The governments of Australia, Canada, Cyprus, Denmark, Israel and Singapore are potential customers of Israeli spyware maker Paragon Solutions, according to a new technical report by a renowned digital security lab.
On Wednesday, Citizen Lab, a group of academics and security researchers housed at the University of Toronto that has investigated the spyware industry for more than a decade, published a report on the Israeli surveillance startup, identifying the six governments as “Paragon’s suspicion”.
At the end of January, WhatsApp notified about 90 users that the company believed they had been targeted with Paragon spyware, causing a scandal in Italy, where some of the targets live.
Paragon has long tried to distinguish itself from competitors, such as NSO Group – whose spyware has been abused in many countries – by claiming to be a more responsible spyware supplier. In 2021, an unnamed senior Paragon employee told Forbes that authoritarian or non-democratic regimes would never be its clients.
Responding to the scandal caused by WhatsApp’s alerts in January, and in what was perhaps an attempt to strengthen its claims as a spyware seller, Paragon Executive President John Fleming
Israeli news outlets reported at the end of 2024 that US venture capital firm AE Industrial Partners had acquired Paragon for at least $500 million.
In the report on Wednesday, Citizen Lab said it was able to map the server infrastructure used by Paragon for its spyware tool, which the supplier codenamed Graphite, based on “one end of a partner”.
Starting with this tip, and after developing several fingerprints capable of identifying related Paragon servers and digital certificates, Citizen Lab researchers found several IP addresses hosted by local telecommunications companies. Citizen Lab said it believes these are servers belonging to Paragon customers, partly based on the initials of the certificates, which appear to match the names of the countries where the servers are located.
According to Citizen Lab, one of the fingerprints developed by its researchers led to a digital certificate registered to Graphite, which appears to be a significant operational mistake by the spyware maker.
“Strong occasions support a relationship between Paragon and the infrastructure we mapped,” Citizen Lab writes in the report.
“The infrastructure we found is linked to websites entitled ‘Paragon’ returned by IP addresses in Israel (where Paragon is based), as well as a TLS certificate containing the organization name ‘Graphite’,” the report said.
Citizen Lab noted that its researchers found many other codenames, indicating other possible Paragon government clients. Among the suspected customer countries, Citizen Lab singled out Canada’s Ontario Provincial Police (OPP), which specifically appears to be a Paragon customer, as one of the IP addresses for the suspected Canadian customer is directly linked to the OPP.
TechCrunch reached out to representatives for the following governments: Australia, Canada, Cyprus, Denmark, Israel and Singapore. TechCrunch also contacted the Ontario Provincial Police. None of the representatives responded to our requests for comment.
When reached by TechCrunch, Paragon’s Fleming said that Citizen Lab had reached out to the company and provided “a very limited amount of information, some of which seems to be inaccurate”.
Fleming added: “Given the limited nature of the information provided, we cannot give a comment right now.” Fleming did not respond when TechCrunch asked what was inaccurate about the Citizen Lab report, nor did he answer questions about whether the countries identified by Citizen Lab are Paragon customers or about the status of its relationship with its Italian customers.
Citizen Lab noted that all the people who were notified by WhatsApp, and who then reached out to the organization to have their phones analyzed, used an Android phone. This allowed the researchers to identify a “forensic artifact” left by Paragon’s spyware, which the researchers called “Bigpretzel”.
Meta spokesman Zade Alsawah told TechCrunch in a statement that the company “can confirm that we believe that what Citizen Lab refers to as Bigpretzel is linked to Paragon”.
“We have seen firsthand how commercial spyware can be armed to target journalists and civil society, and these companies must be accountable,” Meta’s statement said. “Our security team is constantly working to stay ahead of threats and we will continue to work to protect people’s ability to communicate privately.”
Since Android phones do not always preserve certain device logs, Citizen Lab noted that it is likely that more people were targeted with the Graphite spyware, even if no Paragon spyware was found on their phones. And for the people who were identified as victims, it is not clear whether they had been targeted on previous occasions.
Citizen Lab also noted that Paragon’s spyware targets and compromises specific applications on the phone – without the need for any interaction from the target – rather than compromising the wider operating system and the device’s data. In the case of Beppe Caccia, one of the victims in Italy, who works for an NGO that helps immigrants, Citizen Lab found evidence that the spyware had infected two other applications on his Android device, without naming the applications.
Targeting specific applications, as opposed to the device’s operating system, Citizen Lab noted, can make it harder for forensic researchers to find evidence of a hack, but can give the applications more visibility into the spyware.
“Paragon’s spyware is more difficult to identify than competitors like [NSO Group’s] Pegasus, but at the end of the day, it is not a ‘perfect’ spyware attack,” Bill Marczak, a senior researcher at Citizen Lab, told TechCrunch.
“The indications may be in different places than we are used to, but with cooperation and the exchange of information, even the most difficult cases unfold.”
Citizen Lab also said it has analyzed the iPhone of David Yambio, who works closely with Caccia and others at his NGO. Yambio received a notification from Apple that his phone had been targeted by mercenary spyware, but the researchers could not find evidence that he had been targeted with Paragon’s spyware.
Apple did not respond to a request for comment.