Coruna Case Shows How Misattribution Could Lead to a Strategic Mistake
A leaked hacking toolkit looked like a U.S. intelligence operation. In reality, it ended up in russian hands and was used against Ukraine – a case that shows why attribution sometimes matters.
(What follows is my opinion on Andy Greenberg’s excellent piece for WIRED, which very much deserves your time.)
Attribution in cyber operations is a thankless business. It is slow, expensive, often inconclusive, and usually pointless. Even when analysts are confident about who is behind an attack, the result is rarely anything stronger than suspicion, indictments, or symbolic sanctions. For that reason most practitioners will tell you the same thing: focus on defence, not on who hacked you.
And most of the time they are right. But the Coruna case is a good reminder that sometimes attribution matters a lot.
Google recently discovered a sophisticated iPhone exploitation toolkit embedded in Ukrainian websites. The toolkit contained five exploit chains and targeted twenty-three vulnerabilities. Victims were infected through a drive-by download in Safari, with no interaction beyond visiting the page. The malicious code was hidden inside ordinary website visitor counters – the kind of element that almost nobody pays attention to.
Technically, the operation had all the hallmarks of a major geopolitical cyber actor.
The toolkit also contained components from Operation Triangulation – the iPhone espionage campaign that russia publicly blamed on the NSA. The code itself was written by English-speaking developers, and the security company iVerify openly stated that the tool looks very much like a U.S. government capability.
Now imagine the following situation. You are investigating compromised smartphones belonging to Ukrainian officials or military personnel. You extract the malware, analyze the code, and see clear indicators pointing to an American origin – NSA components, English-language development patterns, familiar exploitation techniques.
Without deeper attribution the conclusion looks obvious: the United States hacked Ukraine. Except that is not what happened.
The toolkit appears to have leaked from the zero-day broker ecosystem through an insider who is now facing prosecution. From there it ended up in the hands of russian intelligence, which used it against Ukrainian targets. The technical artefacts point in one direction, but the operational reality points in the exact opposite direction.
Without proper attribution this would not just be a technical mistake in a report. It could easily become a diplomatic crisis. It could damage trust between allies. And it would be a perfect narrative for russian information operations: “Look, America is spying on Ukraine.”
There is another lesson here. Operation Triangulation ran for years without being detected. It only surfaced in 2023, on devices belonging to Kaspersky employees – and even that happened only because the tools had apparently spread beyond their original owner. If the toolkit had remained strictly controlled by its initial user, the campaign might still be running today, or at least would have lasted much longer.
Which leads to the final paradox. The greatest threat to cyber weapons is often not defenders, but the market surrounding them. Brokers, resellers, and intermediaries introduce instability into systems that were designed to remain secret. In the Coruna story, a leak inside the zero-day trade ecosystem ultimately exposed capabilities that might otherwise have remained invisible.
It is unlikely that the broker involved spent much time thinking about geopolitical consequences while collecting what was reportedly a fairly modest payment for the toolkit. Money may not even have been the primary motivation. The real story behind that transaction is far more complicated – and worth reading about separately.
But the strategic takeaway is simple. Sometimes attribution is not about naming and shaming attackers. Sometimes it is about preventing the wrong war from starting over the wrong conclusion.
And occasionally, a leak in the cyber-weapons market ends up revealing more than any threat hunter ever could.
