🔥 Check out this awesome post from TechCrunch 📖
📂 **Category**: Security,Apple,Google,hackers,hacking,russia,espionage,cybersecurity,cybercrime,iverify,Darksword,Coruna
A group of hackers suspected of working at least in part for the Russian government has targeted iPhone users in Ukraine with a new set of hacking tools designed to steal their personal data, as well as potentially steal cryptocurrencies, according to cybersecurity researchers.
Researchers at Google and security firms iVerify and Lookout analyzed new cyberattacks against Ukrainians launched by a group identified only as UNC6353. Researchers at the hacked websites have looked into a hacking campaign they say is linked to one discovered earlier this month. This latest campaign used a hacking toolkit that the companies called Darksword.
The Darksword discovery, which comes on the heels of the discovery of a similar hacking toolkit, suggests that advanced, stealthy and powerful iPhone spyware may not be as rare as previously thought. Even then, Darksword only targeted users in Ukraine, implying some restraint in what could have been a large-scale hacking campaign targeting users around the world.
In early March, Google revealed details of an advanced iPhone hacking toolkit called Coruna. The search giant said the tool was used first by a government client of a surveillance technology vendor, then by Russian spies targeting Ukrainians, and finally by Chinese cybercriminals looking to steal cryptocurrencies. As TechCrunch later revealed, the hacking toolkit was originally developed at the American defense company L3Harris, in particular by its hacking and surveillance technology division Trenchant.
Coruna was originally designed for use by Western governments, particularly those part of the so-called Five Eyes intelligence alliance, which consists of Australia, Canada, New Zealand, the United States and the United Kingdom, according to former L3Harris employees with knowledge of the company’s iPhone hacking tools.
Now, researchers say they have discovered a related campaign using newer hacking tools that exploit various vulnerabilities.
The Darksword toolkit, according to researchers, is designed to steal personal information such as passwords; pictures; WhatsApp, Telegram, and text messages; and browser history. Interestingly, Darksword was not designed for constant surveillance, but rather to infect victims, steal information, and quickly disappear.
“The duration Darksword remains on the device likely ranges from minutes, depending on the amount of data it detects and outputs,” Lookout researchers wrote.
For Rocky Cole, co-founder of iVerify, the most likely explanation is that the hackers were interested in learning about the victims’ lifestyle, which did not require them to conduct constant surveillance, but rather a smash-and-grab operation.
Darksword was also designed to steal cryptocurrencies from popular wallet apps, which is unusual for a suspected government hacking group.
“This may indicate that this threat actor is financially motivated, or may alternatively indicate that this (potentially) Russian state-aligned activity has expanded into financial theft targeting mobile devices,” Lookout wrote in its report.
But, Cole told TechCrunch, there was no evidence that the Russian hacking group was actually interested in stealing cryptocurrencies, just that it was possible to use malware to do so.
The malware was built to be modular, making it easy to add new functionality, which shows it was professionally designed, according to Lookout. Cole said he believes it is possible that the same person who sold Coruna to the Russian government hacking group also sold Darksword.
As for who was behind Darksword, according to Cole, “all signs point to the Russian government,” while Lookout said it was the same group that used Coruna against the Ukrainians, and is also a suspected Russian government group.
“UNC6353 is a well-funded and connected threat actor that conducts attacks for financial gain and espionage in line with Russian intelligence requirements,” Justin Albrecht, principal security researcher at Lookout, told TechCrunch. “We believe it can be proven that UNC6353 is likely a Russian criminal agent, given the dual purpose of financial theft and intelligence gathering.”
As for the victims, Cole said the malware is designed to infect anyone who visits certain Ukrainian websites, as long as they visit them from within Ukraine, so it was not a particularly targeted campaign.
🕒 **Posted on**: 1773904867
