iPhone users should update software amid hacking campaigns


Apple is encouraging people to update their iPhones in light of new cybersecurity research that suggests that Russian intelligence, Chinese cybercriminals and other hackers have been using tools nicknamed DarkSword and Coruna to take over phones running older versions of the iOS operating system.

The tools, called exploit kits, have been detailed this month by Google and cybersecurity companies iVerify and Lookout. Both can give hackers deep remote access to victims’ phones and let them search through their contents.

On Wednesday, iVerify wrote in a news release: “DarkSword appears to be a surveillance and intelligence gathering tool, blanket pulling data including Wi-Fi passwords, text messages, call history, root location history, browser history, SIM card and cellular data as well as health, notes and calendar databases.”

An Apple spokesperson, Sarah O’Rourke, said that the two tools can only work against devices running older versions of Apple’s operating system, reinforcing the need for people to regularly apply updates.

“Keeping software up to date remains the single most important thing users can do to maintain the high security of their Apple devices,” she said.

The news has prompted worry from industry experts that while Apple enjoys a reputation for producing devices that are safer from hackers than other brands, versions running on older software can still be vulnerable to takeover.

Research from three companies on the campaigns shows several groups of people targeted with the iPhone hacking tools: Ukrainians targeted by Russian intelligence; Chinese cryptocurrency users; and people in Saudi Arabia, Turkey and Malaysia.

While none of the companies reported evidence of Americans being targeted, the tools could also easily be used to hack anyone whose iOS is out of date, said John Scott-Railton, a senior researcher at Citizen Lab, a University of Toronto-sponsored cybersecurity lab.

“The barrier to entry for widespread, devastating mobile attacks has been decisively lowered,” Scott-Railton told NBC News. “It’s clear this problem is only going to grow.”

“The scary takeaway for regular users is they can’t spot this attack,” he said.

Apple’s latest operating system, iOS 26, was released in September and protects users against both hacking campaigns, according to the company. Last week, Apple made the unusual move of releasing a special update for iPhone users with older devices that cannot handle fully upgrading to iOS 26, specifically to block hackers from using the hacking tools.

The research on the campaigns shows they both infect phones through a so-called watering hole attack, where a website is designed or hacked to include code that exploits how phones process web traffic and can automatically infect vulnerable phones that visit it.

Hacking an iPhone is still a significant technical challenge, and the two campaigns rely on a complicated chain of hacks that work in tandem to take over a phone.

Coruna has a remarkable origin. Peter Williams, a former cyber executive of the military defense contractor L3Harris, pleaded guilty last year to selling his company’s hacking tools, which included Coruna, to a Russian broker.

Google found that the tool was deployed last summer by hackers associated with Russian intelligence groups, who targeted Ukrainians, according to iVerify.

It’s unclear how, but by December, Chinese cybercriminals had obtained the tool and begun to create “a very large set of fake Chinese websites mostly related to finance,” Google said, with the intent of stealing cryptocurrency.

Bitcoin and other cryptocurrencies are a particularly enticing target for cybercriminals, as they can be quickly sent to a criminal’s possession, often without a victim having any means to get them back.

The origin of the second tool, nicknamed DarkSword, is unknown, but it was also used by the same Russian intelligence unit, Google said. Its use has spread and appears to have proliferated into several related versions affecting people in Ukraine, Malaysia, Saudi Arabia and Turkey.

Multiple companies that sell hacking tools to governments have adopted the tool, Google said. Since November, the company “has observed multiple commercial surveillance vendors and suspected state-sponsored actors utilizing DarkSword in distinct campaigns,” Google said.

Rocky Cole, iVerify’s chief operating officer, said the campaigns should puncture the idea that owning an iPhone alone is enough to protect from hackers.

“There’s been this perception in the security community that attacks against iPhones are like mythical beasts, they’re rare,” he said.

“Nah, we just don’t really have the tools to see these. I have a feeling that it’s more pervasive than people think.”
