Threat Intel (Severity: HIGH)

Threat Intel - TA446 Uses DarkSword iOS Exploit Kit

Source: The Hacker News
Tags: TA446, DarkSword, iOS exploit kit, spear-phishing, Proofpoint

Basically, a Russian hacking group is using a new tool to trick iPhone users into giving up their information.

Quick Summary

A new spear-phishing campaign by TA446 is targeting iOS devices using the DarkSword exploit kit. This attack could affect various sectors, raising serious security concerns. Users should stay alert and update their devices promptly.

The Threat

TA446, a Russian state-sponsored hacking group, has recently been linked to a targeted email campaign that uses the DarkSword iOS exploit kit. The group is known for spear-phishing aimed at harvesting credentials from high-profile targets. The latest campaign uses fake emails that pose as legitimate event invitations, specifically spoofing the Atlantic Council, in order to deliver malware to unsuspecting recipients.

The DarkSword exploit kit is particularly concerning because it exploits vulnerabilities in iOS devices delivered through the web browser. This marks a notable shift in TA446's operations, as the group has not previously targeted Apple devices in this way. The campaign's high email volume suggests a deliberate expansion of its targeting, reaching a broader audience than usual.

Who's Behind It

TA446 has been attributed with high confidence to Russia's Federal Security Service (FSB). This group is also known under various names, including Callisto, COLDRIVER, and Star Blizzard. Their history of spear-phishing campaigns has shown a focus on high-value targets, including government officials and organizations involved in policy-making.

The recent activities have raised alarms, especially since one of the email recipients was Leonid Volkov, a prominent Russian opposition politician. This indicates that the group's tactics are not only aimed at general credential harvesting but also at political espionage.

Tactics & Techniques

The DarkSword exploit kit is being used to deploy GHOSTBLADE malware, which is designed to extract sensitive data from compromised devices. The emails sent by TA446 were crafted to look like legitimate discussion invitations, which increases the chance that recipients click the embedded link. Once the link is opened, the exploit kit attempts to execute malicious code on the victim's device.

Proofpoint has noted that the targeting observed in this campaign is much wider than previous efforts. The group is now aiming at various sectors, including government, education, finance, and legal entities. This shift suggests that TA446 is leveraging new capabilities to conduct broader intelligence collection.

Defensive Measures

In response to this emerging threat, Apple has begun notifying users of potential vulnerabilities in older versions of iOS. These notifications urge users to update their devices to protect against web-based attacks. The unusual step of sending Lock Screen notifications indicates how seriously Apple regards the threat posed by the DarkSword exploit kit.

Experts warn that the release of the DarkSword kit on platforms such as GitHub could democratize access to these sophisticated tools, meaning even less skilled attackers could use them and the risk of mobile attacks could escalate. Users are advised to remain vigilant about suspicious emails and to keep their devices updated to the latest software versions to mitigate the risk.

🔒 Pro insight: The emergence of DarkSword in the wild indicates a significant escalation in mobile threat capabilities, especially for state-sponsored actors.

Original article from The Hacker News.
