A recent mass hacking campaign targeting iPhone users in Ukraine and China employed tools that are believed to have originated from the U.S. Military contractor L3Harris. The toolkit, known as “Coruna,” was initially designed for Western intelligence operations but ultimately fell into the hands of various malicious actors, including Russian government operatives and Chinese cybercriminals.
According to findings released by Google, the Coruna toolkit comprises 23 distinct components that were reportedly used in highly targeted operations by an undisclosed government client of a surveillance vendor. This sophisticated hacking toolkit was later utilized by Russian spies against a limited number of Ukrainians and subsequently by Chinese hackers in broader campaigns aimed at stealing money and cryptocurrency.
Independent analysis from the mobile cybersecurity firm iVerify suggested that Coruna may have been originally developed by a company that sold its tools to the U.S. Government. Two former employees of L3Harris confirmed that Coruna was partially created by the company’s hacking and surveillance division, Trenchant. These individuals, who wished to remain anonymous due to the sensitive nature of their work, indicated that Coruna was indeed an internal designation for one of the components.
“Coruna was definitely an internal name of a component,” stated one ex-employee familiar with iPhone hacking tools from their time at Trenchant. They added that many of the technical details outlined in Google’s report were familiar to them.
The tools developed by Trenchant are sold exclusively to the U.S. Government and its allies within the Five Eyes intelligence alliance, which includes Australia, Canada, New Zealand, and the United Kingdom. The limited customer base raises concerns about how the Coruna toolkit transitioned from a government contractor to being exploited by foreign adversaries.
From Government Contractor to Cyber Criminals
The pathway through which Coruna migrated from L3Harris to malicious entities remains unclear. It does, however, bear similarities to a recent case involving Peter Williams, a former general manager at Trenchant who sold eight hacking tools to a Russian broker known as Operation Zero. This broker is known for trading in zero-day exploits—security vulnerabilities previously unknown to the software vendor.
Williams, a 39-year-old Australian citizen, was sentenced to seven years in prison last month after admitting to selling these tools to Operation Zero for $1.3 million. The U.S. Government labeled Williams’s actions a betrayal, as he had full access to Trenchant’s networks and leaked tools that could potentially compromise millions of devices worldwide.
Operation Zero claims to exclusively work with the Russian government and local companies. The U.S. Treasury Department has stated that this broker sold Williams’ stolen tools to unauthorized users, which may explain how the Russian espionage group, identified by Google as UNC6353, came into possession of Coruna. This group deployed the toolkit on compromised Ukrainian websites, targeting specific iPhone users based on their geographic location.
Once Operation Zero obtained Coruna, it is suspected that the broker resold the toolkit, possibly to other brokers, nations, or even directly to cybercriminals. Reports similarly allege that members of the Trickbot ransomware gang collaborated with Operation Zero, further intertwining the toolkit’s journey with financially motivated hackers.
Link to Operation Triangulation
Google’s research has linked two specific exploits from the Coruna toolkit—named Photon and Gallium—to a sophisticated hacking campaign known as Operation Triangulation, which was reportedly employed against Russian iPhone users. This connection to Operation Triangulation was first disclosed by Kaspersky in 2023.
Rocky Cole, co-founder of iVerify, noted that the best current explanation is that Trenchant and the U.S. Government were the original developers and customers of Coruna, although he refrained from making definitive claims. He pointed to the timing of Coruna’s use aligning with Williams’s leaks, similarities in the structure of the toolkit’s modules to those found in Operation Triangulation, and the reuse of some exploits.
According to Cole, individuals within the defense community have suggested that the Plasma module was also utilized in Operation Triangulation, although public evidence is lacking. The Coruna toolkit was designed to target iPhone models running iOS versions 13 through 17.2.1, which were released between September 2019 and December 2023, coinciding with the timeline of Williams’s leaks.
As noted by a former Trenchant employee, there was speculation among colleagues that at least one of the zero-days linked to Kaspersky’s findings was derived from the broader project that included Coruna.
Implications and Future Developments
The incident raises significant questions about cybersecurity and the control of hacking tools developed by government contractors. The leakage of such sensitive capabilities can have serious implications for international security and the integrity of software systems globally. As cybercriminals become increasingly sophisticated, the boundaries between state-sponsored espionage and criminal activities continue to blur.
The emergence of hacking toolkits like Coruna emphasizes the need for stricter controls on the development and distribution of surveillance technology. As the situation evolves, it will be crucial to monitor related developments, particularly concerning the actions of government contractors and the security measures that can be implemented to prevent such tools from falling into the wrong hands.
Readers are encouraged to share their thoughts on this evolving situation and the implications for cybersecurity in the comments section.