Friday, 24 March 2017 05:56

WikiLeaks claims CIA loading malware on iPhones since 2008


The CIA has been infecting the iPhone supply chain of its targets with malware since at least 2008, WikiLeaks claims in a fresh dump of documents which it says are again from the American spy organisation.

The manual for "NightSkies 1.2", a "beacon/loader/implant tool" for the Apple iPhone, indicates the tool had reached this version by 2008. It is designed to be physically installed onto factory-fresh iPhones, WikiLeaks said.

The second tranche of documents from WikiLeaks' CIA trove, this one dubbed Vault 7: Dark Matter, contained material on how the spy outfit attacks Apple/Mac devices and was released overnight on Thursday.

The documents spell out how the CIA gains "persistence" on Apple devices, including Macs and iPhones, and also provide details on the use of EFI/UEFI and firmware malware.

Two weeks ago, WikiLeaks released about 8000 CIA documents, which it called Vault 7, and said that it was just the tip of the iceberg. In an interview with Al Jazeera's Yosri Fouda a couple of days ago, WikiLeaks publisher Julian Assange said Vault 7 constituted 1% of the total documents leaked to it.

One of the projects described in the latest leak is named Sonic Screwdriver. According to the CIA, it provides a "mechanism for executing code on peripheral devices while a Mac laptop or desktop is booting".

This permits an attacker to boot attack software from, for example, a USB stick "even when a firmware password is enabled".

Sonic Screwdriver itself is stored in the modified firmware of an Apple Thunderbolt-to-Ethernet adaptor.

Another implant described is named "DarkSeaSkies". It persists in the EFI firmware of an Apple MacBook Air computer and consists of "DarkMatter", "SeaPea" and "NightSkies". These are respectively EFI, kernel-space and user-space implants.

Other documents included in this release provide details about the "Triton" Mac OS X malware, its infector "Dark Mallet" and its EFI-persistent version "DerStarke".

The DerStarke 1.4 manual dates to 2013, but other documents show the CIA continues to rely on it and update it; DerStarke 2.0 is said to be under production.

"While CIA assets are sometimes used to physically infect systems in the custody of a target it is likely that many CIA physical access attacks have infected the targeted organisation's supply chain including by interdicting mail orders and other shipments (opening, infecting, and re-sending) leaving the United States or otherwise," the organisation said.

Apple has been contacted for comment.

Sam Varghese


Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.
