{"id":227727,"date":"2026-03-10T17:44:22","date_gmt":"2026-03-10T17:44:22","guid":{"rendered":"https:\/\/entertainment.runfyers.com\/index.php\/2026\/03\/10\/the-mystery-of-a-globetrotting-iphone-hacking-toolkit-2\/"},"modified":"2026-03-10T17:44:22","modified_gmt":"2026-03-10T17:44:22","slug":"the-mystery-of-a-globetrotting-iphone-hacking-toolkit-2","status":"publish","type":"post","link":"https:\/\/entertainment.runfyers.com\/index.php\/2026\/03\/10\/the-mystery-of-a-globetrotting-iphone-hacking-toolkit-2\/","title":{"rendered":"The mystery of a globetrotting iPhone-hacking toolkit"},"content":{"rendered":"<p> <br \/>\n<\/p>\n<div>\n<p id=\"speakable-summary\" class=\"wp-block-paragraph\">A mass hacking campaign targeting iPhone users in Ukraine and China used tools that were likely designed by U.S. military contractor L3Harris, TechCrunch has learned. The tools, which were intended for Western spies, wound up in the hands of various hacking groups, including Russian government spooks and Chinese cybercriminals.<\/p>\n<p class=\"wp-block-paragraph\">Last week, Google revealed that over the course of 2025, it discovered that <a href=\"https:\/\/techcrunch.com\/2026\/03\/03\/a-suite-of-government-hacking-tools-targeting-iphones-is-now-being-used-by-cybercriminals\/\" target=\"_blank\" rel=\"noreferrer noopener\">a sophisticated iPhone-hacking toolkit<\/a> had been used in a series of global attacks. 
The toolkit, dubbed \u201cCoruna\u201d by its original developer, was made of 23 different components first used \u201cin highly targeted operations\u201d by an unnamed government customer of an unspecified \u201csurveillance vendor.\u201d It was then used by Russian government spies against a limited number of Ukrainians and finally by Chinese cybercriminals \u201cin broad-scale\u201d campaigns with the goal of stealing money and cryptocurrency.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">Researchers at mobile cybersecurity company iVerify, which <a href=\"https:\/\/iverify.io\/blog\/coruna-inside-the-nation-state-grade-ios-exploit-kit-we-ve-been-tracking\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">independently analyzed Coruna<\/a>, said they believed it may have been originally built by a company that sold it to the U.S. government.<\/p>\n<p class=\"wp-block-paragraph\">Two former employees of government contractor L3Harris told TechCrunch that Coruna was, at least in part, developed by the company\u2019s hacking and surveillance tech division, Trenchant. The two former employees both had knowledge of the company\u2019s iPhone hacking tools.\u00a0Both spoke on condition of anonymity because they weren\u2019t authorized to talk about their work for the company.<\/p>\n<p class=\"wp-block-paragraph\">\u201cCoruna was definitely an internal name of a component,\u201d said one former L3Harris employee, who was familiar with iPhone hacking tools as part of their work at Trenchant.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">\u201cLooking at the technical details,\u201d this person said, referring to some of the evidence Google published, \u201cso many are familiar.\u201d\u00a0<\/p>\n<p class=\"wp-block-paragraph\">The former employee said the overarching Trenchant toolkit housed several different components, including Coruna and related exploits. Another former employee confirmed that some of the details included in the published hacking toolkit came from Trenchant.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">L3Harris sells Trenchant\u2019s hacking and surveillance tools exclusively to the U.S. government and its allies in the so-called Five Eyes intelligence alliance, which includes Australia, Canada, New Zealand, and the United Kingdom. 
Given Trenchant\u2019s limited number of customers, it\u2019s possible that Coruna was originally acquired and used by one of these governments\u2019 intelligence agencies before falling into unintended hands, though it\u2019s unclear how much of the published Coruna hacking toolkit was developed by L3Harris Trenchant.<\/p>\n<p class=\"wp-block-paragraph\">An L3Harris spokesperson did not respond to a request for comment.<\/p>\n<p class=\"wp-block-paragraph\">How Coruna went from the hands of a Five Eyes government contractor to a Russian government hacking group and then to a Chinese cybercrime gang is unclear.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">But some of the circumstances appear similar to the case of <a href=\"https:\/\/techcrunch.com\/2026\/02\/25\/inside-the-story-of-the-us-defense-contractor-who-leaked-hacking-tools-to-russia\/\" target=\"_blank\" rel=\"noreferrer noopener\">Peter Williams<\/a>, a former general manager at Trenchant. From 2022 until he resigned in mid-2025, <a href=\"https:\/\/techcrunch.com\/2025\/10\/23\/u-s-government-accuses-former-l3harris-cyber-boss-of-stealing-trade-secrets\/\" target=\"_blank\" rel=\"noreferrer noopener\">Williams sold eight company hacking tools<\/a> to Operation Zero, a Russian company that <a href=\"https:\/\/techcrunch.com\/2023\/09\/27\/russian-zero-day-seller-offers-20m-for-hacking-android-and-iphones\/\" target=\"_blank\" rel=\"noopener\">offers millions of dollars<\/a> in exchange for <a href=\"https:\/\/techcrunch.com\/2025\/04\/25\/techcrunch-reference-guide-to-security-terminology\/#zero-day\" target=\"_blank\" rel=\"noreferrer noopener\">zero-day<\/a> exploits, meaning vulnerabilities that are unknown to the affected vendor.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">Williams, a 39-year-old Australian citizen, <a href=\"https:\/\/techcrunch.com\/2026\/02\/24\/former-l3harris-trenchant-boss-jailed-for-selling-hacking-tools-to-russian-broker\/\" target=\"_blank\" rel=\"noreferrer noopener\">was 
sentenced to seven years in prison<\/a> last month, after he admitted to stealing and selling the eight Trenchant hacking tools to Operation Zero for $1.3 million.\u00a0\u00a0<\/p>\n<p class=\"wp-block-paragraph\">The U.S. government said Williams, who <a href=\"https:\/\/techcrunch.com\/2025\/11\/03\/how-an-ex-l3-harris-trenchant-boss-stole-and-sold-cyber-exploits-to-russia\/\" target=\"_blank\" rel=\"noreferrer noopener\">took advantage of having \u201cfull access\u201d<\/a> to Trenchant\u2019s networks, \u201cbetrayed\u201d the United States and its allies. Prosecutors <a href=\"https:\/\/techcrunch.com\/2026\/02\/11\/doj-says-trenchant-boss-sold-exploits-to-russian-broker-capable-of-accessing-millions-of-computers-and-devices\/\" target=\"_blank\" rel=\"noreferrer noopener\">accused him of leaking tools<\/a> that could have allowed whoever used them to \u201cpotentially access millions of computers and devices around the world,\u201d suggesting the tools relied on vulnerabilities affecting widely used software like iOS.\u00a0\u00a0<\/p>\n<p class=\"wp-block-paragraph\">Operation Zero, which <a href=\"https:\/\/techcrunch.com\/2026\/02\/24\/treasury-sanctions-russian-zero-day-broker-accused-of-buying-exploits-stolen-from-u-s-defense-contractor\/\" target=\"_blank\" rel=\"noreferrer noopener\">was sanctioned by the U.S. government<\/a> last month, claims to work exclusively with the Russian government and local companies. 
The U.S. Treasury claimed that the Russian broker sold Williams\u2019 \u201cstolen tools to at least one unauthorized user.\u201d<\/p>\n<p class=\"wp-block-paragraph\">That would explain how the Russian espionage group, which Google has only identified as UNC6353, acquired Coruna and deployed it on compromised Ukrainian websites so that it would hack certain iPhone users from a specific geolocation who unwittingly visited the malicious site.<\/p>\n<p class=\"wp-block-paragraph\">It is possible that once Operation Zero acquired Coruna and potentially sold it to the Russian government, the broker then resold the toolkit to someone else, perhaps another broker, another country, or even directly to cybercriminals. The Treasury alleged that a member of the Trickbot ransomware gang worked with Operation Zero, tying the broker to financially motivated hackers.<\/p>\n<p class=\"wp-block-paragraph\">At that point, Coruna may have passed to other hands until it reached Chinese hackers. According to U.S. prosecutors, Williams recognized code that he wrote and sold to Operation Zero later being used by a South Korean broker.<\/p>\n<figure class=\"wp-block-image size-large\"><figcaption class=\"wp-element-caption\"><span class=\"wp-element-caption__text\">The logo Kaspersky made for Operation Triangulation next to the L3Harris logo.<\/span><span class=\"wp-block-image__credits\"><strong>Image Credits:<\/strong> Kaspersky and L3Harris<\/span><\/figcaption><\/figure>\n<h2 class=\"wp-block-heading\">Operation Triangulation<\/h2>\n<p class=\"wp-block-paragraph\">Google researchers wrote on Tuesday that two specific Coruna exploits and underlying vulnerabilities, called Photon and Gallium by their original developers, were used as zero-days in Operation Triangulation, a sophisticated hacking campaign allegedly used against Russian iPhone users. 
Operation Triangulation was <a href=\"https:\/\/techcrunch.com\/2023\/06\/01\/kaspersky-says-attackers-hacked-staff-iphones-with-unknown-malware\/\" target=\"_blank\" rel=\"noreferrer noopener\">first revealed<\/a> by Kaspersky in 2023.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">Rocky Cole, the co-founder of iVerify, told TechCrunch that \u201cthe best explanation based on what\u2019s known right now\u201d points to Trenchant and the U.S. government being the original developers and customers of Coruna. Although, Cole added, he isn\u2019t claiming this \u201cdefinitively.\u201d<\/p>\n<p class=\"wp-block-paragraph\">That assessment, he said, is based on three factors. The timeline of Coruna\u2019s use lines up with Williams\u2019 leaks; the structure of three modules \u2014 Plasma, Photon, and Gallium \u2014 found in Coruna bears strong similarities with Triangulation; and Coruna reused some of the same exploits used in that operation.<\/p>\n<p class=\"wp-block-paragraph\">According to Cole, \u201cpeople close to the defense community\u201d claim Plasma was used in Operation Triangulation, \u201calthough there\u2019s no public evidence of that.\u201d (Cole previously worked at the U.S. National Security Agency.)<\/p>\n<p class=\"wp-block-paragraph\">According to Google and iVerify, Coruna was designed to hack iPhone models running iOS 13 through 17.2.1, released between September 2019 and December 2023. 
Those dates line up with the timeline of some of Williams\u2019 leaks and the discovery of Operation Triangulation.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">One of the former Trenchant employees told TechCrunch that when Triangulation was first revealed in 2023, other employees at the company believed that at least one of the zero-days caught by Kaspersky \u201cwere from us, and potentially \u2018ripped out\u2019 of\u201d the overarching project that included Coruna.<\/p>\n<p class=\"wp-block-paragraph\">Another breadcrumb that points to Trenchant \u2014 <a href=\"http:\/\/x.com\/craiu\/status\/2030019866963390962\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">as security researcher Costin Raiu noted<\/a> \u2014 is the use of bird names for some of the 23 tools, such as Cassowary, Terrorbird, Bluebird, Jacurutu, and Sparrow. In 2021, <a href=\"http:\/\/washingtonpost.com\/technology\/2021\/04\/14\/azimuth-san-bernardino-apple-iphone-fbi\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">The Washington Post revealed<\/a> that Azimuth, <a href=\"https:\/\/www.vice.com\/en\/article\/iphone-zero-days-inside-azimuth-security\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">one of the two startups<\/a> later acquired by L3Harris and <a href=\"https:\/\/www.l3harris.com\/all-capabilities\/trenchant#:~:text=Trenchant%E2%80%99s%20expertise%20is%20the%20byproduct%20of%20the%20L3Harris%20acquisition%20of%20two%20highly%2Dregarded%20information%20security%20businesses%20%E2%80%93%20Azimuth%20Security%20and%20Linchpin%20Labs.\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">merged into Trenchant<\/a>, had sold a hacking tool called Condor to the FBI <a href=\"https:\/\/www.vice.com\/en\/article\/azimuth-security-san-bernardino-iphone\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">in the infamous San Bernardino iPhone cracking case<\/a>.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">After Kaspersky published its research on 
Operation Triangulation, Russia\u2019s Federal Security Service (FSB) accused the NSA of hacking \u201cthousands\u201d of iPhones in Russia, targeting diplomats in particular. A Kaspersky spokesperson said at the time that the company did not have information on the FSB\u2019s claims. The spokesperson did note that \u201cindicators of compromise\u201d \u2014 meaning evidence of a hack \u2014 identified by the Russian National Coordination Centre for Computer Incidents (NCCCI) were the same ones that Kaspersky had identified.<\/p>\n<p class=\"wp-block-paragraph\">Boris Larin, a security researcher at Kaspersky, told TechCrunch in an email that \u201cdespite our extensive research, we are unable to attribute Operation Triangulation to any known [<a href=\"https:\/\/techcrunch.com\/2025\/04\/25\/techcrunch-reference-guide-to-security-terminology\/#advanced-persistent-threat-apt\" target=\"_blank\" rel=\"noreferrer noopener\">Advanced Persistent Threat<\/a>] group or exploit development company.\u201d\u00a0<\/p>\n<p class=\"wp-block-paragraph\">Larin explained that Google linked Coruna to Operation Triangulation because they both exploit the same two vulnerabilities \u2014 Photon and Gallium.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">\u201cAttribution cannot be based solely on the fact of exploitation of these vulnerabilities. All the details of both vulnerabilities have long been publicly available,\u201d and thus anyone could have taken advantage of them, he said, adding that those two shared vulnerabilities \u201care just the tip of the iceberg.\u201d\u00a0\u00a0<\/p>\n<p class=\"wp-block-paragraph\">Kaspersky never publicly accused the U.S. government of being behind Operation Triangulation. 
Curiously, the logo that the company created for the campaign \u2014 an apple logo <a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2023\/06\/01112409\/sl-operation-triangulation_featured-800x450.jpg\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">composed of several triangles<\/a> \u2014 is reminiscent of <a href=\"https:\/\/encrypted-tbn0.gstatic.com\/images?q=tbn:ANd9GcRYH_ba_AFDAY4aNMBjDgp3RZgNrqiW0HjaQQ&amp;s\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">the L3Harris logo<\/a>, and Trenchant\u2019s <a href=\"https:\/\/x.com\/TrenchantARC\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">own logo<\/a> is made of two triangles. It may not be a coincidence. Kaspersky has previously said it wouldn\u2019t attribute a hacking campaign publicly while quietly signaling that it actually knew who was behind it, or who provided the tools for it.<\/p>\n<p class=\"wp-block-paragraph\">In 2014, Kaspersky <a href=\"https:\/\/mashable.com\/archive\/kaspersky-lab-the-mask-careto\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">announced<\/a> that it had caught a sophisticated and elusive government hacking group known as \u201cCareto\u201d (Spanish for \u201cthe Mask\u201d). The company only said the hackers spoke Spanish. 
But the illustration of a mask that the company used in its report included the red and yellow colors of Spain\u2019s flag, bull\u2019s horns and nose ring, and castanets.<\/p>\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/techcrunch.com\/2025\/05\/23\/mysterious-hacking-group-careto-was-run-by-the-spanish-government-sources-say\/\" target=\"_blank\" rel=\"noreferrer noopener\">As TechCrunch revealed last year<\/a>, Kaspersky researchers had privately concluded that \u201cthere was no doubt,\u201d as one of them put it, that Careto was run by the Spanish government.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">On Wednesday, cybersecurity journalist Patrick Gray <a href=\"http:\/\/youtube.com\/watch?v=4MwR6dRixJo&amp;t=840s\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">said on an episode of his podcast Risky Business<\/a> that he thought \u2014 based on \u201cbits and pieces\u201d he was confident about \u2014 that what Williams leaked to Operation Zero was the hacking kit used in the Triangulation campaign.\u00a0\u00a0\u00a0<\/p>\n<p class=\"wp-block-paragraph\">Apple, Google, and Operation Zero did not respond to requests for comment.<\/p>\n<p class=\"wp-block-paragraph\"><em>This post was originally published on March 9 at 6:56 p.m. PT<\/em><\/p>\n<\/div>\n<p><br \/>\n<br \/><a href=\"https:\/\/techcrunch.com\/2026\/03\/10\/us-military-contractor-likely-built-iphone-hacking-tools-used-by-russian-spies-in-ukraine\/\" target=\"_blank\" rel=\"noopener\">Source link <\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>A mass hacking campaign targeting iPhone users in Ukraine and China used tools that were likely designed by U.S. military contractor L3Harris, TechCrunch has learned. The tools, which were intended for Western spies, wound up in the hands of various hacking groups, including Russian government spooks and Chinese cybercriminals. 
Last week, Google revealed that over [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":227728,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[14],"tags":[],"class_list":{"0":"post-227727","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-tech"},"_links":{"self":[{"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/posts\/227727","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/comments?post=227727"}],"version-history":[{"count":0,"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/posts\/227727\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/media\/227728"}],"wp:attachment":[{"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/media?parent=227727"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/categories?post=227727"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/tags?post=227727"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}