Security Bits — 3 January 2024 (Bart & Jill from the North Woods)

Deep Dive — Operation Triangulation

TL;DR — Kaspersky labs have discovered that they, and Russian government officials, were targeted by very advanced iOS malware that completely took over iOS devices for the last 4 years. Apple have patched all the exploited vulnerabilities, regular users were not targeted, and Kaspersky say there is not enough evidence to link the exploit to any particular group or government.

The Ars Technica write-up by Dan Goodin linked below gives the most detailed summary I have read, so I won’t try to duplicate it. Instead, I want to highlight the key facts we know:

  1. The attacks were in use and went undetected for 4 years.

  2. The attacks were very tightly targeted to keep them secret for as long as possible; this is why regular users don’t need to worry.

  3. The attacks were delivered via iMessage, and the malware was able to infect the device without any user interaction, i.e. they were zero-click.

  4. The attacks did not survive a reboot, but victims were regularly re-infected with fresh malicious iMessages.

  5. Because of how many layers of security Apple have added to iOS, the attackers needed four zero-day vulnerabilities to work around Address Space Layout Randomisation and hardware kernel protections — a bug in TrueType, a kernel bug, a previously unknown, undocumented hardware feature/bug, and a Safari bug.

  6. The hardware feature/bug is the most mysterious; here is what Kaspersky concluded:

    “Our guess is that this unknown hardware feature was most likely intended to be used for debugging or testing purposes by Apple engineers or the factory, or that it was included by mistake”

  7. Apple have patched all four vulnerabilities, including the hardware bug.

  8. Security researchers are describing this as the most advanced attack they have ever seen, so this is clearly a big operation backed by very substantial resources, probably a nation-state or a group of nation-states, but no one knows which. This is the most Kaspersky would conclude:

    “Currently, we cannot conclusively attribute this cyberattack to any known threat actor … The unique characteristics observed in Operation Triangulation don’t align with patterns of known campaigns, making attribution challenging at this stage”

More details may emerge as time goes on, but for now, any claims that a specific government or group was responsible, or any assertions that Apple did this intentionally, are pure speculation, so don’t fall for the click-bait.

Also note that the fact that this was so difficult to pull off proves how hard Apple are working to harden the iPhone.

Finally, remember that the probability that any NosillaCastaway was in any way affected by these vulnerabilities is so low as to be effectively zero — billion-dollar exploits are not wasted on regular folk like us!

Links:

❗ Action Alerts

Worthy Warnings

Notable News

  • An example of a trend in modern ransomware attacks we should be aware of — ransoming the exposed users when the company doesn’t pay up: Integris Health patients get extortion emails after cyberattack — www.bleepingcomputer.com/… (Oklahoma’s biggest not-for-profit healthcare network)

  • Google Chrome’s Safety Check feature is being expanded and will run automatically in the background on desktop versions of the browser — www.bleepingcomputer.com/…

    Safety Check compares login credentials against those exposed in data leaks. It also checks for weak and easy-to-guess passwords that expose users to brute-force attacks or password-cracking attempts.

    Google will broaden Safety Check’s functionality to automatically revoke permissions, such as access to the user’s location or microphone, for websites that haven’t been visited for a long time.

Legend

When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by Bart.

Emoji Meaning
A link to audio content, probably a podcast.
A call to action.
flag The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country.
A link to graphical content, probably a chart, graph, or diagram.
A story that has been over-hyped in the media, or, “no need to light your hair on fire”
A link to an article behind a paywall.
A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future.
A tip of the hat to thank a member of the community for bringing the story to our attention.

2 thoughts on “Security Bits — 3 January 2024 (Bart & Jill from the North Woods)”

  2. PDX_Kurt - January 25, 2024

    I thought this was a great segment of the podcast! Kudos to Jill for asking some very pertinent questions, and relating her own “restart Windows every day” best practice. I tend to think that the lead story probably involves an NSA back door that was intentional, with the fact that the registers were undocumented providing Apple with plausible deniability.
