
Introduction

The incident began on 2025/10/23. From a reply to a post by the well-known X user @jsrailton, it can be read between the lines that Trenchant, a company suspected of developing cyber weapons for the Five Eyes Alliance, had suffered an information leak. Speaking of cyber-weapon leaks, the last large-scale one was the 2017 Shadow Brokers leak from the CIA, in which the leaked data included a large number of 0days, weapon frameworks, and internal information of the US CIA, and which directly drove a major upgrade across the entire cybersecurity industry; the infamous WannaCry ransomware was a technical product of it. This news therefore immediately attracted the attention of the Qi'anxin Threat Intelligence Center.


October 23 - iOS 0day researchers under attack

The @jsrailton post in fact traces back to a TechCrunch article, "Apple alerts exploit developer that his iPhone was targeted with government spyware".

The article's protagonist, Jay Gibson, is an iOS 0day researcher employed by Trenchant who specialized in developing surveillance spyware for the iOS platform. On March 5, 2025 he received a notification from Apple informing him that "state-sponsored spyware attacks targeting your iPhone have been detected." This may well be the first recorded case in which someone who develops exploits and spyware himself became the target of a spyware attack.

It should be added that Apple's security research department notifies victims as soon as it discovers an in-the-wild 0day or spyware attack against Apple devices. Interestingly, Jay Gibson is not the company's only victim: at least three other people from the company have received corresponding security notifications from Apple.

At this point one might assume this was simply a 0day attack against a cyber-weapon supplier. That is not the whole story, however. It turns out that Jay Gibson had been fired by the company a month before receiving the notification, following a conversation on February 3 with General Manager Peter Williams. Peter Williams informed Jay Gibson that the company suspected him of dual employment, which led to his suspension and, after a two-week investigation, his termination.

Jay Gibson later learned from former colleagues that it was most likely the Chrome browser 0day project developed by Trenchant that had been leaked; the company blamed him for it and fired him. Jay Gibson, however, maintains that since he worked on iOS 0day development, which has no overlap with the Chrome 0day project, he could not have caused the leak.

It should be noted that such security research teams, especially those tied to defense, do keep each research direction highly isolated, particularly given the threat posed by, and the considerable value of, the 0day vulnerabilities themselves.

Having sorted out all the timelines here, we can roughly come up with the following order:

At this point we can essentially summarize the whole story of the article: Trenchant had suffered at least one iOS-related attack two months earlier, with at least four victims; there was at least one Chrome 0day data breach inside Trenchant; and iOS 0day developer Jay Gibson was later deemed the culprit of the leak and fired in mid-February, although it seems more likely that he was a scapegoat. The incident appears to end here. From an intelligence perspective, however, we can keep digging, and the starting point is the notification Jay Gibson received from Apple on March 5.

Generally, when Apple devices are attacked and Apple sends a notification, the attack must have involved a 0day, and Apple issues a corresponding advisory for each 0day vulnerability. If Jay Gibson received Apple's notification on March 5, there must have been a related in-the-wild 0day patched around March. Checking Qi'AnXin Threat Intelligence Center's vulnerability intelligence, we can see that Apple did release a patch for a WebKit 0day exploited in the wild, CVE-2025-24201, around March 11. That is only 6 days from Jay Gibson's notification on March 5, which basically fits the timeline.

Readers familiar with iOS vulnerabilities will know that modern iOS exploitation is basically impossible to complete with a single vulnerability. So if Apple captured the entire exploit chain, the related vulnerabilities would almost certainly have been fixed around March as well. Thus CVE-2025-24085 and CVE-2025-24200, which we screened out, may also be related to this incident.

Intelligence from Qi'AnXin Threat Intelligence Center indicates that the CVE-2025-24201 0day attack was reported in the article "Glass Cage Attack: The Stealth Nation-State Backdoor." The attack occurred in December 2024 and used CVE-2025-24201 and CVE-2025-24085; CVE-2025-24200 is speculated to have been used as well. The article placed the incident on the level of NSO's "Pegasus Operation" or "Operation Triangulation." Given that the victim is a Five Eyes cyber-weapon supplier such as Trenchant, this classification is well-deserved. Interestingly, the article was deleted shortly after publication, and further analysis suggests it was most likely generated by an LLM. Nonetheless, the vulnerability used in the attack on Jay Gibson and CVE-2025-24085/CVE-2025-24200/CVE-2025-24201 are indeed likely related.

At this point we update the entire timeline again, and the incident appears sorted out: Trenchant was attacked, and some 0day vulnerabilities were stolen.


October 24th - A Plot Twist with the Emergence of the Dossier

However, a reversal came the very next day, October 24, 2025. A post by @carrot_c4k3 on X mentioned that a U.S. company appeared to be suspected of leaking vulnerability data to Russia. Via @carrot_c4k3's post, we found a docket filed with the U.S. District Court for the District of Columbia on October 14, 2025.

The core of the case is as follows: the defendant, Peter Williams, sold trade secrets generated by COMPANY ONE and COMPANY TWO outside the United States, in particular to Russian buyers. Does this name sound familiar? Isn't this Peter Williams the same General Manager Peter Williams who fired Jay Gibson in the Trenchant attack case?

Property of his worth US$1.3 million was confiscated, including houses and many valuable luxury items.

Many readers may wonder whether this Peter Williams is the same as the Peter Williams at Trenchant. For one thing, the names are indeed identical, and @jsrailton later pointed out on X that many of the exhibits were the proceeds of the transactions at the time. As a senior researcher at Citizen Lab, @jsrailton is a highly credible source.

In addition, the Qi'AnXin Threat Intelligence Center has further reasons to find the inference plausible. The lawsuit states that the trade secrets sold were generated by and belonged to COMPANY ONE and COMPANY TWO, that is, project data jointly developed by two companies, and Trenchant fits that condition.

The official account of Trenchant on X is as follows:

Clicking on its official link, you can see that it eventually redirects to https://www.l3harris.com/trenchant-articles.

L3Harris Technologies, Inc. (hereinafter referred to as L3Harris) is a global aerospace and defense technology innovation company headquartered in Melbourne, Florida, USA. It was established in 2019 through the merger of L3 Technologies and Harris Corporation. It is a major U.S. defense contractor and information technology service provider, focusing on providing end-to-end technology solutions to government, defense, and commercial sectors to meet the challenges of a rapidly changing world. The company's business covers air, land, sea, space, and cyber domains. It is particularly worth noting that the cyber domain mainly involves network and intelligence tools, including vulnerability research, zero-day exploitation, and endpoint intelligence solutions.

L3Harris' mission is "Fast. Forward.," emphasizing agile response to risks and providing reliable national security solutions. With significant annual revenue, the company is one of the top ten U.S. government contractors.

Trenchant was established in 2018. L3 Technologies (the predecessor of L3Harris) acquired Azimuth Security (founded in 2008 by software security experts Mark Dowd and John McDonald, specializing in deep software analysis, threat modeling, and source code review) and Linchpin Labs (founded in 2007 by former intelligence officers, focusing on cross-platform low-level system development and zero-day vulnerability development). After the acquisition, the two companies were merged into Trenchant, an elite team specializing in computer network operations, vulnerability research, and the development of hacking and surveillance tools for Western governments (such as the Five Eyes intelligence agencies).

Therefore, COMPANY ONE and COMPANY TWO here should refer to L3Harris and Trenchant. Although we found that Trenchant was established in 2018, it likely began formal operations around 2021 after the acquisition was completed.

At the time of writing, the latest TechCrunch article, "US accuses former L3Harris cyber boss of stealing and selling secrets to Russian buyer," confirmed that the Peter Williams in the docket was indeed L3Harris's cyber director. It can also be seen that Peter Williams became general manager on October 23, 2024 and was fired on August 21, 2025. The earlier scapegoat, Jay Gibson, was thus likely wrongfully dismissed.

At this point the entire timeline of the incident has been largely clarified. The story involves not only corporate espionage, national security, and 0day attacks but also suspenseful twists of flight and scapegoating; it could be the plot of an American blockbuster.


Epilogue

However, who is behind the attack remains a mystery. Did Peter Williams really sell the leaked data, or did the attack itself lead to the information leakage? We lean towards the view that the attack on Jay Gibson and others led to the actual leak of vulnerability data around December 2024 (after all, Apple did issue a warning notice). Peter Williams may have tried to use Jay Gibson as a scapegoat to quiet the matter down, but unexpectedly it was Peter Williams himself who was uncovered in the final investigation. Williams is a major insider, but the attribution of the attack is also a decisive factor in how the case is characterized; the attack could, for example, have originated from internal evidence collection at the top levels of the FBI. I won't speculate further here.

At the start of this article, the Shadow Brokers leak was mentioned as having triggered a major escalation across the cybersecurity industry. While this incident may appear to have a relatively minor impact, with no zero-days compromised, it nonetheless represents a significant threat to the United States. First, it is certain that L3Harris, one of the top ten U.S. government contractors, was compromised by a zero-day attack; while the full extent of the data leak remains uncertain, it likely amounts to a significant number of zero-day tools. Second, there are concerns that an insider at L3Harris may have been selling zero-day data, which poses a serious risk to the company's credibility.


References

[1] https://techcrunch.com/2025/10/21/apple-alerts-exploit-developer-that-his-iphone-was-targeted-with-government-spyware/

[2] https://storage.courtlistener.com/recap/gov.uscourts.dcd.285896/gov.uscourts.dcd.285896.1.0.pdf

[3] https://techcrunch.com/2025/10/23/u-s-government-accuses-former-l3harris-cyber-boss-of-stealing-trade-secrets/

[4] https://find-and-update.company-information.service.gov.uk/officers/MM6HsvOwfzBes-88T7OQD0ID4LM/appointments

[5] https://x.com/jsrailton/status/1980729390263595065

[6] https://x.com/carrot_c4k3/status/1981046493877350904

[7] http://web.archive.org/web/20250618065646/

[8] https://weareapartyof1.substack.com/p/glass-cage-zero-day-imessage-attack
