L3Harris and Apple: iPhone Hacking Toolkit Used by Russian Spies Likely Developed by U.S. Contractor

Advanced iPhone Exploit Kit "Coruna" Traces Back to U.S. Defense Contractor, Spreads Globally

A sophisticated iOS exploit toolkit called Coruna has become a focal point in cybersecurity circles after evidence linked its origins to L3Harris, a U.S. defense contractor, before falling into the hands of Russian intelligence and Chinese cybercriminals. The case underscores the risks of government-grade hacking tools leaking into broader cybercrime and espionage operations.

Google’s Threat Intelligence Group revealed that Coruna leverages 23 exploits across five attack chains, targeting iPhones running iOS 13 through 17.2.1 via watering-hole attacks. A single visit to a compromised website can trigger remote code execution, sandbox escape, and kernel compromise, enabling attackers to steal data, spy on victims, and drain cryptocurrency wallets.

Originally deployed in highly targeted operations by an unnamed government client of a commercial surveillance vendor, Coruna was later repurposed by Russian state hackers against Ukrainian users and, subsequently, by a Chinese cybercrime group for financial theft. This progression reflects a common pattern: elite zero-day exploits, once leaked, rapidly enter underground markets as "second-hand" tools.

TechCrunch reported that two former employees of L3Harris’ hacking division, Trenchant, identified Coruna’s artifacts and internal naming conventions, suggesting the toolkit was developed in-house and sold exclusively to the U.S. government and Five Eyes allies. Separately, researchers at iVerify assessed that Coruna was likely built by a U.S. government contractor, though they did not confirm attribution.

The timeline aligns with a 2023 insider theft case involving Peter Williams, Trenchant’s former general manager, who was sentenced for stealing eight offensive tools, including ones targeting iOS, and selling them to the Russian exploit broker Operation Zero for $1.3 million. U.S. prosecutors warned these tools could compromise millions of devices. Operation Zero, now sanctioned by the U.S. Treasury, has ties to Russian intelligence and unauthorized buyers, facilitating Coruna’s spread to state-backed hackers and cybercriminals.

Coruna’s codebase also overlaps with exploits used in Operation Triangulation, a 2023 campaign disclosed by Kaspersky that targeted iPhones, including those within Russia. Shared modules such as Photon, Gallium, and Plasma suggest a connection between the two frameworks, reinforcing concerns about the proliferation of high-end iOS exploits.

Source: https://cyberpress.org/iphone-hacking-toolkit-used-by-russian/

Apple cybersecurity rating report: https://www.rankiteo.com/company/apple

L3Harris Technologies cybersecurity rating report: https://www.rankiteo.com/company/l3harris-technologies

{
  "id": "APPL3H1773147416",
  "linkid": "apple, l3harris-technologies",
  "type": "Breach",
  "date": "6/2023",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{'affected_entities': [{'industry': 'Defense/Aerospace',
                        'location': 'United States',
                        'name': 'L3Harris (Trenchant division)',
                        'type': 'Defense contractor'},
                       {'location': 'Ukraine',
                        'name': 'Ukrainian users',
                        'type': 'Individuals/Government entities'},
                       {'customers_affected': 'Millions (potential)',
                        'location': 'Global',
                        'name': 'General iPhone users',
                        'type': 'Individuals'}],
 'attack_vector': ['Watering-hole attacks', 'Zero-day exploits'],
 'data_breach': {'data_exfiltration': 'Yes',
                 'personally_identifiable_information': 'Yes',
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['Cryptocurrency wallet data',
                                              'Personally identifiable '
                                              'information',
                                              'Sensitive user data']},
 'description': 'A sophisticated iOS exploit toolkit called Coruna has been '
                'linked to L3Harris, a U.S. defense contractor, before being '
                'repurposed by Russian intelligence and Chinese '
                'cybercriminals. The toolkit leverages 23 exploits across five '
                'attack chains, targeting iPhones running iOS 13 through '
                '17.2.1 via watering-hole attacks, enabling remote code '
                'execution, sandbox escape, and kernel compromise. Originally '
                'deployed in highly targeted operations, Coruna was later used '
                'by Russian state hackers against Ukrainian users and by a '
                'Chinese cybercrime group for financial theft.',
 'impact': {'brand_reputation_impact': ['L3Harris', 'U.S. government'],
            'data_compromised': ['Cryptocurrency wallets',
                                 'Sensitive user data'],
            'identity_theft_risk': 'High',
            'legal_liabilities': ['Potential sanctions violations',
                                  'Insider theft'],
            'payment_information_risk': 'High (cryptocurrency wallets)',
            'systems_affected': ['iPhones (iOS 13-17.2.1)']},
 'initial_access_broker': {'data_sold_on_dark_web': 'Yes (via Operation Zero)',
                           'entry_point': 'Watering-hole attacks',
                           'high_value_targets': ['Ukrainian users',
                                                  'Government entities']},
 'investigation_status': 'Ongoing',
 'lessons_learned': 'The incident highlights the risks of government-grade '
                    'hacking tools leaking into broader cybercrime and '
                    'espionage operations, as well as the rapid proliferation '
                    'of elite zero-day exploits in underground markets.',
 'motivation': ['Espionage', 'Financial theft', 'Surveillance'],
 'post_incident_analysis': {'corrective_actions': ['Sanctions against '
                                                   'Operation Zero',
                                                   'Legal action against '
                                                   'insider (Peter Williams)',
                                                   'Increased scrutiny of '
                                                   'commercial surveillance '
                                                   'vendors'],
                            'root_causes': ['Insider theft (Peter Williams)',
                                            'Leakage of government-grade '
                                            'hacking tools',
                                            'Proliferation via exploit brokers '
                                            '(Operation Zero)']},
 'recommendations': ['Strengthen insider threat programs for defense '
                     'contractors',
                     'Enhance monitoring of exploit broker activities',
                     'Improve collaboration between private sector and '
                     'government to track exploit proliferation',
                     'Increase transparency around commercial surveillance '
                     'tools'],
 'references': [{'source': 'Google’s Threat Intelligence Group'},
                {'source': 'TechCrunch'},
                {'source': 'iVerify'},
                {'source': 'Kaspersky (Operation Triangulation)'},
                {'source': 'U.S. Department of Justice (Peter Williams case)'}],
 'regulatory_compliance': {'legal_actions': ['Peter Williams (insider theft '
                                             'case)'],
                           'regulations_violated': ['Potential U.S. sanctions '
                                                    '(Operation Zero)']},
 'response': {'third_party_assistance': ['Google’s Threat Intelligence Group',
                                         'iVerify',
                                         'Kaspersky']},
 'threat_actor': ['Russian state hackers',
                  'Chinese cybercrime group',
                  'Operation Zero (Russian exploit broker)',
                  'U.S. government (original client)'],
 'title': "Advanced iPhone Exploit Kit 'Coruna' Traces Back to U.S. Defense "
          'Contractor, Spreads Globally',
 'type': ['Espionage', 'Cybercrime', 'Exploit Proliferation'],
 'vulnerability_exploited': ['23 exploits across five attack chains (iOS '
                             '13-17.2.1)',
                             'Remote code execution',
                             'Sandbox escape',
                             'Kernel compromise']}