Google’s Project Zero security research team reported that it uncovered an “indiscriminate” hacking operation that targeted iPhones for at least two years to gain access to personal files, messages and real-time location data. According to Motherboard, it could be one of the largest attacks conducted against iPhone users. Or is it? New developments indicate that the campaign affected more platforms than Project Zero initially described.
The operation, which used a group of compromised websites in what is known as a watering hole attack, was first discovered by Google’s Threat Analysis Group (TAG). In a watering hole attack, the attacker compromises websites that the intended victims are known to visit, so that the victims’ own browsing delivers the malware to their devices. In this case, Project Zero reported that the exploit server did not discriminate between visitors: anyone who loaded the page was attacked.
On Thursday, August 29, Project Zero’s Ian Beer revealed in a blog post that “Simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant.” The team did not, however, name the specific websites. Project Zero and TAG found exploits for 14 security flaws, covering everything from the iPhone’s web browser to its kernel, the core of the operating system. At least one of the exploits was a zero-day, meaning the flaw was unpatched at the time of discovery.
The exploit chains installed an implant that, according to Beer, “primarily focused on stealing files and uploading live location data,” including the message databases of end-to-end encrypted messengers such as Telegram, WhatsApp and iMessage. End-to-end encryption protects messages in transit, not on a device the attacker already controls, so the implant could simply read the decrypted copies stored on the phone. The implant uploaded the collected data to a command-and-control server every 60 seconds. Exploit chains were found for every iPhone operating system from iOS 10 through the current iOS 12, which the researchers say indicates that the attackers had been working to compromise users’ phones for at least two years.
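An implant that phones home on a fixed 60-second schedule leaves a signature that defenders can hunt for in proxy or flow logs even when the destination domain is unknown: one client talking to one destination at a near-constant interval. The script below is an added example written for this article, not code from Project Zero or from the campaign; the log lines, IP addresses and the `.invalid` destination host are constructed for illustration, and the 10% jitter threshold and five-event minimum are arbitrary tuning choices, not values from the research.

```python
"""Flag periodic beaconing in a connection log (added example, constructed data).

Groups connections by (source IP, destination host), computes the gaps
between consecutive connections, and reports pairs whose gaps are nearly
constant. An implant uploading every 60 seconds shows up as a pair with a
mean interval near 60 and very low relative jitter; ordinary browsing does not.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: "<ISO timestamp> <src_ip> <dst_host> <bytes_out>".
# 10.0.0.5 -> sync.c2-placeholder.invalid mimics a 60-second beacon with
# small jitter; the other lines mimic irregular, benign browsing.
SAMPLE_LOG = """\
2019-08-29T10:00:00 10.0.0.5 sync.c2-placeholder.invalid 4096
2019-08-29T10:00:05 10.0.0.7 www.example.com 812
2019-08-29T10:00:09 10.0.0.7 www.example.com 640
2019-08-29T10:00:30 10.0.0.5 www.example.com 910
2019-08-29T10:01:01 10.0.0.5 sync.c2-placeholder.invalid 5120
2019-08-29T10:01:59 10.0.0.5 sync.c2-placeholder.invalid 3072
2019-08-29T10:02:40 10.0.0.7 www.example.com 1200
2019-08-29T10:03:00 10.0.0.5 sync.c2-placeholder.invalid 4096
2019-08-29T10:04:02 10.0.0.5 sync.c2-placeholder.invalid 4608
2019-08-29T10:04:59 10.0.0.5 sync.c2-placeholder.invalid 4096
2019-08-29T10:05:10 10.0.0.7 www.example.com 700
2019-08-29T10:05:12 10.0.0.7 www.example.com 690
2019-08-29T10:06:00 10.0.0.5 sync.c2-placeholder.invalid 3584
2019-08-29T10:07:01 10.0.0.5 sync.c2-placeholder.invalid 4096
2019-08-29T10:07:30 10.0.0.5 www.example.com 880
2019-08-29T10:09:30 10.0.0.7 www.example.com 1100
"""


def parse_log(text):
    """Return {(src_ip, dst_host): [sorted datetimes]} from the log text."""
    events = defaultdict(list)
    for line in text.strip().splitlines():
        ts, src, dst, _bytes_out = line.split()
        events[(src, dst)].append(datetime.fromisoformat(ts))
    for key in events:
        events[key].sort()
    return dict(events)


def detect_beacons(events, min_events=5, max_jitter_ratio=0.10):
    """Return pairs whose inter-connection gaps are nearly constant.

    jitter = population stddev of gaps / mean gap. A real beacon with a
    fixed sleep has a jitter well under max_jitter_ratio; bursty human
    browsing produces a ratio close to or above 1.0.
    """
    findings = []
    for (src, dst), times in events.items():
        if len(times) < min_events:
            continue  # too few connections to judge periodicity
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # duplicate timestamps only; nothing periodic to measure
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter_ratio:
            findings.append({
                "src": src,
                "dst": dst,
                "count": len(times),
                "mean_interval_s": round(avg, 2),
                "jitter": round(jitter, 3),
            })
    return sorted(findings, key=lambda f: f["jitter"])


if __name__ == "__main__":
    for finding in detect_beacons(parse_log(SAMPLE_LOG)):
        print(finding)
```

A hit from this check is a lead, not a verdict: a page with a 60-second auto-refresh or a legitimate sync client produces the same shape, so the destination should be checked against threat intelligence (here, the list of compromised sites, had it been published) before anyone is paged.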
Despite the impression left by Project Zero’s post that the attack targeted only iPhone users, newly reported information indicates otherwise. TechRadar reported that, according to sources speaking to Forbes, the attacks may in fact have been part of a long-running campaign originating from China. The sources also said that the hacked websites targeted devices used by the Uighur Muslim ethnic group in the country as part of a crackdown by the Chinese state. The attackers ensured that specific users would be hit by using Uighur-interest sites to draw in victims from the region. In recent years, Uighurs have been subjected to intense surveillance by Chinese authorities, particularly across Xinjiang province; recent figures from a United Nations human rights committee indicate that over a million Uighurs have been detained. One source told TechCrunch that the attacks also affected non-Uighurs who inadvertently visited these domains because they were indexed in Google search, which led the FBI to alert Google and ask for the sites to be removed from its index to prevent further infections.
Not only that, but the sources also claimed that Google’s own Android operating system and Microsoft Windows PCs were targeted in the campaign through the same websites as iOS, a scope well beyond what the security researchers disclosed. While Project Zero did not rule out the possibility that other operating systems were affected, the fact that it mentioned only the iPhone’s vulnerabilities led the public to believe initially that no other platforms were targeted.
According to TechCrunch, a Google spokesperson would not comment beyond the published research, so it is still unclear whether Google knew, or disclosed to anyone, that the websites were also targeting other operating systems. An FBI spokesperson said they could neither confirm nor deny any investigation and did not comment further. According to Forbes, a Microsoft spokesperson stated that “Google Project Zero was very specific in its blog post that the recently publicized attacks used unique iPhone exploits and they have not disclosed similar information to us” and that “Microsoft has a strong commitment to investigate reported security issues and, should new information be disclosed, we will take appropriate action as needed to help keep customers protected.”
This new information paints a substantially different picture from Project Zero’s initial post. The researchers’ post implied an attack on iPhone users in general, when in reality it appears to be part of a different story: China’s surveillance of the Uighurs. No less worrying, this revelation shifts the spotlight away from Apple, on whose iPhone vulnerabilities Project Zero’s blog post focused exclusively. Only time will reveal the full, objective picture.