Spyware Used Across 10 Countries, Says Citizen Lab, Microsoft


Journalists, opposition figures and advocacy groups across at least 10 countries hacked by Israeli spyware, research alleges

Spyware from an Israeli firm is once again in the headlines after new research allegedly tracked its use across a number of countries.

Two reports on Tuesday from both Microsoft and Canadian internet watchdog Citizen Lab alleged the spyware has been used against journalists, opposition figures and advocacy groups across at least 10 countries – including people in North America and Europe.

It should be noted that the spyware in question is not the infamous Pegasus from NSO Group (which is on the US Entity List), but rather is spyware from a lesser-known Israeli surveillance software provider called QuaDream Ltd.


Spyware usage

The Citizen Lab report alleges that QuaDream’s “KingsPawn” malware was identified when the Apple iPhones of a handful of civil society victims were hacked.

“Based on an analysis of samples shared with us by Microsoft Threat Intelligence, we developed indicators that enabled us to identify at least five civil society victims of QuaDream’s spyware and exploits in North America, Central Asia, Southeast Asia, Europe, and the Middle East,” said Citizen Lab.

“Victims include journalists, political opposition figures, and an NGO worker. We are not naming the victims at this time.”

Microsoft in its report said it believed with “high confidence” that the spyware was “strongly linked to QuaDream.”

“Microsoft Threat Intelligence analysts assess with high confidence that a threat group tracked by Microsoft as DEV-0196 is linked to an Israel-based private sector offensive actor (PSOA) known as QuaDream,” said the software giant.

“QuaDream reportedly sells a platform they call REIGN to governments for law enforcement purposes. REIGN is a suite of exploits, malware, and infrastructure designed to exfiltrate data from mobile devices.”

Citizen Lab said it was able to identify operator locations for QuaDream systems in the following countries: Bulgaria, Czechia, Hungary, Ghana, Israel, Mexico, Romania, Singapore, United Arab Emirates, and Uzbekistan.

Microsoft said it is sharing information about the spyware (the firm is codenamed DEV-0196 and the malware is codenamed KingsPawn) with its customers, industry partners, and the public “to improve collective knowledge of how PSOAs (private sector offensive actor) operate and raise awareness about how PSOAs facilitate the targeting and exploitation of civil society.”

Microsoft said basic cyber hygiene, including keeping the mobile device’s software updated to the latest version, enabling automatic software updates if available, using anti-malware software, and being vigilant about not clicking links in any unexpected or suspicious messages, is needed to combat this spyware.

“If you believe you may be targeted by advanced attackers and use an iOS device, we recommend enabling Lockdown Mode,” said Redmond. “Lockdown Mode offers enhanced security for iOS devices by reducing the attack surface available to threat actors.”

Citizen Lab meanwhile noted that QuaDream Ltd is an Israeli company that specialises in the development and sale of advanced digital offensive technology to government clients. It said the firm is known for its spyware marketed under the name “Reign”, which, like NSO Group’s Pegasus spyware, reportedly utilises zero-click exploits to hack into target devices.

Citizen Lab alleged that QuaDream has sold its products to a range of government clients including Singapore, Saudi Arabia, Mexico, and Ghana, and has pitched its services to Indonesia and Morocco.

Citizen Lab said that it had asked QuaDream questions about how its business practices take into account human rights and the potential for spyware abuse, but received no response as of publishing its report.

Shadow player?

In a statement, Microsoft Associate General Counsel Amy Hogan-Burney was quoted by Reuters as saying that mercenary hacking groups like QuaDream “thrive in the shadows” and that publicly outing them was “essential to stopping this activity.”

The Microsoft and Citizen Lab reports come after US President Joe Biden last month announced a crackdown on the international spyware industry.

The White House issued an executive order intended to curb the purchase of surveillance software by US agencies if the programs are also being used by repressive governments abroad.

In April last year, Citizen Lab, at the University of Toronto, wrote that the Pegasus spyware from NSO Group may have allegedly been used by the UAE on the UK’s Downing Street and Foreign Office computer systems.