the company. However, this news received a wide response not so much because of the technical complexity of the attack, but because of the political context. On the same day, the FSB also made a statement about the revealed spy action, laying the blame on the American intelligence services and Apple Corporation.
Information about the spy campaign came into the public space from several sources that contain different details and do not agree on everything. Therefore, to begin with, it is worth understanding the sequence of events.
Timeline of exposure
The FSB was the first to report the attack: together with the FSO, it said, it had uncovered “an intelligence operation by American intelligence services carried out using Apple (USA) mobile devices.” The short five-paragraph press release claims that the malware used by the attackers exploited software vulnerabilities provided by the manufacturer. From this, the Russian security services concluded that Apple was cooperating closely with the American intelligence community, in particular the National Security Agency (NSA). According to the press release, thousands of iPhones were infected, belonging both to Russian subscribers and to numbers registered to foreign diplomatic missions in Russia, including those of NATO countries, post-Soviet states, Israel, Syria and China.
The FSB press release contained neither a technical description of the attack nor indicators of compromise, that is, artifacts (such as file hashes, domain names or addresses of control servers) that defenders could use to detect the malicious activity on their own devices. That said, the FSB’s public statements about cyberattacks are almost always limited to a general description.
The FSB statement was backed by the Ministry of Foreign Affairs, which added that “evidence of such illegal activities (the use of private companies by US intelligence agencies for surveillance) appears every year.”
Only after these political statements by government agencies did Kaspersky Lab publish a study describing how iPhones were infected with previously unknown malware as part of a campaign it designated “Operation Triangulation.” The malware arrived on the phone as an iMessage message and ran on its own, without any user interaction (a so-called zero-click attack); it then contacted a command-and-control server and downloaded additional components, which ultimately allowed the attackers to collect information about the user and the system and to run arbitrary code on the device.
Kaspersky Lab specialists noted how difficult the suspicious activity was to track and study. However, they made no claims about the involvement of the United States (the company, as a rule, does not attribute attacks to states) or of Apple. On the contrary, before the report was released, and before national computer incident response teams were notified, the researchers had sent part of the malware they analyzed to Apple through its security program.
Finally, Kaspersky Lab found the attacks only on its own employees, which is also at odds with the FSB’s figure of thousands of infected phones. The company does not, however, believe it was the main target of the espionage and hopes to identify other victims.
A third document linked the FSB press release and the Kaspersky Lab study: a bulletin from the National Coordination Center for Computer Incidents, which is subordinate to the FSB. The bulletin repeated the political accusations and referred the reader to the “Operation Triangulation” report for technical details.
Who is to blame
As a result, many key points, primarily the role of Apple and American intelligence agencies, remained unclear.
Apple’s record with US intelligence agencies is indeed mixed. In 2013, Edward Snowden’s revelations showed that Apple was among the companies involved in the NSA’s PRISM program for intercepting and storing Internet communications. The NSA sent the companies requests about specific accounts or addresses and received the relevant data in response, which it then used for analysis. Although the program was run under the Foreign Intelligence Surveillance Act (FISA), its disclosure caused a scandal, and the participating companies were forced to justify themselves to their users. Apple continues to respond to FISA requests today and, when required, hands intelligence agencies data from users’ iCloud accounts.
On the other hand, Apple has consistently opposed building backdoors for intelligence agencies, that is, technical means of gaining unauthorized access to data. It reaffirmed that position in its response to the FSB’s accusations. In 2014, the company enabled data encryption on its mobile devices by default, which made extracting information difficult both for law enforcement agencies and for the company itself. In 2016, Apple refused an FBI request to help unlock the iPhone of one of the attackers in the San Bernardino mass shooting; in the end, an Australian hacking firm helped the FBI get into the phone.
In recent years, Apple has also faced the threat of commercial spyware such as Pegasus from the Israeli firm NSO Group. In 2021, the company sued the developer of Pegasus for exploiting a previously unknown vulnerability in its products.
Could Apple deliberately leave software vulnerabilities open for US intelligence agencies? It makes far more sense for a company to close gaps than to leave them open as a gesture of goodwill and risk other attackers exploiting the same weaknesses. This reading is partly supported by the comments on the Kaspersky Lab study, according to which one of the vulnerabilities probably used in Operation Triangulation was already known and had been closed in iOS 16.2; a vendor deliberately holding a door open for an intelligence agency would hardly patch it.
As for the American intelligence services, their possible involvement in the attack looks much more plausible. The NSA, traditionally responsible for signals intelligence, is actively engaged in cyber espionage, and intelligence operations in cyberspace are also conducted by the CIA and other agencies. The same Snowden revelations showed that the NSA had formed several teams to look for ways to break into popular systems and devices, including the iPhone and its operating system.
Given the capabilities of the United States, its intelligence agencies have no need to collude with Apple. The NSA or another agency can discover vulnerabilities in products of interest on its own and develop the means to exploit them, or buy such information from contractors, while keeping the manufacturer in the dark. A clear example is EternalBlue, an exploit for a vulnerability in Windows: the NSA reported the flaw to Microsoft only after it learned that its cyber arsenal had been stolen by the hacker group The Shadow Brokers.
And, of course, Russia is of obvious interest to the American intelligence community. Moreover, as it became known from the leak of secret Pentagon documents, a significant part of the intelligence about Russian plans and actions comes to the American intelligence services precisely through the interception of communications, including digital ones.
Proving the involvement of state hackers in a cyberattack is, however, quite difficult. Attribution usually rests on evidence such as the choice of targets, the use of tools or infrastructure already known to be associated with a particular service, information about the personnel involved, and language and other artifacts left in the code. The FSB press release offers no such evidence; its conclusions are to be taken on trust.
Yet even if evidence were presented, it would not force the Americans to publicly admit responsibility. Despite the growing prevalence of government cyber operations and surveillance, governments almost never take responsibility for them. The United States, for example, has admitted its involvement only in Operation Glowing Symphony, which targeted the online resources of ISIS members (a terrorist organization banned in Russia). In other cases, American officials have at best limited themselves to general statements or anonymous leaks to the press.
The politics of blame
With all the caveats above, the FSB’s statements, taken together with the Kaspersky Lab study they refer to, are probably the most specific Russian accusation to date that the United States has conducted malicious activity in cyberspace. This is all the more notable because, at the international level, Russia has for many years held, and continues to hold, the position that identifying the perpetrators of cyberattacks is problematic, if not impossible, and that public attribution is dangerous because it can serve as a pretext for hostile action against the accused state.
In May, Russian diplomats submitted to the UN General Assembly a concept for a convention on international information security which likewise reflects a critical attitude toward attribution. Among the threats it lists is “the impossibility of accurately identifying the source of computer attacks.” It also stresses that baseless accusations against states over cyberattacks are inadmissible and that any accusations made must be substantiated.
Russian criticism of the Western practice of publicly attributing cyberattacks has intensified since 2016, when, against the backdrop of the US presidential election and Donald Trump’s victory, Washington and its allies increasingly began to level accusations at the Russian intelligence services. This has not stopped Russian officials from periodically naming the United States as the main source of cyber threats to Russia.
Since 2022, when, because of the “special operation” *, Russia faced an avalanche of cyberattacks from pro-Ukrainian groups and, probably, from hackers working for other states, the number of accusations against the West has only grown. Russian agencies, including the Foreign Ministry and the FSB, have repeatedly stated that the United States and its allies have unleashed cyber aggression against Russia and are using Ukraine as a springboard for attacks.
In this context, Russia’s allegations of Apple’s involvement in espionage should be seen as another milestone, as this is the first time the allegation concerns a single campaign, rather than malicious activity in general.
Such a move could serve several purposes at once. The first is practical defense against cyber threats. In diplomatic forums one can describe attribution of cyberattacks as a dangerous practice, but in everyday practice a defender needs as much information as possible about threats and their likely sources, so warning about a new attack vector is a logical step for an organization responsible for information security at the national level. This can hardly have been the main goal, however, if only because the government statements contained none of the technical details (such as indicators of compromise) that cybersecurity specialists would need to check their own devices.
The claim that American intelligence agencies and Apple are in collusion clearly also serves a propaganda goal: to reinforce the image of the United States as a source of cyber threats and to undermine trust in American companies. Here Russian policy is in tune with China’s: in April, China’s National Computer Virus Emergency Response Center and the local security firm Qihoo 360 published a report titled “Hacker Empire” exposing CIA operations on the Internet, and Chinese diplomats now use the term “hacker empire” when responding to the latest US hacking allegations.
Finally, another possible aim of the FSB’s public statements is to hand arguments to supporters of import substitution in IT. Apple products still enter Russia via parallel imports, which runs counter to the general policy of using domestic products. By stressing that the American company’s devices are supposedly unsafe, the security services are in effect strengthening the position of local manufacturers. Symbolically, on the same day as the FSB’s revelations, it emerged that the government plans to purchase up to 2 million phones running the Russian Aurora operating system for civil servants.
One must bear in mind, however, that domestic products are no panacea: they too may contain bugs that open the way to attacks and surveillance. And if US intelligence agencies were to find a vulnerability in a Russian phone, they could exploit it with a clear conscience, with no need to notify the manufacturer and no worry that Americans might be exposed to the same flaw.