Israeli spyware again used to surveil journalists, opposition figures

By Michael Hernandez

WASHINGTON (AA) - Malware from Israeli tech firm QuaDream has been used to surveil journalists, opposition politicians and an NGO worker, compromising their iPhones, an analysis released Tuesday determined.

The findings from the University of Toronto's Citizen Lab, conducted in conjunction with Microsoft Threat Intelligence, found five targets in Europe, North America, the Middle East and Southeast Asia. It is just the latest example of an Israeli firm's spyware being used to comprise data on devices of civil society members worldwide.

None of the victims were publicly identified but Citizen Lab's analysis of QuaDream servers found spyware operators in Bulgaria, the Czech Republic, Hungary, Ghana, Israel, Mexico, Romania, Singapore, United Arab Emirates and Uzbekistan.

KingsPawn, the malware identified by Citizen Lab and Microsoft, was a "zero-click" iOS exploit that adopted the same tactic as malware from fellow Israeli tech firm NSO Group.

That company manufactured the ForcedEntry exploit to deploy its infamous Pegasus spyware on phones worldwide, prompting lawsuits from Apple and Facebook parent company Meta. The US Department of Commerce later blacklisted NSO Group for supplying spyware to foreign governments that used it to surveil officials, journalists, businesspeople, activists, academics and embassy workers.

QuaDream is seen as a competitor to NSO Group and sells a spyware suite known as Reign that is used to compromise iPhones, gain access to their systems and steal data. A "zero-click" exploit allows for an individual's device to be hacked without action from the victim. QuaDream's software appears to have used invisible malicious iCloud calendar invitations from a spyware operator to the target. Those are then used to infiltrate the device and gain access to the data inside.

Microsoft Threat Intelligence assessed with "high confidence" that QuaDream is responsible for the KingsPawn software.

It could be used to carry out a number of malicious activities including recording phone call audio as well as audio from the device's microphone, taking pictures through the phone's camera accessing, exfiltrating items from the keychain and location tracking.