Kaspersky's Zero-Click Hack Discovery Spurs Controversy with Apple Over Bug Bounty
In June 2023, Kaspersky Lab reported that iPhones used by several of its employees were hacked using highly sophisticated methods that exploited iOS vulnerabilities. The attackers, identified as nation-state hackers, utilized a zero-click iMessage vulnerability to infiltrate and steal confidential information.
Kaspersky's investigation revealed that the attackers had been lurking in its systems since at least 2019. This long-term infiltration and the use of advanced techniques pointed to a high level of expertise and resources, typical of state-sponsored hacking groups. The attack was dubbed "Operation Triangulation" (IOSTriangulation) by Kaspersky.
Upon discovering the vulnerability, Kaspersky promptly informed Apple, which led to several updates being issued to patch the security flaws. According to Apple's bug bounty program, the reported vulnerabilities should have entitled Kaspersky to a $1 million reward. However, Apple has refused to pay the bounty.
While $1 million is not a significant amount for Kaspersky, the company intended to donate the reward to charity. After Apple's refusal, Kaspersky suggested that Apple donate the amount directly to a charitable organization. Apple, citing internal policies, declined both the payment to Kaspersky and the donation, without providing a specific reason.
After numerous unsuccessful attempts to resolve the issue privately, Kaspersky has gone public with the dispute, hoping to pressure Apple into either explaining its decision or making the donation. Given Apple's financial standing, the refusal to pay or donate the $1 million has raised questions and criticism.