Russian Spies Used an iPhone Exploit Toolkit

Russian spies and Chinese cybercriminals have gained access to a potent iPhone exploit kit called "Coruna," which was first developed for Western intelligence by American contractor L3Harris. The 23 distinct hacking components in the Coruna toolkit are intended to compromise Apple iPhones. Trenchant, the hacking division of U.S. military contractor L3Harris, first created the toolkit for use by the US and its Five Eyes intelligence partners.

However, eight of the company's tools were stolen by former Trenchant general manager Peter Williams, who acted as an insider threat and caused the toolkit to leak. Williams sold these exploits to Operation Zero, a Russian exploit broker under sanctions, for $1.3 million between 2022 and 2025.

Operation Zero allegedly resold the spyware to unauthorized users after obtaining the stolen tools. This made it possible for a Russian espionage group, tracked by Google as UNC6353, to use Coruna in targeted watering-hole attacks against iPhone users in Ukraine. The toolkit later changed hands once more, ending up with Chinese cybercriminal gangs who started widespread operations to steal cryptocurrency and money from unsuspecting victims.

Operation Triangulation and Exploits

Coruna targets iPhone models running iOS 13 through 17.2, according to Google and security company iVerify. The toolkit is remarkably similar to Operation Triangulation, a sophisticated iPhone hacking scheme that Kaspersky revealed in 2023. In particular, Photon and Gallium, two significant internal exploits that were used as zero-day vulnerabilities in the Triangulation attacks, were reused by Coruna.

These particular Coruna exploit names were linked by security researchers to known iOS vulnerabilities. "Photon" is a privilege-escalation vulnerability that affects iOS versions 14.5 to 15.7.6 and is associated with CVE-2023-32434. It involves an integer overflow in memory mapping.

"Gallium" is a hardware-focused vulnerability that can be used to get around Apple's Page Protection Layer (PPL) and is associated with CVE-2023-38606. It affects roughly iOS versions 14.x through 16.6. The bird-themed internal names of Coruna's modules, like Cassowary and Sparrow, correspond with the naming patterns of L3Harris's hacking units, as independent security researcher Costin Raiu pointed out and TechCrunch emphasized. Additionally, Kaspersky's unique logo for Operation Triangulation subtly alludes to the contractor's involvement by resembling the geometric L3Harris logo.

The leak emphasizes the serious risks when nation-state cyberweapons end up in the criminal underground, even though the precise route the exploits took is still unknown.