Following up on its first profile of the group back in October, anti-virus and cloud security firm Trend Micro has found that those behind the ‘Operation Pawn Storm’ espionage group have been using spyware against iOS devices to track economic, political, military, government and media targets, stealing personal data and monitoring telephone conversations.
The spyware is related to the SEDNIT malware family previously found on Windows systems and is delivered through two malicious iOS apps, XAgent and MadCap. Crucially, it represents a change of tactics for the attackers.
Rather than attempt to install the malware directly onto the target's device, they look to target their acquaintances, or “pawns” as Trend Micro calls them.
The XAgent app has no visible icon on iOS 7 and restarts immediately if an attempt is made to kill its process. On the more recent iOS 8, however, it is easier to spot: the app's icon is clearly visible and it does not restart automatically if shut down. Crucially, XAgent can run on non-jailbroken devices.
The other spyware app, MadCap, carries the same name as a legitimate iOS game. It is similar to XAgent but is focused on recording audio, and it can only be installed on jailbroken devices. Between them, the two apps can collect everything from text messages, contact lists and photos to geolocation data and lists of running processes and installed apps.
Having collected this information, the spyware sends it back to the remote command and control (C&C) server, which remains active at the time of writing.
It is unclear exactly how the devices get infected, although one lure asks the user to “tap here to install application” – outside of the App Store. Trend Micro researchers say the espionage group could then use Apple's ad hoc app provisioning system – often used to distribute apps to developers and small enterprise teams without going through the App Store – to push the spyware onto other devices.
The firm added that a user could also be infected by connecting their iPhone via USB to a compromised or infected Windows laptop, while other Trend Micro staff pointed to phishing emails and social engineering as further routes in for the attacker.
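As an added illustration of the ad hoc provisioning route described above (example code written for this page, not Trend Micro's tooling), the following Python script triages a provisioning profile pulled out of an IPA (the embedded.mobileprovision file) and reports whether it is an App Store, ad hoc, enterprise or development profile, and therefore whether an app signed with it can be installed without passing through the App Store. The sample profile, its team name, app ID, UDID and expiry date are constructed; the keys it reads (ProvisionedDevices, ProvisionsAllDevices, get-task-allow, ExpirationDate) are the standard ones Apple writes into profiles.

```python
"""Triage an iOS provisioning profile (embedded.mobileprovision) by distribution type."""
import plistlib
from datetime import datetime, timezone
from typing import Optional

# Constructed sample: the XML plist that a CMS-signed .mobileprovision wraps.
# Team name, app ID, UDID and expiry are invented for illustration.
SAMPLE_AD_HOC_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>AppIDName</key><string>Example App</string>
  <key>TeamName</key><string>Example Team</string>
  <key>ExpirationDate</key><date>2030-01-01T00:00:00Z</date>
  <key>ProvisionedDevices</key>
  <array><string>00000000000000000000000000000000000000aa</string></array>
  <key>Entitlements</key>
  <dict>
    <key>application-identifier</key><string>ABCDE12345.com.example.app</string>
    <key>get-task-allow</key><false/>
  </dict>
</dict>
</plist>
"""


def extract_plist(raw: bytes) -> bytes:
    """Slice the XML plist out of a .mobileprovision blob.

    A profile is a CMS (PKCS#7) signature whose signed content is a plain
    XML plist, so the plist can be located by its markers without an ASN.1
    parser. This skips signature verification; on macOS
    `security cms -D -i profile.mobileprovision` both verifies and decodes.
    """
    start = raw.find(b"<?xml")
    end = raw.find(b"</plist>")
    if start == -1 or end == -1 or end < start:
        raise ValueError("no XML plist found in profile")
    return raw[start:end + len(b"</plist>")]


def build_profile(expiry_year: int = 2030, **fields) -> bytes:
    """Constructed helper: serialise a minimal profile plist with overrides."""
    profile = {
        "AppIDName": "Example App",
        "TeamName": "Example Team",
        "ExpirationDate": datetime(expiry_year, 1, 1),
        "Entitlements": {"application-identifier": "ABCDE12345.com.example.app",
                         "get-task-allow": False},
    }
    profile.update(fields)
    return plistlib.dumps(profile)


def classify_profile(raw: bytes, now: Optional[datetime] = None) -> dict:
    """Report how an app signed with this profile can be installed."""
    profile = plistlib.loads(extract_plist(raw))
    entitlements = profile.get("Entitlements", {})
    devices = profile.get("ProvisionedDevices", [])
    if profile.get("ProvisionsAllDevices"):
        kind = "enterprise"    # in-house distribution: installs on any device
    elif devices and entitlements.get("get-task-allow"):
        kind = "development"   # debuggable build, tied to the listed UDIDs
    elif devices:
        kind = "ad-hoc"        # release build, tied to the listed UDIDs
    else:
        kind = "app-store"     # no device list and not enterprise
    # plistlib returns naive UTC datetimes, so compare against naive UTC now.
    now = now or datetime.now(timezone.utc).replace(tzinfo=None)
    expires = profile.get("ExpirationDate")
    return {
        "kind": kind,
        "team": profile.get("TeamName"),
        "app_id": entitlements.get("application-identifier"),
        "device_count": len(devices),
        "expired": bool(expires and expires < now),
        # Anything but an App Store profile lets the app be installed
        # without going through Apple's store review.
        "outside_app_store": kind != "app-store",
    }


if __name__ == "__main__":
    for label, blob in [
        ("ad hoc (XML sample)", SAMPLE_AD_HOC_PROFILE),
        ("enterprise", build_profile(ProvisionsAllDevices=True)),
        ("app store", build_profile()),
    ]:
        print(label, classify_profile(blob))
```

An ad hoc profile only works on the UDIDs listed in ProvisionedDevices, so an attacker using that route needs the victim's device identifier; an enterprise profile (ProvisionsAllDevices) installs on any device, which is why a profile of that kind in an app that never came from the App Store deserves a closer look during triage.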
Veteran security researcher Graham Cluley says that users, particularly those in enterprise, should beware unusual communications on their iOS devices.
“As always, if you feel that your organisation may be at risk, be sure to remind your users to be on their guard against unusual communications, and to be extremely wary of any messages encouraging them to install apps onto their devices,” he wrote on the Intego website.
“Ensure that you are running up-to-date software on your gateways, and on your desktops and laptops, to reduce the chances of a hack being successful.”
Speaking to SCMagazineUK.com earlier today, Steve Santorelli, director of intelligence and outreach at Team Cymru, said that the malware is disciplined, but easier to spot on more recent versions of Apple's iOS mobile operating system.
“It's disciplined and very capable but it's relatively easy to spot on the latest version of your iPhone software, at least as far as the version seen is concerned. One of the versions Trend analysed will only work on jailbroken phones,” he said via email.
“It also hides traffic in port 80 (http, web traffic) and it also does a few other tricks to camouflage itself so once it's on your iOS 7 iPhone, you're in serious trouble.
“The further down side is that it's easy to get infected by simply clicking on a link or perhaps just connecting it to an infected Windows machine with a USB cable: although it's important to remember that the targets are not necessarily and specifically the average person in the street.”
He added that the threat was ‘novel’ and dangerous, but said that users could mitigate the risk by patching software, adding security software and understanding the risks of jailbreaking. “It can broaden your exposure to malware risks unless you are very careful.”
Trend Micro continues its research into Operation Pawn Storm, which has been linked to the Russian government.
Back in October, the firm indicated that the group had targeted several high-profile establishments, including the US Department of State, the ministries of defence of France and Hungary, Polish government employees and US defence contractor ACADEMI (formerly Blackwater).
Fellow security company FireEye is also believed to have identified the group, albeit under a different name, ‘APT28’, and says that it has been active since 2007. Towards the end of last year, the firm said that the group was carrying out “long-standing, focused operations that indicate a government sponsor – specifically, a government based in Moscow”.
Since then, the cyber-espionage group is said to have attacked the Polish and Hungarian governments, Georgia's Ministries of Defence and Internal Affairs, and western targets such as NATO and the Organisation for Security and Co-operation in Europe (OSCE).