A group of hackers suspected of working at least in part for the Russian government targeted iPhone users in Ukraine with a new set of hacking tools designed to steal their personal data, as well as potentially steal cryptocurrency, according to cybersecurity researchers.
Researchers at Google and security firms iVerify and Lookout analyzed new cyberattacks against Ukrainians which were launched by a group identified only as UNC6353. The researchers looked at compromised websites in a hacking campaign that, they say, is related to one uncovered earlier this month. This most recent campaign used a hacking toolkit the companies called Darksword.
The discovery of Darksword, which follows that of a similar hacking toolkit, suggests that advanced, stealthy, and powerful spyware for iPhones may not be as rare as previously thought. Even then, Darksword only targeted users in Ukraine, implying some restraint in what could have otherwise been a widescale hacking campaign targeting users worldwide.
In early March, Google revealed details of a sophisticated iPhone-hacking toolkit called Coruna. The search giant said that the tool was used first by a government customer of a surveillance tech vendor, then by Russian spies targeting Ukrainians, and finally by Chinese cybercriminals looking to steal cryptocurrency. As TechCrunch later revealed, the hacking toolkit was originally developed at U.S. defense contractor L3Harris, in particular by its hacking and surveillance tech department Trenchant.
Coruna was originally designed for use by Western governments, in particular those that are part of the so-called Five Eyes intelligence alliance, made up of Australia, Canada, New Zealand, the United States, and the United Kingdom, according to former L3Harris employees with knowledge of the company’s iPhone hacking tools.
Now, researchers said they uncovered a related campaign using more recent hacking tools exploiting different vulnerabilities.
The Darksword toolkit, according to the researchers, was built to steal personal information such as passwords; photos; WhatsApp, Telegram and text messages; and browser history. Interestingly, Darksword was not designed for persistent surveillance, but rather to infect victims, steal information, and quickly disappear.
Contact Us: Do you have more information about Darksword, Coruna, or other government hacking and spyware tools? From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram, Keybase and Wire @lorenzofb, or by email.
Darksword’s “dwell time on the device is likely in the range of minutes, depending on the amount of data it discovers and exfiltrates,” Lookout researchers wrote.
For Rocky Cole, the co-founder of iVerify, the most likely explanation is that the hackers were interested in learning about the victims’ pattern of life, which did not require constant surveillance, only a smash-and-grab operation.