
Russians have been caught stealing personal data from Ukrainians with new advanced iPhone hacking tools

A hacking group suspected of working at least in part for the Russian government has targeted iPhone users in Ukraine with a new set of hacking tools designed to steal their personal data, as well as steal cryptocurrency, according to cybersecurity researchers.

Researchers from Google and the security firms iVerify and Lookout have analyzed a new cyberattack on Ukrainians launched by a group identified only as UNC6353. The researchers say the campaign, which infected victims through compromised websites, is related to one disclosed earlier this month. This latest campaign used a commercial hacking tool called Darksword.

The discovery of Darksword, which follows that of a similar hacking toolkit, suggests that advanced, stealthy, and powerful spyware for iPhones may not be as rare as previously thought. Darksword, however, only targeted users in Ukraine, meaning it was not deployed in what could have been a wider hacking campaign against users around the world.

In early March, Google revealed details of a mysterious iPhone hacking toolkit called Coruna. The search giant said the tool was first used by a government customer of a surveillance technology vendor, then by Russian spies targeting Ukrainians, and finally by Chinese hackers looking to steal cryptocurrency. As TechCrunch later revealed, the toolkit was originally developed by US defense contractor L3Harris, specifically by its Trenchant hacking and surveillance technology division.

Coruna was originally designed to be used by Western governments, especially those that are part of the so-called Five Eyes intelligence alliance, made up of Australia, Canada, New Zealand, the United States, and the United Kingdom, according to former L3Harris employees with knowledge of the company’s iPhone hacking tools.

Now, researchers say they have discovered a related campaign using a newer set of hacking tools that exploit a different set of vulnerabilities.

The Darksword toolkit, according to the researchers, is designed to steal personal information such as passwords; photos; WhatsApp, Telegram and other messages; and browser history. Notably, Darksword was not designed for continuous surveillance, but rather to infect victims, steal their data, and disappear quickly.

Contact Us

Do you have more information about Darksword, Coruna, or other government hacking and spyware tools? From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram, Keybase and Phone @lorenzofb, or via email.

“Darksword’s dwell time on a device is probably in the range of minutes, depending on the amount of data it collects and outputs,” Lookout researchers wrote.

For Rocky Cole, the founder of iVerify, the most likely explanation is that the attackers wanted to learn about the victims’ pattern of life, which did not require constant surveillance but rather a smash-and-grab operation.

Darksword is also designed to steal cryptocurrency from popular wallet apps, something unusual for a group accused of hacking on behalf of a government.

“This may indicate that this threat actor is financially motivated, or alternatively it may indicate that this (potentially) Russian-backed activity has expanded into financial theft targeting mobile devices,” Lookout wrote in its report.

But, Cole told TechCrunch, there is no evidence that the Russian hacking group actually cared about stealing crypto, only that the malware could be used for that purpose.

The malware was built to be modular, making it easy to add new functionality, which Lookout says shows it was professionally developed. Cole said he believes that whoever supplied Coruna to the Russian government may have also sold it Darksword.

As for who was behind Darksword, for Cole “all signs point to the Russian government,” while Lookout says it’s the same group that used Coruna against the Ukrainian people, which is also suspected of being part of the Russian government.

“UNC6353 is a threat actor funded and linked to attacks for financial gain and espionage in line with Russian intelligence needs,” Justin Albrecht, principal security researcher at Lookout, told TechCrunch. “We believe a case can be made that UNC6353 may be a Russian criminal agent, given the dual goals of money laundering and intelligence gathering.”

As for the victims, Cole said the malware was designed to infect anyone visiting certain websites in Ukraine, as long as they were located in Ukraine, so it wasn’t a narrowly targeted campaign.
