A group of hackers suspected of working at least in part for the Russian government targeted iPhone users in Ukraine with a new set of hacking tools designed to steal their personal data, as well as potentially steal cryptocurrency, according to cybersecurity researchers.
Researchers at Google and the security firms iVerify and Lookout analyzed new cyberattacks against Ukrainians, launched by a group identified only as UNC6353. The researchers examined compromised websites used in a hacking campaign that, they say, is related to one uncovered earlier this month. This most recent campaign used a hacking toolkit the companies call Darksword.
The discovery of Darksword, which follows that of a similar hacking toolkit, suggests that advanced, stealthy, and powerful spyware for iPhones may not be as rare as previously thought. Even so, Darksword only targeted users in Ukraine, implying some restraint in what could otherwise have been a wide-scale hacking campaign against users worldwide.
In early March, Google revealed details of a sophisticated iPhone-hacking toolkit called Coruna. The search giant said that the tool was used first by a government customer of a surveillance tech vendor, then by Russian spies targeting Ukrainians, and finally by Chinese cybercriminals looking to steal cryptocurrency. As TechCrunch later revealed, the hacking toolkit was originally developed at the U.S. defense contractor L3Harris, specifically by its hacking and surveillance tech division, Trenchant.
Coruna was originally designed for use by Western governments, in particular the members of the so-called Five Eyes intelligence alliance, made up of Australia, Canada, New Zealand, the United States, and the United Kingdom, according to former L3Harris employees with knowledge of the company’s iPhone hacking tools.
Now, researchers said they uncovered a related campaign using more recent hacking tools exploiting different vulnerabilities.
The Darksword toolkit, according to the researchers, was built to steal personal information such as passwords; photos; WhatsApp, Telegram and text messages; and browser history. Interestingly, Darksword was not designed for persistent surveillance, but rather to infect victims, steal information, and quickly disappear.
Darksword’s “dwell time on the device is likely in the range of minutes, depending on the amount of data it discovers and exfiltrates,” Lookout researchers wrote.
For Rocky Cole, the co-founder of iVerify, the most likely explanation is that the hackers were interested in learning about the victims’ pattern of life, which didn’t require constant surveillance but rather a smash-and-grab operation.
Darksword was also designed to steal cryptocurrency from popular wallet apps, something that is unusual for a suspected government hacking group.
“This may indicate that this threat actor is financially motivated, or alternatively it may indicate that this (likely) Russian state-aligned activity has expanded into financial theft targeting mobile devices,” Lookout wrote in its report.
But, Cole told TechCrunch, there is no evidence that the Russian hacking group actually cared about stealing crypto, only that the malware could have been used for that.
The malware was built to be modular and to make it easy to add new functionality, which shows it was professionally developed, according to Lookout. Cole said he believes it’s possible that the same person who sold Coruna to the Russian government hacking group also sold Darksword.
In terms of who was behind Darksword, for Cole “all signs point to the Russian government,” while Lookout said it’s the same group that used Coruna against Ukrainians, also a suspected Russian government group.
“UNC6353 is a well-funded and connected threat actor conducting attacks for financial gain and espionage in alignment with Russian intelligence requirements,” Justin Albrecht, principal security researcher at Lookout, told TechCrunch. “We believe that a case can be made that UNC6353 is potentially a Russian criminal proxy, given the dual goals of financial theft and intelligence collection.”
As for victims, Cole said that the malware was designed to infect anyone visiting certain Ukrainian websites, as long as they were visiting them from within Ukraine, so it wasn’t a particularly targeted campaign.
