A group of hackers suspected of working at least in part for the Russian government has targeted iPhone users in Ukraine with a new set of hacking tools designed to steal their personal data, as well as potentially steal cryptocurrencies, according to cybersecurity researchers.
Researchers at Google and the security companies iVerify and Lookout analyzed new cyberattacks against Ukrainians launched by a group identified only as UNC6353. Investigators examined compromised websites used in a hacking campaign they say is related to one uncovered earlier this month. This most recent campaign used a hacking toolkit the companies call Darksword.
Darksword’s discovery, which follows that of a similar hacking toolkit, suggests that advanced, stealthy and powerful iPhone spyware may not be as rare as previously thought. Even so, Darksword only targeted users in Ukraine, implying some limitation on what could otherwise have been a wide-scale hacking campaign against users around the world.
In early March, Google revealed details of a sophisticated iPhone hacking toolkit called Coruna. The search giant said the tool was first used by a government client of a surveillance technology vendor, then by Russian spies targeting Ukrainians and finally by Chinese cybercriminals looking to steal cryptocurrency. As TechCrunch later revealed, the hacking toolkit was originally developed at US defense contractor L3Harris, specifically by its Trenchant hacking and surveillance technology division.
Coruna was originally designed for use by Western governments, particularly those parts of the so-called Five Eyes intelligence alliance, which consists of Australia, Canada, New Zealand, the United States and the United Kingdom, according to former L3Harris employees with knowledge of the company’s iPhone hacking tools.
Now, researchers said they have uncovered a related campaign using newer hacking tools that exploit different vulnerabilities.
The Darksword toolkit, according to researchers, was built to steal personal information such as passwords; photos; WhatsApp, Telegram and text messages; and browser history. Interestingly, Darksword was not designed for persistent tracking, but to infect victims, steal information and disappear quickly.
“Darksword’s residence time on the device is likely to range from minutes, depending on the amount of data it discovers and penetrates,” Lookout researchers wrote.
For Rocky Cole, the co-founder of iVerify, the most likely explanation is that the hackers were interested in learning about the victims’ lifestyles, which did not require them to do constant surveillance, but rather a “smash-and-grab” operation.
Darksword was also designed to steal cryptocurrencies from popular wallet apps, which is unusual for a suspected government hacking group.
“This may indicate that this threat actor is financially motivated, or alternatively may indicate that this (potential) Russian state activity has expanded into financial theft targeting mobile devices,” Lookout wrote in its report.
However, Cole told TechCrunch, there is no evidence that the Russian hacking group is actually interested in stealing crypto, only that the malware could have been used to do so.
The malware was built to be modular and easy to extend with new features, which Lookout says shows it was professionally developed. Cole said he thinks it’s possible the same person who sold Coruna to the Russian government hacking group also sold Darksword.
As for who was behind Darksword, for Cole “all signs point to the Russian government,” while Lookout said it’s the same group that used Coruna against Ukrainians, also a suspected Russian government group.
“UNC6353 is a well-funded and connected threat actor that conducts attacks for financial gain and espionage aligned with Russian intelligence requirements,” Justin Albrecht, principal security researcher at Lookout, told TechCrunch. “We believe it can be argued that UNC6353 is potentially a Russian criminal proxy given the dual objectives of financial theft and intelligence gathering.”
As for the victims, Cole said the malware was designed to infect anyone visiting specific Ukrainian websites, as long as they were visiting from Ukraine, so it wasn’t a particularly targeted campaign.
