QuaDream: New Israeli spyware targets activists and journalists across Middle East


The report did not disclose the names of the victims of the latest Israeli spyware

New spyware by Israeli firm QuaDream has been abused by at least 10 countries as part of efforts to target journalists and activists, experts at Citizen Lab unveiled on Tuesday.

By analysing samples shared by Microsoft Threat Intelligence, the research group was able to trace a suspected zero-click exploit that delivered invisible iCloud calendar invitations to victims.

“The company is known for its spyware marketed under the name ‘Reign’, which, like NSO Group’s Pegasus spyware, reportedly utilises zero-click exploits to hack into target devices,” the Toronto-based entity said.

The investigation found that victims include journalists, political opposition figures, and an NGO worker.

The main operators of the servers were located in Israel, the United Arab Emirates, Bulgaria, the Czech Republic and Hungary, among other countries. Last year, reports by Reuters and other media outlets found that Saudi Arabia was among the company's clients.

Israel’s government is also suspected of abusing QuaDream’s spyware to target Palestinian activists.

“The firm has common roots with NSO Group, as well as other companies in the Israeli commercial spyware industry, and the Israeli government’s own intelligence agencies,” the report said, referring to the notorious Israeli spyware company.

QuaDream maintains a low profile and reports say employees are told not to mention the company on social media. Some of the key officials identified in the company include co-founder and major shareholder Ilan Dabelstein, who is also a former Israeli military official.

Functionality

The Citizen Lab experts found that the Israeli spyware records audio from calls, records from the microphone, captures photos from the front and back cameras, tracks locations – all while removing all of its traces.

“The functions appear to be executed when a special cleanup command is received from the spyware’s command-and-control server. The cleanup command includes an email address that specifies the scope of the cleanup,” the report said.

It said suspicious calendar events were a crucial element in the probe, as they often carried the title “meeting” and the description “note”.

“Any iCloud calendar invitation with a backdated time received by the phone is automatically processed and added to the user’s calendar[…]we are unsure why the events are overlapping, though there may be a specific behaviour triggered by overlapping events,” the report said.
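The indicators quoted above (a backdated invitation, the generic title “meeting” and description “note”, and overlapping events) can be turned into a simple triage pass over a calendar export. The following is an added example for defenders, not code from Citizen Lab or the report; the record fields and the sample events are constructed for illustration and do not reflect a real iCloud export format.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed record shape; field names are an assumption for this example.
@dataclass
class CalendarEvent:
    uid: str
    summary: str
    description: str
    start: datetime
    end: datetime
    received: datetime  # when the invitation arrived on the device

def is_backdated(ev: CalendarEvent) -> bool:
    # The invitation arrived after the event it describes had already begun.
    return ev.received > ev.start

def has_generic_fields(ev: CalendarEvent) -> bool:
    # Title "meeting" and description "note", as noted in the report.
    return (ev.summary.strip().lower() == "meeting"
            and ev.description.strip().lower() == "note")

def overlaps(a: CalendarEvent, b: CalendarEvent) -> bool:
    return a.start < b.end and b.start < a.end

def flag_events(events):
    """Return uids of events that are both backdated and generically labelled."""
    return sorted(e.uid for e in events if is_backdated(e) and has_generic_fields(e))

def overlapping_pairs(events):
    """Return pairs of flagged events whose time ranges overlap (sorted uids)."""
    flagged = [e for e in events if e.uid in set(flag_events(events))]
    pairs = []
    for i, a in enumerate(flagged):
        for b in flagged[i + 1:]:
            if overlaps(a, b):
                pairs.append(tuple(sorted((a.uid, b.uid))))
    return sorted(pairs)

# Constructed sample export: two backdated, overlapping generic invites,
# one ordinary future appointment, one generic but legitimately future invite.
SAMPLE = [
    CalendarEvent("ev-1", "meeting", "note", datetime(2023, 1, 10, 9), datetime(2023, 1, 10, 10), datetime(2023, 1, 12, 8)),
    CalendarEvent("ev-2", "meeting", "note", datetime(2023, 1, 10, 9, 30), datetime(2023, 1, 10, 10, 30), datetime(2023, 1, 12, 8)),
    CalendarEvent("ev-3", "Dentist", "", datetime(2023, 1, 20, 14), datetime(2023, 1, 20, 15), datetime(2023, 1, 15, 9)),
    CalendarEvent("ev-4", "meeting", "note", datetime(2023, 1, 25, 11), datetime(2023, 1, 25, 12), datetime(2023, 1, 15, 9)),
]

if __name__ == "__main__":
    print(flag_events(SAMPLE), overlapping_pairs(SAMPLE))
```

A hit is a prompt for forensic follow-up, not proof of infection; legitimate backdated invitations do occur.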

Citizen Lab was able to identify more than 600 servers and 200 domain names that it said it is “highly confident” are related to QuaDream’s activities between late 2021 and early 2023.

Last year, Citizen Lab emailed Vibeke Dank, QuaDream’s legal counsel, asking whether the company’s business practices are in line with human rights. It has not received a response.

Reports pointed to Dank’s role in providing legal assistance to similar spyware companies including NSO Group.

Meanwhile, Zvi Fischler was also identified in connection to the company. He previously worked in the Israeli military’s intelligence unit for 16 years, per his LinkedIn page.

A 2019 Intelligence Online report found that Fischler “was QuaDream’s head of sales for a long time.”

“QuaDream’s obscurity reflects an effort to avoid media scrutiny that was successful, for a time. Yet once QuaDream infections become discoverable through technical methods, a predictable cast of victims emerged: civil society and journalists,” Citizen Lab said.

The latest report offers yet another glimpse into the abuse of Israeli spyware by governments attempting to crack down on vocal opponents and the press.

The most prominent investigation to date is Amnesty International’s investigation into Pegasus, which identified some 180 journalists across 20 countries who were selected for potential targeting between 2016 and June 2021, including many across the Arab world.

Among them were Emirati activist Alaa Al-Siddiq, who passed away in 2021 in a tragic accident while exiled in London, as well as renowned Qatari businessman and beIN chief Nasser Al Khelaifi.

Al Jazeera employees were also among the victims of the data breach and lawsuits were filed in 2018 by the Qatar-based broadcaster’s journalists.

Pegasus allows governments to discreetly hack into mobile phones without the user’s knowledge, providing access to sensitive information such as messages and location data, as well as the ability to tap into cameras and microphones.

In 2021, Apple filed a lawsuit against NSO Group and its parent company for targeting its users.