iPhone hacking tools a US defence contractor is suspected of creating were later used by Russian spies in Ukraine

Reports suggest a US military contractor may have developed iPhone hacking tools that were later used by Russian spies targeting devices during the war in Ukraine.

Mar 10, 2026 - 20:09
A large-scale hacking campaign targeting iPhone users in Ukraine and China relied on tools likely originally developed by U.S. defence contractor L3Harris. Those tools, which appear to have been intended for Western intelligence services, eventually ended up being used by multiple hacking groups, including Russian state operatives and Chinese cybercriminals.

Last week, Google disclosed that it had uncovered a sophisticated iPhone exploitation toolkit during 2025, used in a series of attacks worldwide. The toolkit, called “Coruna” by its original developer, consisted of 23 separate components and was first deployed “in highly targeted operations” by an unnamed government client of an unspecified “surveillance vendor.” According to Google, it was later used by Russian government spies against a small number of Ukrainians and then by Chinese cybercriminals in “broad-scale” operations aimed at stealing money and cryptocurrency.

Researchers at mobile cybersecurity firm iVerify, which carried out its own analysis of Coruna, said they believed the toolkit may originally have been developed by a company that later sold it to the U.S. government.

Two former employees of government contractor L3Harris said Coruna was, at least in part, built by the company’s hacking and surveillance division, Trenchant. Both former employees had direct knowledge of the company’s iPhone exploitation tools. They spoke on condition of anonymity because they were not authorised to discuss their former work.

“Coruna was definitely an internal name of a component,” said one former L3Harris employee who had been familiar with iPhone hacking tools as part of their job at Trenchant.

“Looking at the technical details,” that person said, referring to some of the evidence Google published, “so many are familiar.”

The former employee said the broader Trenchant toolkit included multiple components, among them Coruna and related exploits. A second former employee also confirmed that some of the details included in the published hacking toolkit appeared to come from Trenchant.

L3Harris sells Trenchant’s surveillance and hacking tools exclusively to the U.S. government and to its allies in the so-called Five Eyes intelligence alliance, which includes Australia, Canada, New Zealand, and the United Kingdom. Because Trenchant has such a limited customer base, it is possible that Coruna was first acquired and used by one of those governments’ intelligence services before later ending up in unintended hands. Even so, it remains unclear how much of the Coruna toolkit, which was later published and analysed, was actually developed by L3Harris Trenchant.

An L3Harris spokesperson did not respond to a request for comment.

A globe-spanning iPhone hacking toolkit

Exactly how Coruna moved from a Five Eyes government contractor into the hands of a Russian state-linked hacking group, and later a Chinese cybercrime operation, remains unknown.

But some aspects of the case appear similar to what happened with Peter Williams, a former general manager at Trenchant. Between 2022 and his resignation in mid-2025, Williams sold eight company hacking tools to Operation Zero, a Russian company known for offering millions of dollars for zero-day exploits, meaning vulnerabilities unknown to the software vendor affected by them.

Williams, a 39-year-old Australian citizen, was sentenced to seven years in prison last month after admitting that he stole and sold the eight Trenchant hacking tools to Operation Zero in exchange for $1.3 million.

The U.S. government said Williams, who had “full access” to Trenchant’s internal networks, had “betrayed” both the United States and its allies. Prosecutors said he leaked tools that could have allowed whoever used them to “potentially access millions of computers and devices around the world,” suggesting the tools depended on vulnerabilities affecting widely used software such as iOS.

Operation Zero, which was sanctioned by the U.S. government last month, says it works exclusively with the Russian government and Russian companies. The U.S. Treasury said the Russian broker sold Williams’ “stolen tools to at least one unauthorised user.”

That could explain how the Russian espionage group Google tracks as UNC6353 obtained Coruna and deployed it on compromised Ukrainian websites, so that certain iPhone users in a specific geographic area would be hacked if they unknowingly visited the malicious pages.

It is possible that after acquiring Coruna, and potentially passing it to the Russian government, Operation Zero may also have resold the toolkit elsewhere — perhaps to another broker, another government, or even directly to cybercriminals. The Treasury has alleged that a member of the Trickbot ransomware gang worked with Operation Zero, linking the broker to financially motivated threat actors.

At that point, Coruna may have changed hands multiple times before ultimately falling into the hands of Chinese hackers. According to U.S. prosecutors, Williams later recognised code he had written and sold to Operation Zero being used by a South Korean broker.

Operation Triangulation

Google researchers said Tuesday that two specific Coruna exploits and their underlying vulnerabilities, known as Photon and Gallium by their original developers, were used as zero-days in Operation Triangulation, the highly sophisticated campaign allegedly targeting Russian iPhone users. Operation Triangulation was first disclosed by Kaspersky in 2023.

Rocky Cole, co-founder of iVerify, said that “the best explanation based on what’s known right now” points to Trenchant and the U.S. government as the original developers and users of Coruna. He stressed, however, that he was not claiming this “definitively.”

Cole said that the view is based on three factors. First, the timeline of Coruna’s apparent use aligns with the period when Williams was leaking tools. Second, the structure of three modules — Plasma, Photon, and Gallium — found within Coruna shows strong similarities to Operation Triangulation. Third, Coruna reused some of the same exploits that were seen in that campaign.

According to Cole, “people close to the defence community” have said Plasma was used in Operation Triangulation, though he noted that “there’s no public evidence of that.” Cole previously worked at the U.S. National Security Agency.

Google and iVerify both said Coruna was built to hack iPhone models running iOS 13 through iOS 17.2.1, versions released between September 2019 and December 2023. Those dates line up with both the timing of some of Williams’ leaks and the discovery of Operation Triangulation.

One of the former Trenchant employees said that when Operation Triangulation became public in 2023, other people inside the company believed at least one of the zero-day vulnerabilities Kaspersky had found “were from us, and potentially ‘ripped out’ of” the broader internal project that included Coruna.

Another clue pointing toward Trenchant, as security researcher Costin Raiu has noted, is the use of bird names for several of the 23 tools, including Cassowary, Terrorbird, Bluebird, Jacurutu, and Sparrow. In 2021, The Washington Post reported that Azimuth, one of two startups later acquired by L3Harris and merged into Trenchant, had sold a hacking tool named Condor to the FBI in the high-profile San Bernardino iPhone case.

After Kaspersky published its findings on Operation Triangulation, Russia’s Federal Security Service, or FSB, accused the NSA of hacking “thousands” of iPhones in Russia, with diplomats among the targets. At the time, a Kaspersky spokesperson said the company did not have information to support the FSB’s broader claims. The spokesperson did say, however, that the “indicators of compromise” identified by Russia’s National Coordination Centre for Computer Incidents matched the same evidence Kaspersky had found.

Boris Larin, a security researcher at Kaspersky, said by email that “despite our extensive research, we are unable to attribute Operation Triangulation to any known [Advanced Persistent Threat] group or exploit development company.”

Larin said Google linked Coruna to Operation Triangulation because both exploited the same two vulnerabilities, Photon and Gallium.

“Attribution cannot be based solely on the fact of exploitation of these vulnerabilities. All the details of both vulnerabilities have long been publicly available,” he said, arguing that anyone could have used them once they became known. He added that those two shared vulnerabilities “are just the tip of the iceberg.”

Kaspersky never publicly accused the U.S. government of being behind Operation Triangulation. Still, the logo the company used for the campaign — an Apple-like symbol composed of several triangles — closely resembles the L3Harris logo, while Trenchant’s own logo consists of two triangles. That may not be accidental. Kaspersky has, in the past, stopped short of directly naming the actor behind a hacking campaign while quietly hinting that it knew who was responsible or where the tools came from.

In 2014, for example, Kaspersky said it had uncovered a highly sophisticated and elusive government hacking group it called “Careto,” Spanish for “the Mask.” The company said only that the attackers appeared to speak Spanish. But the illustration of the mask in its report incorporated the red and yellow colours of Spain’s flag, along with bull’s horns and other suggestive imagery.

On Wednesday, cybersecurity journalist Patrick Gray said on his Risky Business podcast that, based on “bits and pieces” he believed were reliable, the tools Williams leaked to Operation Zero were the same hacking kit later used in the Triangulation campaign.

Shivangi Yadav reports on startups, technology policy, and other significant technology-focused developments in India for TechAmerica.Ai. She previously worked as a research intern at ORF.