Hacking Toolkit Coruna Linked to Russian Espionage and Chinese Cybercrime

By Lisa Wong

Coruna, a highly advanced hacking toolkit, has been linked to operations by Russian spies and Chinese cybercriminals. The connection illustrates the security risk posed by offensive tools with intelligence or military origins once they leave their intended owners. Trenchant, a division of the defense contractor L3Harris, designed the toolkit as a surveillance and intelligence-gathering asset. It has since been appropriated by bad actors.

Coruna consists of 23 different components and operates through a modular structure built around three main modules: Plasma, Photon, and Gallium. The toolkit exploits publicly known vulnerabilities, including some that were exploited in campaigns such as Operation Triangulation. Misuse of this technology presents grave risks well beyond national security: the reports suggest it has already been used in far-reaching campaigns focused primarily on financial theft and cryptocurrency crime.

Origins and Components of Coruna

Trenchant designed Coruna for a confidential government client. That decision highlights the delicate balance between surveillance technology and cybersecurity. The toolkit's modular design comprises three main modules, Plasma, Photon, and Gallium, each handling a distinct stage of an intrusion.

The toolkit covers a range of attack vectors, including vulnerabilities revealed in the infamous Operation Triangulation. That operation stood out for its complexity and sophistication, and Google has tied Coruna to the same vulnerabilities. Whether or not Coruna itself was used in that campaign, the overlap is deeply concerning. It raises the question of how hacking tools deliberately created for government purposes are used and, more importantly, shared.

“Despite our extensive research, we are unable to attribute Operation Triangulation to any known APT group or exploit development company.” – Boris Larin

Coruna's appearance in these operations is an alarming trend. It demonstrates how intelligence tools can be turned against the societies that built them. It stands, we hope, as a cautionary tale about the dangers of the commercial spread of government-developed, cutting-edge hacking tools.

Misuse by Malicious Actors

Coruna was initially developed for Western intelligence services. Today, it is being used by UNC6353, a Russian espionage group, as well as by Chinese cybercriminals. The Russian group's use of the toolkit is said to target individual iPhone users selected by geolocation, showcasing the toolkit's ability to conduct precision attacks. At the same time, Chinese cybercriminals have used Coruna in large-scale, automated waves to steal bank accounts and cryptocurrencies.

The trajectory of Coruna from government-issued tool to an asset exploited by criminal enterprises underscores the weaknesses in how such tools are controlled. According to the reporting, one of the intelligence agencies in the Five Eyes alliance was the first to obtain the toolkit. Its subsequent sale to Operation Zero further muddies its legacy. The Russian company is perhaps best known for offering large bounties for zero-day exploits.

“Looking at the technical details, so many are familiar.” – Former L3Harris employee

The shift from legitimate use to exploitation creates troubling ethical and security dilemmas. Further, it raises important issues about accountability in the creation and dissemination of surveillance technologies.

The Legal Fallout

Peter Williams, the former general manager at Trenchant, was instrumental in illegally selling Coruna and other hacking tools. Williams sold eight proprietary hacking tools to Operation Zero for a total of $1.3 million. That act led to his conviction for misappropriating and selling corporate assets, and to a seven-year prison sentence.

The legal consequences of Williams's actions are a strong reminder of how crucial it is to protect sensitive technological developments from exploitation. L3Harris sells Trenchant's tools solely to U.S. government customers and partners within the Five Eyes alliance. Today, that same company is under a great deal of scrutiny for allowing such advanced technologies to reach the hands of adversaries.

“Attribution cannot be based solely on the fact of exploitation of these vulnerabilities. All the details of both vulnerabilities have long been publicly available.” – Boris Larin

The case serves as a cautionary tale about the potential consequences of inadequate oversight in the tech industry, particularly when it comes to technologies with dual-use capabilities.