A shocking revelation has emerged in the world of cybersecurity, highlighting the potential risks and consequences of powerful hacking tools falling into the wrong hands. The story of 'Coruna' is a cautionary tale, one that should serve as a wake-up call for governments and security experts alike.
Coruna, a highly advanced iPhone hacking toolkit, has taken a disturbing journey from its initial use by Russian spies targeting Ukrainians to a cybercriminal operation aimed at stealing cryptocurrency from Chinese-speaking victims. But here's where it gets controversial: there are strong indications that this toolkit may have originated from a US contractor, sold to the American government, and then somehow ended up in the hands of foreign spies and criminals.
Security researchers at Google have released a detailed report on Coruna, describing it as a sophisticated collection of five hacking techniques capable of silently installing malware on iPhones. With 23 distinct vulnerabilities exploited, it's clear that this toolkit was developed by a well-resourced group, likely with state backing.
Google's report traces Coruna's components back to a 'customer of a surveillance company' in early 2023. Five months later, it was spotted in a suspected Russian spy operation targeting Ukrainians. And then, in a twist, it was used in a profit-driven campaign to infect Chinese-language crypto and gambling sites. The question remains: who was behind these campaigns, and how did they acquire such a powerful tool?
The mobile security company iVerify, which analyzed a version of Coruna, suggests that it may have been created for or purchased by the US government. Both Google and iVerify point to similarities between Coruna and a previous hacking operation known as 'Triangulation', which Russia claimed was the work of the NSA. This raises questions about the security and control of these tools, especially when they can be used by adversaries and cybercriminal groups.
Rocky Cole, cofounder of iVerify, describes Coruna's code as bearing the hallmarks of US government-attributed modules. He warns that this is the 'EternalBlue moment' for mobile malware, referring to the NSA tool that was leaked and led to devastating cyberattacks. Cole's statement is a stark reminder of the potential consequences when such powerful tools are compromised.
Google warns that the proliferation of Coruna through various hands suggests an active market for 'second-hand' zero-day exploits. This means that any hacker group could potentially acquire or adapt these techniques to target iPhone users. The report highlights the need for better control and security measures to prevent such tools from falling into the wrong hands.
Although Apple has patched the vulnerabilities in the latest iOS versions, Coruna's techniques remain effective against older versions. iVerify estimates that tens of thousands of phones may have been infected, with roughly 42,000 devices already compromised in the for-profit campaign alone. The true extent of Coruna's impact, including on Ukrainian targets, remains unknown.
iVerify's analysis of the cybercriminal version of Coruna revealed that the code had been altered to steal cryptocurrency and personal data. However, the underlying toolkit was impressively polished and modular, suggesting a high level of professionalism in its development. This contrast highlights the complexity and sophistication of the toolkit, and the potential dangers it poses.
While there are alternative explanations for the similarities between Coruna and Operation Triangulation, iVerify's Cole argues that the toolkit appears to have been created by a single, highly skilled author. He points to the industry of brokers who trade in zero-day exploits, suggesting that this is likely how Coruna ended up with non-Western exploit brokers and was then sold to the highest bidder.
The story of Coruna raises important questions about the security and control of powerful hacking tools. As Cole puts it, 'The genie is out of the bottle.' This incident serves as a stark reminder of the potential consequences and the need for better oversight and security measures to prevent such tools from being misused.