Russia-linked hackers used new Darksword tool to hack Ukrainians’ iPhones, stealing data then vanishing
Researchers from Google, together with security firms iVerify and Lookout, have analysed new cyberattacks against Ukrainians carried out by a hacker group identified as UNC6353 that is suspected of links to the Russian government. The campaign used a new tool called Darksword, exclusively targeting users in Ukraine.
Source: TechCrunch, an American global online newspaper about high-tech and startup companies
Details: According to the researchers, Darksword was designed to steal personal data such as passwords, photos, WhatsApp and Telegram messages, as well as browsing history. The tool was not intended for long-term surveillance, but rather to infect people's devices, extract the required information and then quickly disappear. The entire process took just a few minutes, depending on the volume of data targeted.
Darksword is also capable of stealing cryptocurrency from popular software wallets. However, there is currently no evidence that the hacker group actually carried out cryptocurrency theft – only that it had the technical capability to do so.
"This may indicate that this threat actor is financially motivated, or alternatively it may indicate that this likely Russian, state-aligned activity has expanded into financial theft targeting mobile devices," Lookout said in its report.
In early March, Google and iVerify reported on an iPhone hacking toolkit called Coruna. It was initially used on behalf of a US government client, then by Russian spies against Ukrainians, as well as by Chinese cybercriminals attempting to steal cryptocurrency. Apple later patched the vulnerability.
Darksword was built with a modular architecture, allowing new functions to be added easily, which researchers say points to a professional design. They believe the same people who sold Coruna to a Russian government-linked hacking group also sold Darksword. The new software was used by the same group, UNC6363. It targeted only users located in Ukraine and certain Ukrainian websites, indicating the operation's highly focused nature.