US Military Contractor Likely Built iPhone Hacking Tools Used By Russian Spies in Ukraine
Researchers have been tracking a sophisticated iPhone exploit toolkit called Coruna, which contains more than 20 exploits capable of compromising iPhones running versions of iOS from 13 through 17.2. The toolkit has been observed in multiple campaigns, including operations tied to Russian espionage activity and financially motivated cybercrime groups.
The Google Threat Intelligence report on this is pretty thorough; also check out this video of security researcher Billy Ellis, who infected one of his own phones to see what would happen.
What’s becoming clearer is where those exploits may have come from. Evidence suggests the toolkit may have originated inside a U.S. military contractor that builds hacking tools for Western intelligence agencies. From there, a leak involving a former employee appears to have helped push those capabilities into the wider hacking ecosystem — eventually putting them in the hands of foreign intelligence services and cybercriminal groups.
Trenchant, L3Harris and an Exploit Bonanza
We’re talking about something like 23 different exploits targeting iPhones running versions of iOS all the way up through 17.2. That’s already a big deal.
But what makes this story really interesting is where the toolkit appears to have come from.
According to reporting and analysis from researchers and former employees, parts of Coruna may have originally been developed by Trenchant, a hacking and surveillance technology division of the U.S. defense contractor L3Harris.
Trenchant builds exploitation tools for government customers, typically the United States and allied intelligence agencies.
In other words, these capabilities were never supposed to end up circulating in the wild.
Big Picture Getting Clearer
Here’s where the story starts weaving together with another one we talked about months ago:
A former executive at that same division, Peter Williams, was accused of stealing several hacking tools and selling them to a Russian exploit broker called Operation Zero. Prosecutors say he sold eight tools for about $1.3 million, and he was later sentenced to prison.
So you’ve got stolen hacking tools leaving a defense contractor.
At the same time, researchers start discovering a sophisticated iPhone exploit kit showing up in multiple campaigns.
And now new reporting suggests those two stories may be connected.
Researchers believe the Coruna toolkit may have been used by a Russian espionage group targeting Ukrainian victims through compromised websites. In those attacks, visiting a malicious page could trigger an exploit chain designed specifically for the victim’s iPhone.
That kind of targeting is typical of nation-state operations, but here’s where things get even weirder: The same exploit toolkit didn’t stay confined to espionage operations.
Researchers also found components of Coruna being used by financially motivated cybercriminal groups, including campaigns involving fake cryptocurrency exchanges aimed at stealing funds from victims. That’s unusual.
Normally, government-grade exploits stay inside intelligence circles. They’re expensive to develop and extremely valuable, so they tend to be tightly controlled. But once those tools leak, they can start spreading through brokers and underground markets.
That’s exactly what appears to have happened here.
One theory is that once the exploits were stolen and sold, they passed through multiple intermediaries — possibly brokers or government customers — before eventually reaching criminal groups.
At that point, the same capabilities that might have been used for espionage operations start showing up in fraud campaigns.
Google researchers also linked two vulnerabilities associated with the Coruna toolkit to Operation Triangulation, a sophisticated iPhone hacking campaign that previously targeted Russian users.
So now you’ve got a single set of exploit capabilities touching multiple parts of the cyber ecosystem:
- Government surveillance tools
- Nation-state espionage operations
- Financially motivated cybercrime
We’ve been covering all of these pieces separately: the stolen tools from a defense contractor, the discovery of a sophisticated iPhone exploit kit, and different campaigns using advanced mobile exploits. Now the research and reporting are tying those threads together into one larger picture.
It’s a pretty stark reminder of how quickly powerful cyber capabilities can spread once they escape controlled environments.
Something built for intelligence agencies can eventually end up circulating all over the world, sometimes in the hands of actors the original developers never intended to empower.
Once that happens, there’s no putting the genie back in the bottle.