Potential US-built hacking tools obtained by foreign spies and cybercriminals, research says

iVerify has described the activity as the “first known mass iOS attack” campaign of its kind. Google said fragments of the exploit first appeared last February, with ties to an unnamed “customer of a surveillance company.”
A powerful iPhone hacking toolkit that researchers say may have originated as a U.S.-built capability has surfaced in the hands of foreign espionage actors and financially motivated criminal groups, according to new analyses from Google and mobile security firm iVerify.
The toolkit, dubbed Coruna, contains multiple exploits capable of surreptitiously compromising Apple devices running older versions of iOS. Researchers say the codebase appears as a professionally developed platform, raising concerns that a tool originally built for covert government use may have escaped controlled channels.
Both iVerify and Google’s Threat Intelligence Group identified five exploit chains leveraging more than 20 vulnerabilities across iOS 13 through 17.2.1 — older versions of the iPhone operating system released between September 2019 and December 2023. The codebase contains extensive inline documentation and explanatory notes written in native-level English.
“We found a tool that was very likely developed by a nation state … very likely developed by or for the U.S. government, that has been on a strange journey through zero day brokers around the world,” iVerify cofounder Rocky Cole said in a Tuesday webinar that detailed the findings.
“I think it is a good bet, though certainly not a sure bet, that at least the framework and the exploits may have had … origin in the U.S.,” he later said. iVerify has not contacted the NSA or U.S. Cyber Command — common users of government-linked cyber exploits — and Cole said “they would not say anything anyway.”
The hacking tools can be delivered through malicious web content that fingerprints a target device and deploys tailored code to achieve remote code execution, bypassing key iOS security mitigations. The tools’ trail suggests they were first used by Russian intelligence against Ukrainian targets before being adopted by a cybercrime organization to steal cryptocurrency from Chinese-speaking victims. While Apple has patched the underlying flaws, devices still running older versions of iOS remain exposed to the tooling.
According to Google, fragments of Coruna first appeared in February last year in operations tied to an unnamed “customer of a surveillance company.” Months later, researchers observed a more mature version deployed in what they assess to be a Russian espionage campaign, with the exploit code embedded in a routine web analytics tool on Ukrainian websites.
Google and iVerify noted that parts of Coruna were also used in the 2023 “Triangulation” campaign, which Russian officials alleged was conducted by the NSA.
iVerify, which described the activity as the “first known mass iOS attack” campaign of its kind, said the exploit kit appeared to have transitioned from what may have been a state-aligned surveillance capability into a broadly deployed criminal tool. In samples recovered from Chinese-language scam infrastructure, the firm observed implants designed to harvest financial credentials and cryptocurrency wallet data.
If the exploits are indeed tied to the U.S., the case would echo previous instances in which high-end offensive cyber tools — including those developed by Western governments — later appeared in unauthorized hands. The NSA-developed Windows exploit EternalBlue was stolen and exposed in 2017, eventually enabling destructive operations like North Korea’s WannaCry attack and Russia-linked NotPetya hacks.
U.S. intelligence and defense agencies maintain secret offensive cyber capabilities used to gather foreign intelligence, monitor adversaries and disrupt hostile networks. The tools often exploit previously unknown software vulnerabilities — known as zero days — to gain covert access to targeted systems. Officials argue such capabilities are essential to modern national defense, though their development carries inherent risk if the underlying exploits are exposed or reused outside government control.
Nextgov/FCW has asked the NSA and Apple for comment.
What’s known for certain is that U.S. exploits have recently been distributed in the wild. Peter Williams, a former employee of L3Harris-owned Trenchant, pleaded guilty in October to selling at least eight of the company’s exploits to a Russian broker believed to be Operation Zero. Operation Zero was sanctioned by the Treasury Department last month.