upvote

points

by happyopossum4 hours ago |
comments
upvoteby tptacek3 hours ago|
next
[-]
The Google threat analysis report doesn't say anything about USG involvement; that it was found on compromised Ukrainian sites, has code written in "native English", but also signs of LLM authorship. The Google report says the kit they found can't compromise current iOS, which is a capability you'd assume USG would have --- though it's important remember that "USG" comprises dozens of different buyers each with different toolchains.

Maybe this was the Fisheries Department exploit toolkit.

iVerify, which spun out of Trail of Bits and presumably knows what they're talking about, says it bears "hallmarks" of being connected to USG CNE work. I believe it. But the USG is on net a buyer, not a producer, of CNE tooling. Whatever a given service agency or IC arm buys, dozens of other aligned countries are also buying.

(And, of course, the non-aligned countries have their own commercial supply chains).

reply
upvoteby bri3d3 hours ago|
parent|
next
[-]
I don't think the ancient nature of the exploit chain has much bearing on the origin. I think it points away from the actual 2025 campaigns being USG-attached, but I don't think anyone was suggesting that to start with - the Google report makes it pretty clear that they believe the same code was resold to several parties, either in parallel or sequentially, around this time frame.

I think the notion here is that either:

* There's a shared upstream origin or author between this toolkit and the Operation Triangulation toolkit ahead of the use in Operation Triangulation (ie - someone sold this chain to both the Operation Triangulation authors and a third party). I actually think that the uses of specifically structured code-names internally and the overall structure of the codebase described in the Google writeup make this theory less likely; building an exploit toolkit while using these practices to cosplay as a US-government affiliated engineer would be clever and fun, but it's not something we've really seen before.

* This toolkit originated from (whether it was leaked, compromised, or resold) the same actor who was responsible for Operation Triangulation.

reply
upvoteby tptacek2 hours ago|
parent|
[-]
Right, I agree with you; my thing is mostly just differentiating between CNE enablement packages the USG itself creates vs CNE enablement packages that are on offer to every USG-aligned country, of which there are a bunch.
reply
upvoteby tennex17 minutes ago|
parent|
prev|
[-]
> Maybe this was the Fisheries Department exploit toolkit.

buried lede, but hilarious

reply
upvoteby dang3 hours ago|
prev|
next
[-]
The title limit is 80 chars, if anyone wants to figure out a decent way to squeeze possibility back in there.
reply
upvoteby irishcoffee3 hours ago|
parent|
next
[-]
A US Govt iPhone-hacking suite is now possibly in criminal hands

15 chars to spare!

reply
upvoteby dang3 hours ago|
parent|
[-]
I think the "possibly" is supposed to mean "possibly produced by the US government"
reply
upvoteby irishcoffee3 hours ago|
parent|
[-]
Good point.
reply
upvoteby alwa3 hours ago|
parent|
prev|
[-]
“Possible US-Gov-made iPhone-hacking toolkit is now in foreign and criminal hands“ ?
reply
upvoteby dang3 hours ago|
parent|
[-]
We try to avoid abbreviations if possible. You spurred me to take another crack at it and I think it worked this time? Happy to edit again if not...
reply
upvoteby Simulacra3 hours ago|
prev|
next
[-]
Good point, that was also struck by the comment that it's infected "tens of thousands" phones. That's a minuscule rounding error.
reply
upvoteby aaron6953 hours ago|
prev|
[-]
[dead]
reply