Threat Actor

Operation Triangulation

operation_triangulation · unattributed_apt_nation_state_speculation · active since 2019

Operation Triangulation (the canonical Kaspersky operation name; the implant is named TriangleDB, per the Kaspersky GReAT disclosure on Securelist of June 1, 2023 by Igor Kuznetsov, Boris Larin, Leonid Bezvershenko and Georgy Kucherin) is a sophisticated state-sponsored cyber espionage campaign that Kaspersky discovered at the start of 2023 through analysis of infected employee devices at a Moscow embassy and at Kaspersky headquarters. It is one of relatively few major nation-state-tier mobile zero-click campaigns in publicly tracked industry analysis that has not been formally attributed to a specific named actor or country despite extensive forensic and technical analysis. (In June 2023 the Russian FSB claimed that US intelligence services were behind the intrusion with Apple's full knowledge and support; the claim has not been independently verified, per Computer Weekly. Kaspersky itself maintains a non-attribution stance.)

Active since at least 2019 per forensic traces: a multi-year sustained campaign predating its 2023 public discovery by about four years, consistent with state-actor-level investment in operational tempo. Its signature tradecraft is the TriangleDB memory-resident iOS implant, a Kaspersky-named implant that persists only in the smartphone's memory, is erased on reboot, and is re-deployed by the attackers via a fresh iMessage.

The implant has a four-module capability: microphone recording, iCloud Keychain extraction, theft of SQLite database data from various apps, and victim location estimation.

An additional CRConfig class with a populateWithFieldsMacOSOnly method indicates a macOS device targeting capability.

Signature four-zero-day exploit chain: CVE-2023-32434 (iOS kernel integer overflow enabling arbitrary code execution with kernel privileges), CVE-2023-32435 (WebKit browser engine arbitrary code execution), CVE-2023-38606 (iOS kernel Page Protection Layer bypass via undocumented hardware MMIO registers) and CVE-2023-41990 (FontParser exploitation of the undocumented ADJUST TrueType font instruction, which is exclusive to Apple).

Signature exploitation of undocumented Apple A12-A16 Bionic hardware registers (the cluster-defining, state-actor-tier technical achievement): the exploit writes to MMIO registers that are not described in documentation and are not used by iOS applications or by the iOS operating system itself, and thereby modifies a hardware-protected area of iOS kernel memory. Kaspersky's hypothesis is that "this mechanism was probably created to debug the processor itself".

Per experts, "very few, if any, outside of Apple and chip suppliers like ARM Holdings" could know about this feature, which suggests state-actor-level offensive cyber capability investment at the FORCEDENTRY-class tier.

Delivery is an iMessage zero-click attachment, with backuprabbit as the canonical C2 domain, and a multi-stage binary validator architecture that targets both iOS and macOS. Signature forensic-evasion tradecraft: the initial message and exploit attachment are deleted after exploitation, crash logs and database files are deleted, and the memory-only implant defeats forensic recovery after a reboot while still permitting re-infection by re-sending the iMessage. Targets are Russian-affiliated personnel, including diplomats, military officers, government officials and Kaspersky cybersecurity researchers, in Central Asia, the Middle East and Russia. (The targeting of Kaspersky may suggest a sponsor specifically interested in neutralizing Russia-headquartered threat-research capability, or it may have been incidental to a broader campaign against Russian-affiliated personnel.)

Apple patched the chain in two waves, June 21 and July 24, 2023 (iOS 15.7.7, iPadOS 15.7.7, iOS 16.5.1 and iPadOS 16.5.1, followed by the CVE-2023-38606 and CVE-2023-41990 patches). At the 37th Chaos Communication Congress in Hamburg in December 2023, Kaspersky called it "the most sophisticated attack chain" its researchers had yet seen, placing Operation Triangulation in the same tier as NSO Group's FORCEDENTRY (CVE-2021-30860) in technical sophistication.

In this curated corpus the cluster fills the sophisticated-mobile-zero-click nation-state cell, distinct from the cyber-mercenary cells (NSO Group, Candiru, Intellexa, Paragon Solutions, DarkMatter UAE and QuaDream, all curated separately). It is significant as the most recent publicly disclosed FORCEDENTRY-class iOS zero-click campaign, with sophistication comparable to or exceeding that of the cyber-mercenary vendors but without commercial attribution, indicating that nation-state offensive cyber capability tiers continue to develop beyond the commercial cyber-mercenary ecosystem.

unattributed_apt_nation_state_speculation · confidence: high · 12 aliases

Profile

Operation Triangulation (the canonical Kaspersky operation name, with the TriangleDB implant name, per the June 1, 2023 Securelist disclosure) is a sophisticated state-sponsored cyber espionage campaign discovered by Kaspersky GReAT (Igor Kuznetsov, Boris Larin, Leonid Bezvershenko and Georgy Kucherin) at the start of 2023 through analysis of infected employee devices at a Moscow embassy and at Kaspersky headquarters. It is one of relatively few major nation-state-tier mobile zero-click campaigns in publicly tracked industry analysis that has not been formally attributed to a specific named actor or country despite extensive forensic and technical analysis. It has been active since at least 2019 (per Kaspersky forensic traces), with the primary mission of intelligence collection against Russian-affiliated personnel, including diplomats, military officers, government officials and Kaspersky employees specifically, in regions including Central Asia and the Middle East.

Attribution remains publicly contested:
(a) Russian FSB attribution claim (June 2023): the Russian Federal Security Service publicly blamed US intelligence services for the operation and alleged Apple's full knowledge and support; the claim is not independently verified, per Computer Weekly and contemporaneous reporting.
(b) Kaspersky non-attribution stance: Kaspersky as an organization does not attribute, per industry norms.
(c) Operational sophistication suggests state-actor-tier sponsorship: knowledge of the undocumented Apple A12-A16 Bionic hardware MMIO registers suggests information typically available only to Apple and chip suppliers like ARM Holdings, consistent with state-actor-level offensive cyber capability investment at the FORCEDENTRY-class tier.

Operational phases:
(1) EARLIEST ACTIVITY (2019). Forensic traces go back to at least 2019 per Kaspersky analysis, a multi-year sustained campaign predating the 2023 public discovery by four years.
(2) KASPERSKY SELF-TARGETING DISCOVERY (Early 2023). Kaspersky discovered the campaign through analysis of infected employee devices at a Moscow embassy and at its headquarters.
(3) KASPERSKY CANONICAL PUBLIC DISCLOSURE (June 1, 2023). The Operation Triangulation and TriangleDB names were established.
(4) TRIANGLEDB IMPLANT TECHNICAL DISCLOSURE (June 21, 2023). Apple released the first patch wave, addressing CVE-2023-32434 and CVE-2023-32435.
(5) RUSSIAN FSB ATTRIBUTION CLAIM (June 2023). The FSB blamed US intelligence services and alleged Apple cooperation; unverified.
(6) APPLE SECOND PATCH WAVE (July 24, 2023). CVE-2023-38606 (undocumented A12-A16 hardware MMIO register exploitation) and CVE-2023-41990 (FontParser ADJUST TrueType instruction exploitation) mitigated.
(7) MULTI-STAGE VALIDATOR DISCLOSURE (October 23, 2023). Cross-platform iOS and macOS targeting capability disclosed.
(8) 37TH CHAOS COMMUNICATION CONGRESS PRESENTATION (December 2023). "Most sophisticated attack chain" yet seen; the cluster-defining undocumented Apple hardware register exploitation was documented.
(9) CONTINUED UNATTRIBUTED STATUS (2024-2026). Operation Triangulation remains publicly unattributed.

Signature operational tradecraft
  • TriangleDB memory-resident iOS implant (cluster-defining): Kaspersky-named implant that persists only in the smartphone's memory (erased on reboot; attackers re-infect via iMessage). Four-module capability: microphone recording, iCloud Keychain extraction, SQLite database data theft and victim location estimation. An additional CRConfig class with a populateWithFieldsMacOSOnly method indicates a macOS device targeting capability.
  • Signature four-zero-day exploit chain (cluster-defining): CVE-2023-32434 (iOS kernel integer overflow, kernel-privilege arbitrary code execution), CVE-2023-32435 (WebKit browser engine arbitrary code execution), CVE-2023-38606 (iOS kernel Page Protection Layer bypass via undocumented hardware MMIO registers) and CVE-2023-41990 (FontParser exploitation of the undocumented ADJUST TrueType font instruction, exclusive to Apple).
  • Undocumented Apple A12-A16 Bionic hardware register exploitation (signature unique technical achievement): cluster-defining state-actor-tier capability; the exploit writes to MMIO registers that are not described in documentation and are not used by iOS applications or the iOS operating system, and modifies a hardware-protected area of iOS kernel memory. Kaspersky's hypothesis: the mechanism was probably created to debug the processor itself. Per experts, "very few, if any, outside of Apple and chip suppliers like ARM Holdings" could know about this feature.
  • iMessage zero-click attachment delivery vector: the victim receives an invisible iMessage attachment containing the zero-click exploit, which silently opens a unique URL on the backuprabbit canonical C2 domain.
  • Multi-stage binary validator architecture: the validator implements actions for both iOS and macOS systems (cross-platform targeting capability), deletes traces of the received iMessage and loads TriangleDB.
  • Signature forensic-evasion tradecraft: the initial message and the exploit attachment are deleted after exploitation; crash logs and database files are deleted to cover the forensic trail; the memory-only implant defeats forensic recovery after a reboot but allows re-infection by re-sending the iMessage.
  • "Most sophisticated attack chain" assessment, per Kaspersky at the 37th CCC in December 2023: places Operation Triangulation in the same tier as NSO Group's FORCEDENTRY in technical sophistication.
  • Russian-affiliated personnel targeting profile: diplomats, military officers, government officials and Kaspersky cybersecurity researchers in Central Asia, the Middle East and Russia. The cluster fills the sophisticated-mobile-zero-click nation-state cell in this curated corpus, distinct from the cyber-mercenary cells (nso_group_pegasus, candiru_sourgum, intellexa_predator, paragon_solutions_graphite, darkmatter_uae_project_raven, quadream_reign, all curated separately). It is significant as the most recent publicly disclosed FORCEDENTRY-class iOS zero-click campaign, with sophistication comparable to or exceeding sibling cyber-mercenary capabilities but without commercial attribution, indicating that nation-state offensive cyber capability tiers continue to develop beyond the commercial cyber-mercenary ecosystem.

Aliases

12 aliases: operation_triangulation, operation triangulation, triangulation_operation, triangledb, triangle_db, triangle db, triangledb_implant, kaspersky moscow ios zero-click campaign, triangledb apt campaign, operation_triangulation_apt, advanced persistent threat ios zero-click 2023, ios 16 zero-click sophisticated unattributed nation state

Notable Campaigns

10 campaigns:
  • 2024-2026 · Continued Unattributed Status (2024-2026)
  • 2023 · Kaspersky Self-Targeting Discovery (Early 2023)
  • 2023 · Kaspersky Canonical Public Disclosure (June 1, 2023)
  • 2023 · Kaspersky TriangleDB Implant Technical Disclosure (June 21, 2023)
  • 2023 · Russian FSB Attribution Claim to US Intelligence Services (June 2023)
  • 2023 · Apple Second Patch Wave, CVE-2023-38606 + CVE-2023-41990 (July 24, 2023)
  • 2023 · Kaspersky Multi-Stage Validator Disclosure (October 23, 2023)
  • 2023 · Kaspersky 37th Chaos Communication Congress Presentation (December 2023)
  • 2023 · Undocumented Apple Hardware Register Exploitation (Signature Technical Achievement)
  • 2019 · Operation Triangulation Earliest Activity (2019)

Attribution & Reporting

Attributed by
  • Kaspersky GReAT (canonical June 1, 2023, June 21, 2023, October 23, 2023 and 37th Chaos Communication Congress December 2023 disclosures)
  • Igor Kuznetsov (Kaspersky researcher, canonical TriangleDB analysis)
  • Boris Larin (Kaspersky researcher, A12-A16 hardware register exploitation analysis)
  • Leonid Bezvershenko (Kaspersky researcher)
  • Georgy Kucherin (Kaspersky researcher)
  • Apple Security Research (CVE-2023-32434, CVE-2023-32435, CVE-2023-38606 and CVE-2023-41990 vulnerability advisories)
  • Russian Federal Security Service FSB (June 2023 attribution claim to US intelligence services and Apple cooperation allegation, not independently verified)
  • Paul Ducklin (Sophos principal research scientist)
  • Microsoft Threat Intelligence Center
  • Mandiant / Google Threat Intelligence Group
  • The Hacker News
  • Dark Reading
  • Computer Weekly
  • CSO Online
  • Symantec / Broadcom Threat Hunter Team

Key reporting
  • Kaspersky GReAT (Igor Kuznetsov, Boris Larin, Leonid Bezvershenko, Georgy Kucherin): Operation Triangulation, iOS devices targeted with previously unknown malware (Securelist, June 1, 2023), canonical Operation Triangulation disclosure
  • Kaspersky GReAT: Dissecting TriangleDB, a Triangulation spyware implant (Securelist, June 21, 2023), canonical TriangleDB technical analysis
  • Kaspersky GReAT: Operation Triangulation, The Last Hardware Mystery (Securelist and 37th Chaos Communication Congress, Hamburg, December 2023), canonical analysis of the undocumented Apple A12-A16 hardware MMIO register exploitation
  • Kaspersky GReAT: Multi-stage validator binary analysis (October 23, 2023)
  • Apple Security Research: CVE-2023-32434 and CVE-2023-32435 advisories (June 21, 2023; iOS 15.7.7, iPadOS 15.7.7, iOS 16.5.1, iPadOS 16.5.1)
  • Apple Security Research: CVE-2023-38606 and CVE-2023-41990 advisories (July 24, 2023)
  • Russian Federal Security Service FSB: attribution claim to US intelligence services and Apple cooperation allegation (June 2023), not independently verified
  • Paul Ducklin (Sophos principal research scientist): Operation Triangulation risk analysis
  • Microsoft Threat Intelligence Center: Operation Triangulation adjacent tracking
  • Mandiant / Google Threat Intelligence Group: Operation Triangulation operational context
  • MITRE ATT&CK: TriangleDB software entries
  • Malpedia Software Profile: TriangleDB

Operational

State sponsor

Attribution remains publicly contested; this is one of relatively few major nation-state-tier mobile zero-click campaigns in publicly tracked industry analysis that has not been formally attributed to a specific named actor or country despite extensive forensic and technical analysis. Attribution scenarios per public sourcing:

(a) Russian FSB attribution claim to US intelligence services (June 2023). Per Computer Weekly and multiple contemporaneous reports: "in June of this year [2023], the Russian federal security agency, the FSB, claimed that the US intelligence services were behind the intrusion, and operated with Apple's full knowledge and support. None of these claims have been verified." The FSB claim aligns with Russian state security service framing of the campaign as a US-sponsored offensive cyber operation against Russian targets. Apple released patches for the two zero-day vulnerabilities (CVE-2023-32434 and CVE-2023-32435) on June 21, 2023, with no acknowledgment of the FSB allegations.

(b) Kaspersky non-attribution stance. Per Kaspersky's canonical analysis: "Kaspersky rarely if ever makes firm attributions of threat activity, and has kept quiet as to who may have been behind Operation Triangulation." Kaspersky as an organization maintains a non-attribution stance consistent with its threat-research industry positioning (Kaspersky is Russian-headquartered and avoids attributing activity to Western or other state actors).

(c) Public attribution speculation. Industry analysts have speculated about nation-state attribution scenarios based on the campaign's sophistication, including its knowledge of undocumented Apple A12-A16 Bionic hardware registers; per the Wikipedia compilation: "Some experts believe that 'very few, if any, outside of Apple and chip suppliers like ARM Holdings' could know about this feature." That hardware register knowledge suggests state-actor-level offensive cyber capability investment at the tier of FORCEDENTRY-class operations.

Targeting profile per Kaspersky's disclosure:

(a) Kaspersky Moscow employees (primary discovery target). Kaspersky discovered the campaign through analysis of infected employee devices at a Moscow embassy, with Kaspersky itself becoming one of the targets at the start of 2023, which prompted the comprehensive investigation. Per Computer Weekly, deployment against Russian iOS devices suggests the campaign was specifically targeting Russian-affiliated personnel.

(b) Diplomats, military officers and government officials. Per the Wikipedia compilation: "the attacks primarily targeted high-value individuals such as diplomats, military officers, and government officials in regions including Central Asia and the Middle East."

(c) Geographic distribution. Documented infections across Central Asia and the Middle East, plus Kaspersky Moscow employees specifically, with infection traces back to at least 2019 per forensic analysis.

Capability and technical sophistication, assessed at high confidence from multiple convergent sources:

(1) Kaspersky canonical public disclosure (June 1, 2023). Kaspersky researchers disclosed Operation Triangulation on June 1, 2023, in a detailed report on the Securelist blog and a corresponding press release, describing it as an advanced persistent threat (APT) campaign that chains zero-day vulnerabilities to infect iOS devices without user interaction. The disclosure highlighted a previously unknown implant, TriangleDB, capable of extracting sensitive data such as geolocation, photos and microphone recordings.

(2) Four-zero-day exploit chain (signature). Operation Triangulation chained four undisclosed iOS zero-day vulnerabilities: CVE-2023-32434 (iOS kernel integer overflow enabling arbitrary code execution with kernel privileges), CVE-2023-32435 (WebKit browser engine arbitrary code execution), CVE-2023-38606 (iOS kernel vulnerability enabling a Page Protection Layer / memory protection bypass via undocumented hardware MMIO registers) and CVE-2023-41990 (FontParser exploitation of the undocumented ADJUST TrueType font instruction). Apple patched the chain in two waves: June 21, 2023 (CVE-2023-32434 and CVE-2023-32435, via iOS 15.7.7, iPadOS 15.7.7, iOS 16.5.1 and iPadOS 16.5.1) and July 24, 2023 (CVE-2023-38606 and CVE-2023-41990).

(3) Undocumented Apple A12-A16 Bionic hardware register exploitation (signature unique technical achievement). Per Wikipedia, Dark Reading and Kaspersky's 37th Chaos Communication Congress presentation (December 2023): "To bypass the memory protections in recent generations of Apple processors (A12-A16), the exploit for the CVE-2023-38606 kernel vulnerability uses undocumented hardware features of the processors. The exploit writes to MMIO registers, which are not described in the documentation and are not used by iOS applications or the iOS operating system itself. As a result, the exploit code can modify the hardware-protected area of the iOS kernel memory. Kaspersky researchers have suggested that this mechanism was probably created to debug the processor itself." Per Kaspersky, this was "the most sophisticated attack chain" they had yet seen, placing Triangulation in the same tier as NSO Group's FORCEDENTRY in technical sophistication.

(4) TriangleDB implant capabilities (signature). TriangleDB is a memory-resident implant (it runs only in the smartphone's memory and is erased on reboot; attackers can resend the iMessage and re-infect the victim) with four documented modules: (a) microphone recording; (b) iCloud Keychain extraction; (c) SQLite database data theft from various apps; (d) victim location estimation. The implant's CRConfig class has a populateWithFieldsMacOSOnly method, indicating that a macOS device targeting capability also exists. Initial actions include establishing communication with the C2 server, sending a heartbeat, and receiving commands to delete crash logs and database files to cover the forensic trail and hamper analysis.

(5) iMessage attachment delivery vector. The zero-click exploit chain is delivered via malicious iMessage attachments. Per Kaspersky: "in the first stage of the campaign, the victim receives the invisible iMessage attachment containing the zero-click exploit, which silently opens a unique URL on the backuprabbit domain." Successful exploitation results in the initial message and the exploit attachment being deleted (forensic-evasion tradecraft).

Classification: a nation-state-tier APT campaign with offensive cyber capability at the tier of FORCEDENTRY-class operations, distinct from the commercial cyber-mercenary clusters in this curated corpus through (a) state-actor-level sophistication, including undocumented Apple hardware register knowledge; (b) an unattributed public attribution profile; (c) targeting of Russian-affiliated personnel, including Kaspersky employees specifically (suggesting a Western or pro-Western adversary-of-Russia state sponsor if the FSB claim is accepted, or a different state sponsor entirely if it is rejected). The cluster fills the sophisticated-mobile-zero-click nation-state cell in this curated corpus, distinct from the cyber-mercenary cells, and is significant as the most recent publicly disclosed FORCEDENTRY-class iOS zero-click campaign with sophistication comparable to or exceeding sibling cyber-mercenary capabilities, but without commercial attribution.

Motivations
sophisticated_state_actor_offensive_cyber_capability_for_intelligence_collection, russian_affiliated_personnel_targeting_at_high_value_individual_tier, diplomats_military_officers_government_officials_intelligence_collection, kaspersky_employees_specific_targeting_potentially_to_neutralize_attribution_capability, undocumented_apple_hardware_register_offensive_capability_demonstration, ios_15_16_zero_click_capability_deployment, central_asia_middle_east_government_intelligence_collection, memory_resident_implant_with_forensic_evasion_tradecraft

Detection Blind Spots

60 techniques
Across this actor’s 60 mapped techniques, the share covered by each detection layer. Low bars are where you’d be blind if this actor targeted you.
  • Behavioral / log (Sigma): 54/60 · 90%
  • Analytics (MITRE CAR): 26/60 · 43%
  • Runtime / container (Falco): 9/60 · 15%
  • File / malware (YARA): 1/60 · 1%
  • Network (Suricata/Snort): 13/60 · 21%
  • Vuln scan (Nuclei): 0/60 · 0%

Atomic Test Plan

30 techniques
Runnable Atomic Red Team tests covering this actor’s mapped techniques, to validate your detections against this specific adversary. Cross-reference the blind spots above. For authorized lab / purple-team use.

Tools Used

0 mapped
Other tooling / TTPs (curation, not ATT&CK-mapped):
  • MEMORY-ONLY IMPLANT ERASED ON REBOOT DEFEATS FORENSIC RECOVERY
  • MMIO REGISTERS NOT DESCRIBED IN DOCUMENTATION
  • MODULE 1 MICROPHONE RECORDING
  • MODULE 2 ICLOUD KEYCHAIN EXTRACTION
  • MODULE 3 SQLITE DATABASE DATA THEFT
  • MODULE 4 VICTIM LOCATION ESTIMATION
  • SILENTLY OPENS UNIQUE URL ON BACKUPRABBIT DOMAIN
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin