NextFin News - A sophisticated suite of iPhone hacking tools developed by U.S. defense giant L3Harris has been deployed by Russian intelligence services against targets in Ukraine, marking one of the most significant blowbacks in the history of American cyber-warfare. The revelation, confirmed by technical forensics from Google’s Threat Analysis Group and internal sources at L3Harris, centers on a toolkit codenamed "Coruna." Originally designed by Trenchant, a specialized hacking division within L3Harris, the software was intended for use by Western intelligence agencies but instead surfaced in the hands of the Kremlin’s spies and Chinese cybercriminal syndicates.
The breach of containment was not a result of a sophisticated hack against L3Harris, but rather a calculated betrayal from within. Peter Williams, a former executive at the firm, was sentenced to seven years in prison last month after admitting to selling eight proprietary zero-day exploits to Operation Zero, a St. Petersburg-based broker with deep ties to the Russian government. Between 2022 and his resignation in mid-2025, Williams funneled these high-value vulnerabilities—including those dubbed "Photon" and "Gallium"—to Russian intermediaries for millions of dollars. These tools were subsequently integrated into "Operation Triangulation," a multi-year espionage campaign that compromised tens of thousands of iPhones through invisible iMessage exploits requiring no user interaction.
U.S. President Trump’s administration now faces a diplomatic and security crisis as American-made "cyber-munitions" are actively used to undermine allies in Kyiv. While the Treasury Department has moved to sanction Sergey Sergeyevich Zelenyuk and his firm, Operation Zero, the damage to the U.S. military-industrial complex’s reputation is already profound. The incident echoes the 2017 leak of the NSA’s EternalBlue exploit, which powered the global NotPetya attacks, but the L3Harris case is arguably more damaging because it involves the deliberate commercial sale of active, high-end mobile exploits by a trusted contractor executive.
For Apple, the discovery is a sobering reminder that even the most fortified hardware remains vulnerable to the financial incentives of the "exploit broker" market. The Coruna toolkit allowed Russian operatives to embed malware within routine web analytics tools on Ukrainian websites, effectively turning the digital infrastructure of the war zone against its own defenders. Security researchers at Kaspersky, who first flagged the technical mechanics of the campaign, noted that the precision of the exploits suggested a level of resource and deep-system knowledge typically reserved for state-funded development labs. The fact that these resources were funded by U.S. taxpayers only to be turned against Western interests has sparked calls for a fundamental overhaul of how the Pentagon monitors its private-sector cyber partners.
The fallout extends beyond the battlefield in Ukraine. Google’s researchers also identified fragments of the Coruna code in the hands of Chinese threat actors, suggesting that once a cyber weapon enters the gray market, its proliferation is impossible to control. L3Harris, which has built a lucrative business providing offensive capabilities to the U.S. government, now finds itself at the center of a federal inquiry into its internal oversight and personnel vetting. The company’s stock fell 2.35% following the report, as investors weighed the risk of losing sensitive government contracts. As the digital frontlines of the Ukraine conflict continue to evolve, the Coruna leak serves as definitive proof that in the world of high-stakes cyber espionage, the line between a weapon and a liability is dangerously thin.
