by luch 972 days ago
No way in hell the NSA forcibly tries to reinfect targets over and over; that's not their modus operandi. Instead they would have spent money to find persistence on the infected device.

The fact that the attacker has almost a full chain but no persistence screams "second fiddle" to me, probably a nation state that has access to 0-day brokers but no in-house engineering.


Persistence on iOS is really, really hard.
I agree with you on that, but the USA (and probably China) is the nation state least likely to skimp on iOS persistence when targeting Russian AV analysts :D
I can only guess at motivations, but I would think that when targeting security researchers you'd aim not to have persistence, since that would require leaving evidence of infection on the device.
This is not the first time the NSA infiltrated Kaspersky. Avoiding persistence was one of the desired requirements of the attack.
It wasn't clear to me from reading the blogpost that persistence _wasn't_ achieved?
They mentioned that the suspicious traffic stopped after a restart.
I'm not seeing that mentioned in this blogpost, was it mentioned in one of the other ones?
https://securelist.com/operation-triangulation/109842/

They talk about it here, under "what we know so far"

FTA: "Once the device rebooted, all the suspicious activity stopped."