U.S. military contractor likely built iPhone hacking tools used by Russian spies in Ukraine


A wide hacking campaign targeting iPhone users in Ukraine and China used tools that were likely designed by U.S. defense contractor L3Harris, TechCrunch has learned. The tools, which were intended for Western spies, wound up in the hands of various hacking groups, including Russian government spooks and Chinese cybercriminals.

Last week, Google revealed that over the course of 2025, it discovered that a sophisticated iPhone-hacking toolkit had been used in a series of global attacks. The toolkit, dubbed “Coruna” by its original developer, was made of 23 different components originally used “in highly targeted operations” by an unnamed government customer of an unspecified “surveillance vendor.” It was then used by Russian government spies against a limited number of Ukrainians and eventually by Chinese cybercriminals “in broad-scale” campaigns with the goal of stealing money and cryptocurrency.

Researchers at mobile cybersecurity company iVerify, which independently analyzed Coruna, said they believed it may have been originally built by a company that sold it to the U.S. government.

Two former employees of government contractor L3Harris told TechCrunch that Coruna was, at least in part, developed by the company’s hacking and surveillance tech division, Trenchant. The two former employees both had knowledge of the company’s iPhone hacking tools. Both spoke on condition of anonymity because they weren’t authorized to talk about their work for the company.

“Coruna was definitely an internal name of a component,” said one former L3Harris employee, who was familiar with iPhone hacking tools as part of their work at Trenchant.

“Looking at the technical details,” this person said, referring to some of the evidence Google published, “so many are familiar.”


The former employee said the overarching Trenchant toolkit housed several different components, including Coruna and related exploits. Another former employee confirmed that some of the details included in the published hacking toolkit came from Trenchant.

L3Harris sells Trenchant’s hacking and surveillance tools exclusively to the U.S. government and its allies in the so-called Five Eyes intelligence alliance, which includes Australia, Canada, New Zealand, and the United Kingdom. Given Trenchant’s limited number of customers, it’s possible that Coruna was originally acquired and used by one of these governments’ intelligence agencies before falling into unintended hands, though it’s unclear how much of the published Coruna hacking toolkit was developed by L3Harris Trenchant.

An L3Harris spokesperson did not respond to a request for comment.

How Coruna went from the hands of a Five Eyes government contractor to a Russian government hacking group and then to a Chinese cybercrime gang is unclear.

But some of the circumstances appear similar to the case of Peter Williams, a former general manager at Trenchant. From 2022 until he resigned in mid-2025, Williams sold eight company hacking tools to Operation Zero, a Russian company that offers millions of dollars in exchange for zero-day exploits, meaning vulnerabilities that are unknown to the affected vendor.

Williams, a 39-year-old Australian citizen, was sentenced to seven years in prison last month, after he admitted to stealing and selling the eight Trenchant hacking tools to Operation Zero for $1.3 million.

The U.S. government said Williams, who took advantage of having “full access” to Trenchant’s networks, “betrayed” the United States and its allies. Prosecutors accused him of leaking tools that could have allowed whoever used them to “potentially access millions of computers and devices around the world,” suggesting the tools relied on vulnerabilities affecting widely used software like iOS.

Operation Zero, which was sanctioned by the U.S. government last month, claims to work exclusively with the Russian government and local companies. The U.S. Treasury claimed that the Russian broker sold Williams’ “stolen tools to at least one unauthorized user.”

That would explain how the Russian espionage group, which Google has only identified as UNC6353, acquired Coruna and deployed it on compromised Ukrainian websites so that it would hack certain iPhone users from a specific geolocation who unwittingly visited the malicious site.

It is possible that once Operation Zero acquired Coruna and possibly sold it to the Russian government, the broker then resold the toolkit to someone else, perhaps another broker, another country, or even directly to cybercriminals. The Treasury alleged that a member of the Trickbot ransomware gang worked with Operation Zero, tying the broker to financially motivated hackers.

At that point, Coruna may have passed to other hands until it reached Chinese hackers. According to U.S. prosecutors, Williams recognized code that he wrote and sold to Operation Zero later being used by a South Korean broker.

[Image: The logo Kaspersky made for Operation Triangulation next to the L3Harris logo. Image Credits: Kaspersky and L3Harris]

Operation Triangulation

Google researchers wrote on Tuesday that two specific Coruna exploits and underlying vulnerabilities, called Photon and Gallium by their original developers, were used as zero-days in Operation Triangulation, a sophisticated hacking campaign allegedly used against Russian iPhone users. Operation Triangulation was first revealed by Kaspersky in 2023.

Rocky Cole, the co-founder of iVerify, told TechCrunch that “the best theory based on what’s known right now” points to Trenchant and the U.S. government being the original developers and customers of Coruna. Although, Cole added, he isn’t claiming this “definitively.”

That assessment, he said, is based on three factors. The timeline of Coruna’s use lines up with Williams’ leaks; the combination of three modules — Plasma, Photon, and Gallium — found in Coruna bears strong similarities with Triangulation; and Coruna reused some of the same exploits used in that operation.

According to Cole, “people close to the defense community” claim Plasma was used in Operation Triangulation, “although there’s no public evidence of that.” (Cole previously worked at the U.S. National Security Agency.)

According to Google and iVerify, Coruna was designed to hack iPhone models running iOS 13 through 17.2.1, released between September 2019 and December 2023. Those dates line up with the timeline of some of Williams’ leaks and the discovery of Operation Triangulation.

One of the former Trenchant employees told TechCrunch that when Triangulation was first revealed in 2023, other employees at the company believed that at least one of the zero-days caught by Kaspersky “were from us, and possibly ‘ripped out’ of” the overarching project that included Coruna.

Another breadcrumb that points to Trenchant — as security researcher Costin Raiu noted — is the use of bird names for some of the 23 tools, such as Cassowary, Terrorbird, Bluebird, Jacurutu, and Sparrow. In 2021, The Washington Post revealed that Azimuth, one of the two startups later acquired by L3Harris and merged into Trenchant, had sold a hacking tool called Condor to the FBI in the infamous San Bernardino iPhone cracking case.

After Kaspersky published its research on Operation Triangulation, Russia’s Federal Security Service (FSB) accused the NSA of hacking “thousands” of iPhones in Russia, targeting diplomats in particular. A Kaspersky spokesperson said at the time that the company did not have information on the FSB’s claims. The spokesperson did note that “indicators of compromise” — meaning evidence of a hack — identified by the Russian National Coordination Centre for Computer Incidents (NCCCI) were the same ones that Kaspersky had identified.

Boris Larin, a security researcher at Kaspersky, told TechCrunch in an email that “despite our extensive research, we are unable to attribute Operation Triangulation to any known [Advanced Persistent Threat] group or exploit development company.”

Larin explained that Google linked Coruna to Operation Triangulation because they both exploit the same two vulnerabilities — Photon and Gallium.

“Attribution cannot be based solely on the fact of exploitation of these vulnerabilities. All the details of both vulnerabilities have long been publicly available,” and thus anyone could have taken advantage of them, he said, adding that those two shared vulnerabilities “are just the tip of the iceberg.”

Kaspersky never publicly accused the U.S. government of being behind Operation Triangulation. Curiously, the logo that the company created for the campaign — an apple logo composed of several triangles — is reminiscent of the L3Harris logo. It may not be a coincidence. Kaspersky has previously said it wouldn’t attribute a hacking campaign publicly while quietly signaling that it actually knew who was behind it, or who provided the tools for it.

In 2014, Kaspersky announced that it had caught a sophisticated and elusive government hacking group known as “Careto” (Spanish for “the Mask”). The company only said the hackers spoke Spanish. But the illustration of a mask that the company used in its report included the red and yellow colors of Spain’s flag, bull’s horns and nose ring, and castanets.

As TechCrunch revealed last year, Kaspersky researchers had privately concluded that “there was no doubt,” as one of them put it, that Careto was run by the Spanish government.

On Wednesday, cybersecurity journalist Patrick Gray said on an episode of his podcast Risky Business that he thought — based on “bits and pieces” he was confident about — that what Williams leaked to Operation Zero was the hacking kit used in the Triangulation campaign.

Apple, Google, and Operation Zero did not respond to requests for comment.

This post originally published at 6:56 p.m. PT
