A shocking revelation has emerged, highlighting the potential risks associated with government-developed hacking tools. The story of Coruna, a highly advanced iPhone hacking toolkit, is a cautionary tale that underscores the dangers of such powerful tools falling into the wrong hands.
The Dark Journey of Coruna
Coruna, a sophisticated iPhone hacking toolkit, has taken a disturbing path from its initial deployment by Russian spies to target Ukrainians to its use by cybercriminals aiming to steal cryptocurrency from Chinese-speaking victims. What's even more concerning is the suggestion that this toolkit may have originated from a US contractor and was sold to the American government.
Security researchers at Google have released a detailed report on Coruna, describing it as a highly sophisticated collection of hacking techniques capable of bypassing iPhone defenses and silently installing malware. With 23 distinct vulnerabilities exploited, Coruna is a rare and powerful tool, likely developed by a well-funded, state-sponsored hacking group.
The toolkit's journey began with a 'customer of a surveillance company,' as Google puts it, and then made its way into the hands of suspected Russian spies. Five months later, it reappeared in a cybercriminal campaign targeting Chinese-language crypto and gambling sites. This rapid and unexpected proliferation raises serious concerns about the control and security of such advanced hacking tools.
A Controversial Origin Story
While Google's report doesn't name the original 'customer,' iVerify, a mobile security company, suggests that Coruna may have been created for or purchased by the US government. Both Google and iVerify note the toolkit's similarities to a previous hacking operation, 'Triangulation,' which targeted Kaspersky, a Russian cybersecurity firm. The Russian government claimed that Triangulation was the work of the NSA, but the US government remained silent on the matter.
iVerify's cofounder, Rocky Cole, emphasizes the sophistication and cost of developing Coruna, estimating it to be in the millions of dollars. He believes that Coruna's code, written by English-speaking coders, bears the hallmarks of US government-attributed modules. Cole warns that this is the first instance of likely US government tools spinning out of control and being used by adversaries and cybercriminal groups.
The EternalBlue Parallel
Google warns that the proliferation of Coruna through various hands, from Russian spies to cybercriminals, highlights an active market for 'second-hand' zero-day exploits. This situation is reminiscent of the EternalBlue moment, where a Windows-hacking tool stolen from the NSA led to catastrophic cyberattacks, including the WannaCry worm and the NotPetya attack.
Cole refers to Coruna as the EternalBlue moment for mobile malware, emphasizing the potential impact and reach of such tools when they fall into the wrong hands. The question of how Coruna, if indeed a US government tool, ended up in the hands of adversaries and criminals remains a mystery, but Cole points to the industry of brokers who trade in zero-day exploits for espionage, cybercrime, and cyberwar.
The Impact and Limitations
While Apple has patched the vulnerabilities exploited by Coruna in the latest iOS versions, the toolkit's techniques are confirmed to work against older versions, from iOS 13 to 17.2.1. iVerify estimates that Coruna has already infected tens of thousands of phones, with roughly 42,000 devices hacked in the for-profit campaign alone. The true extent of Coruna's impact, including on Ukrainian targets, remains unclear.
In its analysis of the cybercriminal version of Coruna, iVerify found that the code had been altered to steal cryptocurrency, photos, and emails. These additions, however, were poorly written compared to the polished and modular Coruna toolkit itself, suggesting that the cybercriminals who obtained the code made the modifications rather than the original developers.
A Single Author, A Single Story
iVerify's Cole notes that while there is an alternative explanation for the similarities between Coruna and Operation Triangulation, the likelihood is that Coruna was created by a single author. Many components of Coruna are unique, and the toolkit appears to be a cohesive whole, not pieced together from different sources.
The case of Peter Williams, an executive of the US government contractor Trenchant, sentenced to prison for selling hacking tools to a Russian zero-day broker, highlights the potential risks and the lack of control over the sale and distribution of such tools. Cole warns that brokers often sell to the highest bidder without exclusivity arrangements, which is likely what happened with Coruna.
A Call for Discussion
The story of Coruna raises important questions about the development, control, and security of government-developed hacking tools. As Cole concludes, 'The genie is out of the bottle.' What are your thoughts on this matter? Do you think there should be stricter regulations and oversight for such powerful tools? Or is this an inevitable consequence of the digital age? We'd love to hear your opinions in the comments.