Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Mobile

2/4/2015
08:40 AM
Connect Directly
Google+
Twitter
RSS
E-Mail
100%
0%

Apple iOS Now Targeted In Massive Cyber Espionage Campaign

Attack campaign tied to Russia now zeroing in on mobile user's iPhones, iPads.

An extensive and sophisticated cyber espionage operation targeting mainly Western military, government, defense industry firms, and the media, now has a new weapon: a spyware app for Apple iPhones and iPads.

Operation Pawn Storm, which has been tied to Russia by at least one security research firm, is using a specially crafted iOS app to surreptitiously steal from the mobile device text messages, contact lists, pictures, geo-location information, WiFi status of the device, lists of installed apps and processes -- and to record voice conversations, according to new Trend Micro research.

"The Cold War has returned in cyberspace, and Apple has become the gateway to western elites," says Tom Kellermann, chief cyber security officer with Trend Micro. "Pawn Storm has evolved to now incorporate proximity attacks against Western victims."

Trend Micro researchers, who found the iOS malware while studying and tracking Operation Pawn, say they believe the Apple spyware gets installed on systems already compromised by the attackers. It's similar to the "next-stage" SEDINT malware they found targeting Microsoft Windows systems.

"We found two malicious iOS applications in Operation Pawn Storm. One is called XAgent (detected as IOS_XAGENT.A) and the other one uses the name of a legitimate iOS game, MadCap (detected as IOS_ XAGENT.B). After analysis, we concluded that both are applications related to SEDNIT," wrote Trend mobile threat analysts Lambert Sun and Brooks Hong and senior threat researcher Feike Hacquebord, in a blog post today.

"The obvious goal of the SEDNIT-related spyware is to steal personal data, record audio, make screenshots, and send them to a remote command-and-control (C&C) server. As of this publishing, the C&C server contacted by the iOS malware is live," they said.

When XAgent runs on iOS 7, its icon doesn't show up on the mobile device. It's hard to kill, too: When the researchers attempted to terminate the app's process, it restarted right away. When running on iOS 8, however, the icon is not hidden and doesn't automatically restart after it's killed. The researchers say this shows the malware was created before iOS 8's release in September of last year.

"We can see that the code structure of the malware is very organized. The malware looks carefully maintained and consistently updated," the researchers said.

Operation Pawn Storm cyberattacks have intensified in the wake of US-Russian tensions, and the organizations and regions targeted appear to point to Russia or Russian interests. The attackers are going after the US, NATO allies, and Russian dissidents. Among the targets of some phishing attacks used in the campaign are ACADEMI (the US defense contractor formerly known as Blackwater), SAIC, and the Organization for Security and Cooperation in Europe.

Trend Micro so far has stopped short of attributing the attacks to Russia. Researchers at FireEye, however, recently called out the Russian government as being behind the Operation Pawn Storm campaign--specifically the so-called APT28 hacking group. "This Russian government-backed type of espionage has been very mysterious and hard to nail down over all these years on the Internet," Dan McWhorter, lead researcher for the report and vice president of threat intelligence for FireEye, told Dark Reading in October.  "In my opinion after looking at our research, it confirms that yes, in fact, the Russian government is doing this, and it gives us a body of evidence to put against that assertion that wasn’t there previously."

Just how victims' Apple iOS devices get infected with the spyware is unknown thus far. In one case, the researchers found a "Tap Here to Install the Application" prompt to lure users into installing the app. Another possible vector, they say, is via a compromised Windows laptop when the iPhone is connected to it with a USB cable. The attackers employ Apple's "ad-hoc provisioning" method of distributing the app. 

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
AndrewH835
50%
50%
AndrewH835,
User Rank: Apprentice
4/3/2015 | 12:40:00 AM
Nice article
Just wanted to compliment the author on a good article. Kudos.
AppariganiS084
50%
50%
AppariganiS084,
User Rank: Apprentice
2/22/2015 | 10:03:33 AM
Re: "Gateway to Western Elites"?
I would tend to agree if the sought after data resides on those machines. The difficulty I'm having is with human behavior.
GonzSTL
50%
50%
GonzSTL,
User Rank: Ninja
2/9/2015 | 10:24:25 AM
Re: "Gateway to Western Elites"?
"especially since DoD computers and similar are going to have so many lockdowns on them that this malware most likely would never get there in the first place" Ordinarily, I would tend to agree if the sought after data resides on those machines. The difficulty I'm having is with human behavior. It is a given that some government officials use public web services such as gmail, etc. in the performance of their official duties. How far of a stretch would it be to think that government officials use connected personal devices to access those public services, or for accessing anything else in their official capacity?
ttueric
33%
67%
ttueric,
User Rank: Apprentice
2/8/2015 | 10:23:57 PM
Re: "Gateway to Western Elites"?
So on an Apple device, but only gets on through a Windows computer (probably jailbroken phones as well).  Not surprising.  Something they leave out though - how many devices might have this?  Guess it is probably a very small number, especially since DoD computers and similar are going to have so many lockdowns on them that this malware most likely would never get there in the first place.  So, this really isn't an Apple problem, or iOS problem at all.
jastroff
33%
67%
jastroff,
User Rank: Strategist
2/5/2015 | 4:25:21 PM
"Gateway to Western Elites"?
For all my sanctimonious Apple user friends who wouldn't get security when I asked them to because they felt Apple isn't Microsoft, and Apple won't get attacked cause they are the "good" guys.

This one's for you folks
Zero-Factor Authentication: Owning Our Data
Nick Selby, Chief Security Officer at Paxos Trust Company,  2/19/2020
44% of Security Threats Start in the Cloud
Kelly Sheridan, Staff Editor, Dark Reading,  2/19/2020
Firms Improve Threat Detection but Face Increasingly Disruptive Attacks
Robert Lemos, Contributing Writer,  2/20/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-8813
PUBLISHED: 2020-02-22
graph_realtime.php in Cacti 1.2.8 allows remote attackers to execute arbitrary OS commands via shell metacharacters in a cookie, if a guest user has the graph real-time privilege.
CVE-2020-9039
PUBLISHED: 2020-02-22
Couchbase Server 4.x and 5.x before 6.0.0 has Insecure Permissions for the projector and indexer REST endpoints (they allow unauthenticated access).
CVE-2020-8860
PUBLISHED: 2020-02-22
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Samsung Galaxy S10 Firmware G973FXXS3ASJA, O(8.x), P(9.0), Q(10.0) devices with Exynos chipsets. User interaction is required to exploit this vulnerability in that the target must answer a phone call. T...
CVE-2020-8861
PUBLISHED: 2020-02-22
This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of D-Link DAP-1330 1.10B01 BETA Wi-Fi range extenders. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of HNAP login requests. The issue ...
CVE-2020-8862
PUBLISHED: 2020-02-22
This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of D-Link DAP-2610 Firmware v2.01RC067 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of passwords. The issue results from the ...