Apple has refused to pay a bug bounty to Russian cybersecurity firm Kaspersky Lab

Apple has refused to issue a bug bounty to Russian cybersecurity firm Kaspersky Lab after revealing four zero-day vulnerabilities in iPhone software that were allegedly used to spy on Kaspersky employees as well as Russian diplomats.

A Kaspersky Lab spokesperson told Recorded Future News that the company’s research team believes their work is “eligible for Apple’s Bug Bounty awards. However, when we were asked about it, we were denied by Apple’s security team, citing the special policy.”

Apple had no comment when contacted by Recorded Future News.

Bug bounties are a common way for companies to encourage researchers to disclose vulnerabilities to them, rather than monetize them by selling them to malicious actors who can exploit them.

Kaspersky publicly disclosed an alleged highly sophisticated spying campaign last year, with the company’s CEO and namesake Eugene Kaspersky describing it as an “extremely sophisticated, professionally targeted cyberattack” affecting “several dozen iPhones of company employees — both senior and middle management.”

Operation Triangulation, as the spying campaign was called, was “by far the most complex chain of attacks we’ve ever seen,” Kaspersky researchers said, explaining it included 13 separate points.

Due to the complexity of the way the vulnerabilities were exploited and the limited targeting of the attackers – looking for intelligence material, not financial details – it is suspected to be state-sponsored.

On the same day as the Kaspersky disclosure, Russia’s Federal Security Service (FSB) accused the United States and Apple of colluding to allow the US to spy on Russian diplomats.

The FSB has provided few public details about the alleged operation involving diplomats, but Russia’s computer security agency separately said the compromise indicators of the two campaigns were the same.

The key issue potentially indicating collaboration was a vulnerability tracked as CVE-2023-38606. According to Kaspersky, this affected a particularly unusual hardware feature that wasn’t actually used by any iOS firmware. As such, the researchers speculate that it may have been intended for debugging or testing purposes, or was included in the iPhone’s operating system by mistake.

“We don’t know how the attackers learned to use this unknown hardware feature or what its original purpose was. Nor do we know whether it was developed by Apple or a third-party component,” Kaspersky said.

At the time, an Apple spokesperson disputed accusations that it colluded with a country to enable spying on its customers, saying: “We have never worked with any government to insert a backdoor into any Apple product and we never will.”

Once bitten, twice shy

The allegation that Apple has refused to pay a bounty for Kaspersky’s findings comes amid a heightened period of antagonism between the United States and the Russian Federation following Moscow’s all-out invasion of Ukraine.

In a statement in March, Apple said: “We are deeply concerned about the Russian invasion of Ukraine and stand with all the people who are suffering as a result of the violence.”

The American multinational announced that, as a result of the invasion, it was suspending all product sales in Russia and removing the apps of state-controlled media organizations from its App Store, as well as restricting access to services such as Apple Pay for existing customers.

Although Kaspersky has not been specifically sanctioned in the United States in connection with the conflict in Ukraine, the Department of Homeland Security previously banned its products for government use on security grounds, citing the level of control that antivirus software requires over a computer and the risks attached to that control for a company based in Russia.

Kaspersky has also been accused of allowing the FSB to use its anti-virus software to scan computers for intelligence material, although no public evidence of this has been produced. Kaspersky has denied the claims, saying that if its team ever finds classified material, it orders the material deleted immediately.

Speaking to Russian-language media agency RTVI, Kaspersky’s head of research, Dmitry Galov, said that typically cybersecurity companies like Kaspersky nominate a charity to receive the Apple Bug Bounty program funds, rather than collecting the proceeds themselves.

He added that although Kaspersky was convinced the attacker was state-sponsored, he and his research team did not have the technical data needed to identify which country might be behind the attack.

A Kaspersky spokesman did not say whether it had nominated a charity when it initially contacted Apple, or whether the company’s refusal to issue an award would affect its decision to disclose vulnerabilities found in the future.
