Operation Triangulation is the code name given by Kaspersky in June 2023 to a sophisticated iOS spyware campaign that had been targeting Kaspersky employees and other Russian government and academic personnel since 2019. The campaign used four zero-day exploit chains against iOS, chained through iMessage to achieve silent infection. Kaspersky’s analysis revealed an exceptionally complex multi-stage implant that Russian authorities subsequently attributed publicly to US intelligence services in a press briefing.
What it means in practice
Operation Triangulation delivered its payload through invisible iMessage attachments that processed automatically without victim interaction. The implant achieved full device compromise: microphone, camera, location, keychain, photos, messages, and persistent post-reboot operation. Kaspersky’s forensic analysis required custom tooling, including the development of a triangulation check utility distributed publicly to allow other potentially affected users to scan their devices. Apple released patches in mid-2023 addressing the four CVEs used by the chain.
Specific things to know
The campaign is notable for its technical sophistication relative to the commercial spyware market: the chain abused a previously unknown CPU-level mechanism related to GPU memory access that Kaspersky’s analysts described as undocumented and possibly known only to a small number of researchers. The technical complexity, combined with the targeting of Russian intelligence and counter-intelligence personnel, has led most independent analysts to attribute the campaign to a state actor rather than a commercial vendor. Kaspersky did not publicly assert attribution.
Change today
Keep iOS devices updated immediately when patches are available. Enable Lockdown Mode for any plausible high-risk target. The structural lesson of Operation Triangulation is that even highly sophisticated state actors leave forensic indicators, and that the patience and tooling required to find those indicators is the bottleneck rather than the technical capability of the adversary. For most users, the practical defence is the same as against commercial spyware: hardened device configuration, disciplined behaviour, and timely patching.
Related articles
See our coverage of the Kaspersky Triangulation disclosure, the technical analysis of the iMessage zero-click chain, and the broader question of state versus commercial mercenary spyware capabilities.
