Cyber security firms in Russia have assigned the US government its very own advanced persistent threat (APT) designation after claiming that it, or its government agencies, had launched attacks against Russian Federation targets.
Russian intelligence firms are reportedly referring to the US government as “Sand Eagle”, according to a document shared by @vxunderground on X (formerly Twitter).
Russia-based Cyber Threat Intelligence firms have an APT name designated for the United States government: Sand Eagle pic.twitter.com/4eLuaE1lwJ
— vx-underground (@vxunderground) March 7, 2024
The shared document details an instance in which “American special services” launched a campaign against Russian devices, including those belonging to the government.
“On June 1, 2023, the FSB of Russia announced that as a result of an intelligence operation by American special services, several thousand iPhones, including devices of diplomatic missions in Russia, were infected with unknown malicious software,” the document read.
“Details about the actions that occurred after the infection of the devices, as well as the elimination of the detected ‘anomalies’ were not provided by the agency.
“Later that day, Kaspersky Lab specialists reported that they had found several iPhones with suspicious behaviour and examined their backups. The researchers called this harmful campaign ‘Operation Triangulation’.”
According to the document, a malware called TriangleDB is installed on a compromised device once the threat actor gains administrator privileges on it through a “kernel vulnerability”. The payload resides only in the device’s memory, meaning a reboot will eliminate any trace of the malware.
It also means that after the device is rebooted, it must be reinfected through an iMessage carrying the malware.
The document provides no details as to what the “diplomatic missions” were.
It is also worth noting that Kaspersky Lab is a cyber security organisation that has been accused in the past of having connections with the Russian military.
Responding to @vxunderground on X, cyber researcher Bill Marczak said that Sand Eagle does not refer to this instance but instead to a Middle Eastern group.
“Qihoo 360 came up with the name in 2022, and it’s not linked to Triangulation (360 asserted a link then deleted their research). In this year’s threat report, 360 clarifies that Sand/Desert Eagle is actually a Middle East group not related to Triangulation,” his post said.
Additionally, researcher Dmitry Smilyanets asked X’s AI chatbot Grok what it knew about the Sand Eagle APT, and it provided information that backed Russia’s claims.
Grok knows something we don’t 🥲 pic.twitter.com/LACYSEuUxj
— Dmitry Smilyanets (@ddd1ms) March 7, 2024