A new report from Bloomberg reveals that in the months leading up to the recent Israel-Iran war, there was a concerted and sophisticated effort to hack iPhones belonging to Iranians living within Iran and abroad. More than a dozen individuals were targeted, some of whom received messages from Apple alerting them to the attempt. The alerts are part of Apple’s threat notification program which we’ll address later on.
With regard to the attack at issue, the report relays that a human rights group estimated that they were only able to identify “a fraction of the total targets.” In other words, the hacking campaign appears to be expansive.
Of course, the next question is who exactly is behind the hacking campaign? Interestingly enough, this is where things get a little bit murky. Some of the targeted individuals work within the Iranian government, a fact which suggests that the campaign may have been an initiative launched by either Israel or the U.S. There’s also the possibility that the U.S. and Israel worked together. There is a precedent for this given the sophisticated Stuxnet attack which targeted Iran’s nuclear program and was developed jointly between U.S. and Israeli tech experts over the course of a few years.
Complicating matters, however, is that some of the targeted individuals are Iranian dissidents who are vocal in their opposition to the current Iranian regime. This, naturally, would suggest that the Iranian Government is behind the attacks. It’s worth noting that various state-affiliated Iranian hacking groups are known to be exceptionally sophisticated.
To this point, Lookout recently highlighted some of the sophisticated mobile hacking efforts initiated by MuddyWater, a hacking group with close ties to Iran’s Intelligence services. Indeed, Lookout noted that about a week into the recent Israel-Iran war, its researchers discovered several new samples of an advanced Android malware dubbed DCHSpy which has the “ability to identify and exfiltrate data from files of interest on the device as well as WhatsApp data.”
All told, it remains unclear who exactly is behind the attacks. What is clear, however, is that the attack itself was very advanced and relied upon various zero-day zero-click exploits which likely cost millions of dollars to research and develop. The report notes that the attack vectors themselves were “exceptionally rare.”
Apple’s threat notification program
Apple’s threat notification program began back in 2021. The program, in short, alerts individuals whenever Apple ascertains that their iPhone may have been compromised or targeted in an attack. Note that the program doesn’t aim to address run-of-the-mill malware, but rather well-orchestrated attacks that target individuals based on who they are and the political work they’re engaged in, such as journalists who report on repressive regimes.
Apple’s support document on its threat notification program reads in part: “Since 2021, we have sent Apple threat notifications multiple times a year as we have detected these attacks, and to date we have notified users in over 150 countries in total. The extreme cost, sophistication, and worldwide nature of mercenary spyware attacks makes them some of the most advanced digital threats in existence today.”
Apple also lays out how it informs potentially compromised users. When a threat is determined, Apple will email and text the targeted individual. And because threat actors are clever, Apple notes that users shouldn’t just take an email or text at face value. Rather, to confirm that such a warning is legitimate and comes from Apple, users are also instructed to log into their Apple account to be safe.
One suggested solution: Lockdown Mode
From there, it’s up to the user what steps they want to take. One potential response is for a user to enable Lockdown Mode. For those unfamiliar, Lockdown Mode debuted with iOS 16 and essentially strips away several iOS features in the interest of device security. For instance, an iPhone in Lockdown Mode can’t access message attachments.
Other changes are listed below:
- Web browsing – Certain complex web technologies are blocked, which might cause some websites to load more slowly or not operate correctly. In addition, web fonts might not be displayed, and images might be replaced with a missing image icon.
- FaceTime – Incoming FaceTime calls are blocked unless you have previously called that person or contact within the past 30 days. Features such as SharePlay and Live Photos are unavailable.
- Apple services – Incoming invitations for Apple services, such as invitations to manage a home in the Home app, are blocked unless you have previously invited that person. Focus and any related status will not work as expected. Game Center is also disabled.
- Photos – When you share photos, location information is excluded. Shared albums are removed from the Photos app, and new Shared Album invitations are blocked. You can still view these shared albums on other devices that don’t have Lockdown Mode enabled.
Apple takes sophisticated malware very seriously
It’s no secret that Apple takes sophisticated malware very seriously. Recall, Apple back in 2021 sued the NSO Group over the development of its Pegasus spyware. As we’ve covered previously, the NSO Group is a security research group based out of Israel. Over a period of a few years, it has developed some of the more impressive and sophisticated hacking tools on the planet. In one particular case, an NSO Group hacking tool utilized a chain of three zero-day exploits to completely take over a targeted device with no user interaction at all.
Over the course of a few years, Apple and the NSO Group were engaged in a game of cat-and-mouse. NSO Group would release a malware tool. Apple would eventually get wind of it and issue a software patch. From there, the NSO Group would release a workaround, and the cycle would continue endlessly. Eventually, Apple got sick of the back and forth and decided to take the NSO Group to court.
At the time, Craig Federighi explained the impetus behind the lawsuit: “State-sponsored actors like the NSO Group spend millions of dollars on sophisticated surveillance technologies without effective accountability. That needs to change. Apple devices are the most secure consumer hardware on the market — but private companies developing state-sponsored spyware have become even more dangerous. While these cybersecurity threats only impact a very small number of our customers, we take any attack on our users very seriously, and we’re constantly working to strengthen the security and privacy protections in iOS to keep all our users safe.”
Apple opted to drop the lawsuit last year for a variety of reasons. Still, the company’s efforts to keep iPhones secure from prying eyes remains as vigilant as ever.
