
    Researchers identify a number of countries as potential Paragon spyware customers


    The governments of Australia, Canada, Cyprus, Denmark, Israel, and Singapore are likely customers of Israeli spyware maker Paragon Solutions, according to a new technical report by a renowned digital security lab.

    On Wednesday, The Citizen Lab, a group of academics and security researchers housed at the University of Toronto that has investigated the spyware industry for more than a decade, published a report about the Israeli-founded surveillance startup, identifying the six governments as “suspected Paragon deployments.”

    At the end of January, WhatsApp notified around 90 users that the company believed had been targeted with Paragon spyware, prompting a scandal in Italy, where some of the targets live.

    Paragon has long tried to distinguish itself from competitors, such as NSO Group — whose spyware has been abused in several countries — by claiming to be a more responsible spyware vendor. In 2021, an unnamed senior Paragon executive told Forbes that authoritarian or non-democratic regimes would never be its customers.

    In response to the scandal prompted by the WhatsApp notifications in January, and in what was perhaps an attempt to bolster its claims about being a responsible spyware vendor, Paragon’s executive chairman John Fleming told TechCrunch that the company “licenses its know-how to a select group of worldwide democracies — principally, the United States and its allies.”

    Israeli news outlets reported in late 2024 that U.S. venture capital firm AE Industrial Partners had acquired Paragon for at least $500 million upfront.

    An example of the attack flow for the Graphite spyware. Image Credits: Citizen Lab

    In the report out Wednesday, Citizen Lab said it was able to map the server infrastructure used by Paragon for its spyware tool, which the vendor codenamed Graphite, based on “a tip from a collaborator.”

    Starting from that tip, and after developing several fingerprints capable of identifying related Paragon servers and digital certificates, Citizen Lab’s researchers found several IP addresses hosted at local telecom companies. Citizen Lab said it believes these are servers belonging to Paragon customers, in part based on the initials of the certificates, which seem to match the names of the countries the servers are located in.

    According to Citizen Lab, one of the fingerprints developed by its researchers led to a digital certificate registered to Graphite, in what appears to be a significant operational mistake by the spyware maker.

    “Strong circumstantial proof helps a hyperlink between Paragon and the infrastructure we mapped out,” Citizen Lab wrote in the report.

    “The infrastructure we discovered is linked to webpages entitled ‘Paragon’ returned by IP addresses in Israel (where Paragon is based), in addition to a TLS certificate containing the group name ‘Graphite’,” the report said.

    Citizen Lab noted that its researchers identified several other codenames, indicating other potential governmental customers of Paragon. Among the suspected customer countries, Citizen Lab singled out Canada’s Ontario Provincial Police (OPP), which specifically appears to be a Paragon customer given that one of the IP addresses for the suspected Canadian customer is linked directly to the OPP.

    Contact Us

    Do you have more information about Paragon, and this spyware campaign? From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram and Keybase @lorenzofb, or email. You can also contact TechCrunch via SecureDrop.

    TechCrunch reached out to spokespeople for the following governments: Australia, Canada, Cyprus, Denmark, Israel, and Singapore. TechCrunch also contacted the Ontario Provincial Police. None of the representatives responded to our requests for comment.

    When reached by TechCrunch, Paragon’s Fleming said that Citizen Lab reached out to the company and provided “a really restricted quantity of data, some of which seems to be inaccurate.”

    Fleming added: “Given the restricted nature of the knowledge supplied, we’re unable to supply a remark right now.” Fleming did not respond when TechCrunch asked what was inaccurate about Citizen Lab’s report, nor did he respond to questions about whether the countries identified by Citizen Lab are Paragon customers, or the status of its relationship with its Italian customers.

    Citizen Lab noted that all the people who were notified by WhatsApp, and who then reached out to the organization to have their phones analyzed, used an Android phone. This allowed the researchers to identify a “forensic artifact” left by Paragon’s spyware, which the researchers called “BIGPRETZEL.”

    Meta spokesperson Zade Alsawah told TechCrunch in a statement that the company “can verify that we consider that the indicator Citizen Lab refers to as BIGPRETZEL is related to Paragon.”

    “We’ve seen first-hand how business spyware may be weaponized to focus on journalists and civil society, and these firms have to be held accountable,” read Meta’s statement. “Our safety workforce is consistently working to remain forward of threats, and we’ll proceed working to guard people’s potential to speak privately.”

    Given that Android phones don’t always preserve certain device logs, Citizen Lab noted that it’s likely more people were targeted by the Graphite spyware, even if there was no evidence of Paragon’s spyware on their phones. And for the people who were identified as victims, it’s not clear if they were targeted on previous occasions.

    Citizen Lab also noted that Paragon’s Graphite spyware targets and compromises specific apps on the phone — without needing any interaction from the target — rather than compromising the broader operating system and the device’s data. In the case of Beppe Caccia, one of the victims in Italy, who works for an NGO that helps migrants, Citizen Lab found evidence that the spyware infected two other apps on his Android device, without naming the apps.

    Targeting specific apps as opposed to the device’s operating system, Citizen Lab noted, may make it harder for forensic investigators to find evidence of a hack, but may give the app makers more visibility into spyware operations.

    “Paragon’s spyware is trickier to identify than opponents like [NSO Group’s] Pegasus, but, at the end of the day, there isn’t a ‘good’ spyware assault,” Bill Marczak, a senior researcher at Citizen Lab, told TechCrunch. “Maybe the clues are elsewhere than we’re used to, but with collaboration and data sharing, even the hardest instances unravel.”

    Citizen Lab also said it analyzed the iPhone of David Yambio, who works closely with Caccia and others at his NGO. Yambio received a notification from Apple about his phone being targeted by mercenary spyware, but the researchers could not find evidence that he was targeted with Paragon’s spyware.

    Apple did not respond to a request for comment.


