Kaspersky Under Attack: Behind the Scenes of Operation Triangulation


Delve into Operation Triangulation: a sophisticated, unparalleled cyberattack on Kaspersky, a leading cybersecurity lab.

Kaspersky Cybersecurity, a world-renowned cybersecurity research and software development company, recently found itself at the center of an incredibly complex and sophisticated cyberattack. Known for its exceptional research and widely used cybersecurity tools, Kaspersky’s Russian origins have also stirred controversy amidst accusations of being an agent for the Russian government – a claim that many, including cybersecurity experts, dispute.

For our part, we believe that the information produced by Kaspersky, especially the research it generates (which also tends to be peer reviewed), is very high quality. While we do not use, nor do we recommend, any of Kaspersky’s actual products, we know of no American businesses that have had any security issues due to their use of Kaspersky systems, nor of any publicly available evidence that those systems have been used as a tool of intelligence gathering by the Russian government.

The Incident: Operation Triangulation Unfolds

Dubbed “Operation Triangulation,” this cyberattack on Kaspersky was anything but ordinary. It represented a new level of sophistication in cyberattacks, targeting specific researchers within the company. The depth and complexity of this operation suggested the involvement of a highly skilled entity, potentially a nation-state, given the advanced techniques and significant resources deployed.

Technical Breakdown: The Complex Attack Chain

  1. Zero-Click iMessage Exploit

The initial attack vector was a zero-click iMessage exploit, a sophisticated technique that does not require any user interaction in order to trigger its malicious effects. In this case, the exploit relied on the iMessage system itself, allowing the malware to avoid the scrutiny that a more security-aware user would normally apply to links or attachments.

  2. The Malicious Payload

The iMessage exploit triggered the download of a malicious PDF file that leveraged a vulnerability in Apple’s TrueType font system. Without any user interaction, the payload in this malicious file was triggered by the font system. This vulnerability, CVE-2023-41990, the first of the four zero-day vulnerabilities used in this attack, has apparently existed since the mid-1990s, but has now been patched.

The exploit targeted a specific Apple-only font instruction within a PDF file, which allowed remote code execution. This step demonstrated a nuanced understanding of Apple’s systems and their vulnerabilities.

  3. Use of Extensive JavaScript

The attack utilized around 11,000 lines of JavaScript, a clear indication of the attack’s complexity. This code was obfuscated to hide its size and to make it completely unreadable, and it was designed not only to facilitate further exploits but also to conceal the attackers’ activities. The code was written so that it could be employed against old and new iPhones alike, including those protected by Pointer Authentication Codes (PAC).

  4. Kernel-Level Exploits

Relying on the second and third zero-day exploits used in the attack, CVE-2023-32434 and CVE-2023-38606, the attackers gained high-level control over the devices, with effectively unlimited read and write authority over the device. Interestingly, the attackers did not immediately avail themselves of this authority. Instead, they launched two separate processes: 1) an agent that opened Safari (to validate its presence on the device) and connected it to a web page containing a script that both verified the identity of the device and downloaded instructions for the next exploit; and 2) an agent that cleaned up any evidence of the prior steps.

Gaining access at the kernel level is akin to having the ‘master key’ to the system. This allowed the attackers to manipulate the system at the most fundamental level, providing them with almost unrestricted access and control.

  5. Safari Exploit and System-Level Control

The script downloaded from the web page opened by the agent in the prior step triggered the fourth zero-day vulnerability used in this attack, CVE-2023-32435. The vulnerability allowed the attackers to execute shellcode, enabling them to run system-level commands. Relying on the same zero-day exploits used to first gain kernel-level access, CVE-2023-32434 and CVE-2023-38606, the attackers regained kernel-level access, this time with no detectable connection to the initial point of entry. The code used at this stage of the attack was also massive, but bore little resemblance to the 11,000-line JavaScript code used earlier in the attack.

  6. Final Validation of Victim

Once full kernel-level control was re-established, the attackers once again verified the identity of the device under their control. If this validation failed, the attack was abandoned. This target verification served two purposes: 1) to ensure that the attack reached its very specific intended targets, and 2) to reduce the chance that the attack would be discovered, by tightly limiting its deployment. Only after validation had been completed and affirmatively confirmed was the next stage triggered.

  7. Final Malware Deployment

The final phase involved deploying malware and spyware of various types, many of which have not yet been confirmed or fully disclosed. The specificity and sophistication of the malware we have been able to identify were indicative of the calculated nature of the operation.


The Implications of the Attack

Resource and Skill Intensity

The complexity of the attack, evident in the number and nature of the exploits used and the extensive coding involved, pointed to an operation supported by significant resources, likely beyond the capabilities of ordinary cybercriminal groups. Writing and debugging that much code is not generally within the means of most cybercriminals, nor is it usually necessary for the vast majority of cyberattacks now in use.

Strategic Precision

This operation was characterized by its precision, targeting specific, high-value individuals within Kaspersky. Evidence of this precision can be found in the willingness of the attackers to abandon the system-level control they initially obtained in order to cover their tracks, and in the multiple validation steps the attack relied on, the failure of any one of which immediately halted the process. This strategic focus contrasts with more common broad-spectrum cyberattacks, emphasizing clear objectives and careful target selection. It is generally not in the interest of most cyberattackers to severely limit the number of potential targets for their attacks.

Likely Nation-State Involvement

Given the operation’s sophistication and resource demands, the involvement of a nation-state is a strong possibility. While we believe that many nations had the general capabilities to carry out this attack, the nature of the attack, contrasted with the typical cyberattacks specific nations tend to carry out, leads us to narrow the suspects to a Five Eyes nation, Russia, or China. However, attributing such attacks to specific actors remains challenging.

Kaspersky’s Robust Response

Despite the sophistication of the attack, Kaspersky’s ability to dissect and analyze the breach underscores its high level of expertise in cybersecurity.

Broader Implications for the Cybersecurity Landscape

This attack on Kaspersky is a stark reminder of the evolving landscape of cyber threats. It demonstrates the lengths attackers are willing to go to, especially when targeting high-profile cybersecurity entities. The sophistication and resources involved point towards a new era of cyber warfare, where traditional defense mechanisms may be inadequate.

And yet, the response by Kaspersky (and other) researchers leaves room for some hope. This attack was meticulously designed to conceal or erase all evidence of how it gained system access. The Kaspersky researchers were nonetheless able to overcome some remarkable obstacles to rebuild the entire attack chain and identify the exploits used to gain access to their systems. Hopefully, white hat hackers can again defend us against the next Operation Triangulation.

We’re here to help make the complex language of cybersecurity understandable. So if there are topics or issues that you’d like Ryan and me to break down in an episode, send us an email at info@fearlessparanoia.com or reach out to us on Facebook or LinkedIn. For more information about today’s episode, be sure to check out Fearless Paranoia.com, where you’ll find a full transcript as well as links to helpful resources and any research and reports discussed during this episode. While you’re there, check out our other posts and podcasts as well as additional helpful resources for learning about cybersecurity.


©2024 Fearless Paranoia