Russian Spies Used iPhone Hacking Tools Originally Developed by American Defense Contractor

Sophisticated iPhone Exploitation Framework Traced to U.S. Military Supplier

Intelligence researchers have determined that a complex iPhone hacking operation targeting users in Ukraine and China originated from tools developed by American defense contractor L3Harris. These cyber weapons, initially created for Western intelligence agencies, eventually found their way into the hands of Russian government operatives and Chinese criminal organizations.

Google’s cybersecurity team disclosed earlier this month that they had identified a comprehensive iPhone exploitation framework throughout 2025. This sophisticated toolkit, internally designated “Coruna” by its creators, consisted of 23 distinct components initially deployed in precision intelligence operations by an undisclosed government client of a surveillance technology vendor.

The hacking suite subsequently appeared in operations conducted by Russian intelligence services against select Ukrainian targets, before being adopted by Chinese cybercriminals for large-scale financial theft campaigns targeting cryptocurrency assets.

Defense Contractor Connection Revealed

Mobile security firm iVerify conducted an independent technical analysis of the Coruna toolkit and concluded it likely originated from a commercial vendor serving U.S. government clients. Two former L3Harris employees with direct knowledge of the company’s iPhone exploitation capabilities confirmed to investigators that Coruna was developed, at least partially, by the contractor’s specialized hacking division known as Trenchant.

Both former employees, speaking anonymously due to confidentiality restrictions, recognized technical elements and internal naming conventions from their work on iPhone penetration tools. One former Trenchant operative specifically identified Coruna as an internal component designation within the company’s broader exploitation framework.

L3Harris markets Trenchant’s surveillance and penetration testing tools exclusively to U.S. government agencies and Five Eyes intelligence alliance partners, including Australia, Canada, New Zealand, and the United Kingdom. This limited customer base suggests the toolkit was initially acquired by one of these intelligence organizations before being compromised and redistributed.

Insider Theft Enables Tool Proliferation

The pathway from legitimate government use to criminal exploitation appears linked to Peter Williams, a former Trenchant general manager who systematically stole company assets. Between 2022 and mid-2025, Williams sold eight proprietary hacking tools to Operation Zero, a Russian broker specializing in zero-day vulnerability trading.

Williams, an Australian citizen, received $1.3 million for providing these tools to the Russian intermediary. He was sentenced to seven years imprisonment last month after admitting to the theft. U.S. prosecutors described his actions as a betrayal of American national security interests, noting that the stolen tools could potentially compromise millions of devices worldwide.

Operation Zero, which claims exclusive relationships with Russian government entities and domestic companies, was sanctioned by the U.S. Treasury Department. Intelligence assessments indicate the broker redistributed Williams’ stolen tools to unauthorized users, explaining how Russian espionage group UNC6353 acquired and deployed Coruna against Ukrainian targets.

Global Distribution Network

The toolkit’s journey from Russian intelligence to Chinese criminal organizations likely involved multiple intermediaries. Treasury officials noted connections between Operation Zero and members of the Trickbot ransomware organization, demonstrating the broker’s ties to financially motivated threat actors.

Google researchers identified two specific Coruna exploits, designated Photon and Gallium, being utilized in Operation Triangulation, a sophisticated campaign targeting Russian iPhone users first discovered by Kaspersky in 2023. This connection suggests the tools experienced further redistribution after their initial theft.

iVerify co-founder Rocky Cole assessed that available evidence strongly points to Trenchant and U.S. government agencies as Coruna’s original developers and customers. This conclusion relies on timeline correlations with Williams’ activities, structural similarities between Coruna modules and Triangulation components, and shared exploitation techniques.

Technical Capabilities and Timeline

The Coruna framework was engineered to compromise iPhone models running iOS versions 13 through 17.2.1, covering devices released between September 2019 and December 2023. This timeframe aligns with both Williams’ theft activities and the emergence of Operation Triangulation.

Security researchers noted the toolkit’s use of bird-themed naming conventions for various components, including Cassowary, Terrorbird, Bluebird, Jacurutu, and Sparrow. This pattern mirrors previous L3Harris products, such as the Condor tool sold to the FBI for the San Bernardino iPhone case.

When Operation Triangulation was initially disclosed, former Trenchant employees reportedly suspected that discovered zero-day vulnerabilities originated from their company’s development projects. This internal recognition further supports the connection between the leaked tools and subsequent criminal exploitation campaigns.

The case illustrates the significant security risks posed by insider threats within the cybersecurity industry, particularly when sensitive government tools fall into adversarial hands and proliferate through underground markets.