A group of hackers, suspected to be affiliated with the Russian government, targeted iPhone users in Ukraine using new hacking tools aimed at stealing personal data and potentially cryptocurrency, cybersecurity researchers report.
Researchers from Google, iVerify, and Lookout analyzed new cyberattacks against Ukrainians carried out by a group known as UNC6353. They identified compromised websites used in a hacking campaign related to an earlier one, this time relying on a toolkit named Darksword.
The discovery of Darksword suggests that advanced spyware for iPhones may be more common than assumed. However, it specifically targeted users in Ukraine, indicating a limited scope compared with a potential global threat.
Earlier in March, Google disclosed details about Coruna, a sophisticated iPhone-hacking toolkit initially used by a government client of a surveillance vendor, then by Russian spies targeting Ukrainians, and later by Chinese hackers for cryptocurrency theft. TechCrunch later revealed it was originally developed at U.S. defense contractor L3Harris, within its Trenchant department.
Coruna was intended for use by Western governments, notably those in the Five Eyes alliance, comprising Australia, Canada, New Zealand, the United States, and the United Kingdom, according to former L3Harris employees.
Researchers have now uncovered a related campaign using newer tools that exploit different vulnerabilities. Darksword was designed to steal personal information such as passwords, photos, messages, and browsing history. It was not intended for continuous surveillance but for quick data theft.
Darksword’s “dwell time on the device is likely in the range of minutes, depending on the amount of data it discovers and exfiltrates,” Lookout researchers noted.
Rocky Cole, co-founder of iVerify, suggests the hackers focused on understanding the victim’s lifestyle without ongoing surveillance, opting for quick data theft.
Darksword also aimed to steal cryptocurrency from popular wallet apps, which is unusual for a suspected government hacking group.
“This may indicate financial motivation, or suggest that Russian state-aligned activity has shifted toward financial theft targeting mobile devices,” Lookout reported.
However, Cole told TechCrunch there is no evidence the Russian hackers intended to steal crypto, only that the malware was capable of it.
The malware’s design shows professional development, with modular features allowing easy updates, indicating an advanced tool, according to Lookout. Cole speculates that the seller who provided Coruna to the Russian hacking group might have sold Darksword too.
In terms of responsibility, Cole believes “all signs point to the Russian government,” while Lookout attributes it to the same group that used Coruna, also suspected of being Russian government-affiliated.
“UNC6353 is a well-funded, connected threat actor conducting financially and espionage-aligned attacks with Russian intelligence needs,” Justin Albrecht of Lookout told TechCrunch. “There’s potential the group is a Russian criminal proxy, given its dual objectives of financial theft and intelligence collection.”
Victims included anyone visiting certain Ukrainian websites from within Ukraine, indicating a non-specific targeting strategy.
