Kaspersky Lab, an international cybersecurity firm based in Russia, said Apple has refused to pay a security bounty for its 2023 work in identifying a sophisticated system vulnerability potentially connected to US espionage activity.
Big tech companies commonly issue security bounties to those who help discover and address system vulnerabilities. For Apple, the bounty ranges from $5,000 to $1 million.
JOIN US ON TELEGRAM
Follow our coverage of the war on the @Kyivpost_official.
Apple did not provide a comment when contacted by tech media Recorded Future News. Dmitry Galov, head of the Russian research center at Kaspersky Lab, also said Kaspersky proposed that Apple donate the bounty to charity but this was rejected without explanation.
“We found zero-day, zero-click vulnerabilities, transferred all the information to Apple, and did a useful job. Essentially, we reported a vulnerability to them, for which they must pay a bug bounty… Apple refused to pay us, even to a charity, citing internal policies, without explanation,” Galov told Russian news outlet RTVI.
The cyber threat in question, identified by Kaspersky as “Operation Triangulation” in June 2023, is a spyware that exploited a series of obscure vulnerabilities in Apple’s ecosystem “to gain complete control over the targeted device and access user data,” according to a Kaspersky report.
Kaspersky’s CEO Eugene Kaspersky said in a blog post at the time that the threat was working discreetly, and the company started its investigations when it “detected an anomaly in [its] network coming from Apple devices.”
HUR Hacks Russian Financial Sector
He also said he was “confident” that Kaspersky was not the target of the attack, though devices of the company’s middle and top management were affected.
When Kaspersky announced the finding, Russia’s cyber agency also released a report that accused Washington of targeting Russian diplomatic personnel who use Apple devices worldwide. Ivan Kwiatkowski, then a researcher for Kaspersky, confirmed that the two incidents were related.
“In addition to domestic subscribers, cases of infection have been identified among foreign numbers and subscribers using SIM cards registered to diplomatic missions and embassies in Russia, including NATO countries and the former Soviet Union, as well as Israel, Syria and China,” read the Russian report.
A Kaspersky report issued in late December 2023 outlined a series of vulnerabilities utilized in the attack chain, particularly one categorized as CVE-2023-38606 that the company implied might require Apple insider knowledge or involvement, a notion that Apple denied.
“Our guess is that this unknown hardware feature was most likely intended to be used for debugging or testing purposes by Apple engineers or the factory, or that it was included by mistake. Because this feature is not used by the firmware, we have no idea how attackers would know how to use it.
“We are publishing the technical details, so that other iOS security researchers can confirm our findings and come up with possible explanations of how the attackers learned about this hardware feature,” read the Kaspersky report.
The authenticity of the threat was confirmed, and it has since been addressed by Apple. However, Kaspersky researcher Galov noted that the attack was not financially motivated, though he said there are not enough details to identify the source of the attack.
“The purpose of that attack was espionage. Collection of any information from devices: geolocation, cameras, microphones, files, contacts. In general, all the data that can be represented on the device.
“Developments of this level are divided into either commercial or state sponsored. Which state might be interested in this and might pay money for it is an open question. We do not have technical data to speculate on this topic,” Galov told RTVI.
You can also highlight the text and press Ctrl + Enter