Kaspersky said it believed the infections began with an iMessage attachment without any user interaction, a vector similar to that used by Pegasus spyware vendor NSO Group and rivals that sell to government agencies around the world. A Kaspersky spokesperson told The Washington Post that researchers were still analyzing the campaign and did not have enough technical evidence to attribute it to anyone.
But the Federal Security Service (FSB) claimed that the effort ensnared thousands of victims, including diplomats stationed in that country; that the United States was behind it; and that the existence of the vulnerability showed that Apple had collaborated with U.S. government hackers.
Apple denied that charge, with a spokesperson proclaiming: “We have never worked with any government to insert a backdoor into any Apple product and never will.”
A Kremlin spokesman added that the government considered iPhones to be inherently unsafe.
The FSB said the hacked diplomats came from countries including China and Israel, whose foreign ministries did not respond to requests for comment.
Kaspersky said none of the impacted devices were running an operating system more recent than iOS 15.7, which was superseded in September 2022, and none of them were running in Lockdown Mode, an optional setting that reduces the number of ways that iPhones can be attacked, including by limiting the functionality of iMessage.
A high-end government spying operation would more typically take advantage of an unpublicized flaw, known as a zero-day, that works even against fully up-to-date software. The devices of diplomats and private security experts are constant targets of international spying.
The U.S. Office of the Director of National Intelligence declined to comment.
Kaspersky did not publish much that would allow Apple to figure out what vulnerability was used, and it notified the company just overnight, hours before the FSB announced its conclusions.
The security firm, which often works with Russian authorities, did publish a list of obscure websites that had been used to communicate with the infected phones, as well as technical indicators of compromise that users could use to check their own devices.
Natalia Abbakumova contributed to this report.
An earlier version of this article gave an incorrect date for when iOS 15.7 had been superseded. It was September 2022. The article has been corrected.