Alexey Firsh, Kurt Baumgartner and Brian Bartholomew provided an indication of the seriousness with which they regarded this discovery, saying in a detailed blog post that while the watering hole itself was discovered early in January, they had already released two private reports outlining the spread, exploits, infrastructure and LightSpy implants.
Private reports are provided only to paying customers. After the US Government came down heavily on Kaspersky for the firm's repeated exposure of advanced persistent threats (APTs, attacks crafted by nation-states) that were authored by the NSA, the Russian company now provides details of APTs only in such private reports.
LightSpy appeared to be designed to target users in Hong Kong, the three researchers said, leading the reader to assume that it would have had Chinese origins. Firsh, Baumgartner and Bartholomew said they had temporarily named the APT group TwoSail Junk, a further hint at Chinese origins.
"Considering that this LightSpy activity has been disclosed publicly by our colleagues from Trend Micro, we would like to further contribute missing information to the story without duplicating content. And, in our quest to secure technologies for a better future, we reported the malware and activity to Apple and other relevant companies."
Trend Micro's research, carried out by Elliot Cao, Joseph C. Chen, William Gamazo Sanchez, Lilang Wu, and Ecular Xu, said the watering hole had "several webpages disguised as local news pages [which were] then injected with an iframe that loads an iOS exploit.
"The iOS exploit flow was designed to exploit vulnerable iOS versions 12.1 and 12.2 on several models ranging from the iPhone 6S to the iPhone X. Users with unpatched iPhones that access the concerned links will be infected with an iOS malware that can spy on and take full control of the devices. We found that the campaign tricked users into clicking on the malicious news links by posting them on popular forums in Hong Kong."
The additional information that Kaspersky provided covered the deployment timeline, the way the implant spread, its infrastructure, an Android implant, and a pivot to related infrastructure.
The researchers said that after the initial discovery on 10 January, they had noted major modifications on 7 February and minor ones on 5 March.
As to the additional means of spreading, the trio said they had noted that, while in past campaigns the attackers had used social network platforms and direct messaging, more recently Telegram channels and Instagram posts were also being used as vectors. The first watering hole was designed to mimic a well-known Hong Kong newspaper, Apple Daily, by copying and pasting HTML source code from the original.
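Both Trend Micro and Kaspersky describe the same delivery pattern: a page cloned from a legitimate news site with an injected iframe that loads the exploit. The following is an added defender-side example, not code from either vendor's report; it scans a page for iframes pointing off the site's own host (or using data:/javascript: sources) and flags ones styled to be invisible, which is the signature a cloned news page with an injected loader would show. The hostnames, file paths and sample HTML below are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect (src, attrs) for every <iframe>/<frame> tag in a document."""

    def __init__(self):
        super().__init__()
        self.frames = []

    def handle_starttag(self, tag, attrs):
        if tag in ("iframe", "frame"):
            attr_map = {k: (v or "") for k, v in attrs}
            if attr_map.get("src"):
                self.frames.append((attr_map["src"], attr_map))


def is_hidden(attrs):
    """True when the frame is sized to zero or styled display:none, a common
    trait of an injected loader that should stay invisible to the visitor."""
    style = attrs.get("style", "").replace(" ", "").lower()
    return (
        attrs.get("width", "") == "0"
        or attrs.get("height", "") == "0"
        or "display:none" in style
        or "visibility:hidden" in style
    )


def suspicious_iframes(html, expected_host):
    """Return iframes whose source is not served from expected_host.

    Relative src values resolve to the page's own host and are ignored;
    data: and javascript: sources are always reported because a legitimate
    news page has no reason to embed code that way.
    """
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for src, attrs in collector.frames:
        parsed = urlparse(src)
        scheme = parsed.scheme.lower()
        host = parsed.netloc.lower()
        if scheme in ("data", "javascript") or (host and host != expected_host.lower()):
            findings.append({"src": src, "hidden": is_hidden(attrs)})
    return findings


# Constructed sample: a cloned news page with two legitimate frames and one
# injected, zero-sized frame pointing at a placeholder exploit host.
SAMPLE_CLONED_PAGE = """
<html><head><title>Local news</title></head><body>
<h1>Headline copied from the original site</h1>
<iframe src="https://news.example/widgets/weather"></iframe>
<iframe src="/embed/video/123"></iframe>
<iframe src="https://exploit-host.invalid/ios/loader.html"
        width="0" height="0" style="display: none"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for hit in suspicious_iframes(SAMPLE_CLONED_PAGE, "news.example"):
        print(f"off-site iframe: {hit['src']} hidden={hit['hidden']}")
```

Run against a saved copy of a suspect page with the legitimate site's hostname; in an incident-response workflow the same check can be applied to crawled copies of pages linked from forum posts, since that is how both vendors say the links were distributed.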
"This particular framework and infrastructure is an interesting example of an agile approach to developing and deploying surveillance framework in Southeast Asia," Firsh, Baumgartner and Bartholomew observed.
"This innovative approach is something we have seen before from SpringDragon, and LightSpy targeting geolocation at least falls within previous regional targeting of SpringDragon/LotusBlossom/Billbug APT, as does infrastructure and 'evora' backdoor use."