The governments of Australia, Canada, Cyprus, Denmark, Israel and Singapore are likely customers of Israeli spyware maker Paragon Solutions, according to a new technical report from a well-known digital security lab.
On Wednesday, Citizen Lab, a group of academics and security researchers based at the University of Toronto that has investigated the spyware industry for more than a decade, published a report on the Israeli surveillance startup, identifying the six governments as “suspected Paragon deployments.”
At the end of January, WhatsApp notified about 90 users that the company believed they had been targeted with Paragon spyware, prompting a scandal in Italy, where some of the targets live.
Paragon has long tried to distinguish itself from competitors, such as NSO Group – whose spyware has been abused in several places – by claiming to be a more responsible spyware vendor. In 2021, an unnamed senior Paragon executive told Forbes that authoritarian or non-democratic regimes would never be its customers.
In response to the scandal prompted by the WhatsApp notifications in January, and in what was probably an attempt to bolster its claims to be a responsible spyware vendor, Paragon’s executive chairman John Fleming told TechCrunch that the company “licenses its technology to a group of global democracies – mainly the United States.”
Israeli newspapers reported at the end of 2024 that U.S. venture capital firm AE Industrial Partners had acquired Paragon for at least $500 million upfront.
In Wednesday’s report, Citizen Lab said it was able to map out the server infrastructure used by Paragon for its spyware tool, which the vendor codenamed Graphite, based on “a tip from a collaborator.”
Starting from this tip, and after developing some fingerprints capable of identifying Paragon-related servers and digital certificates, Citizen Lab’s researchers found some IP addresses hosted at local telecom companies. Citizen Lab said it believes these are servers belonging to Paragon customers, in part based on the initials of the certificates, which appear to match the names of the countries in which the servers are located.
According to Citizen Lab, one of the fingerprints developed by its researchers led to a digital certificate registered to Graphite, in what appears to be a significant operational mistake by the spyware maker.
“Strong circumstantial evidence supports a link between Paragon and the infrastructure we mapped out,” Citizen Lab wrote in the report.
“The infrastructure we found is linked to webpages entitled ‘Paragon’ returned by IP addresses in Israel (where Paragon is based), as well as a TLS certificate containing the organization name ‘Graph’,” the report said.
Citizen Lab noted that its researchers identified several other codenames, indicating other potential government customers of Paragon. Among the suspected customer countries, Citizen Lab singled out Canada’s Ontario Provincial Police (OPP), which specifically appears to be a Paragon customer given that one of the IP addresses for the suspected Canadian customer is linked directly to the OPP.
TechCrunch reached out to spokespeople for the following governments: Australia, Canada, Cyprus, Denmark, Israel and Singapore. TechCrunch also contacted the Ontario Provincial Police. None of the representatives responded to our requests for comment.
When reached by TechCrunch, Paragon’s Fleming said that Citizen Lab reached out to the company and provided “a very limited amount of information, some of which appears to be incorrect.”
Fleming added: “Given the limited nature of the information provided, we are unable to provide a comment at this time.” Fleming did not respond when TechCrunch asked what was inaccurate about Citizen Lab’s report, nor did he answer questions about whether the countries identified by Citizen Lab are Paragon customers, or about the status of its relationship with its Italian customers.
Citizen Lab noted that all the people who were notified by WhatsApp, and who then reached out to the organization to have their phones analyzed, used an Android phone. This allowed the researchers to identify a “forensic artifact” left by Paragon’s spyware, which the researchers called “Bigpretzel.”
Meta spokesperson Zade Alsawah told TechCrunch in a statement that the company “can confirm that we believe that what Citizen Lab refers to as Bigpretzel is related to Paragon.”
“We have seen first-hand how commercial spyware can be weaponized to target journalists and civil society, and these companies must be held accountable,” read Meta’s statement. “Our security team is constantly working to stay ahead of threats, and we will continue to work to protect people’s ability to communicate privately.”
Given that Android phones do not always preserve certain device logs, Citizen Lab noted that it is likely that more people were targeted by the Graphite spyware, even if there was no evidence of the spyware on their phones. And for the people who were identified as victims, it is not clear whether they were targeted on previous occasions.
Citizen Lab also noted that Paragon’s Graphite spyware targets and compromises specific apps on the phone – without the need for any interaction from the target – rather than compromising the wider operating system and the device’s data. In the case of Beppe Caccia, one of the victims in Italy, who works for an NGO that helps migrants, Citizen Lab found evidence that the spyware infected two other apps on his Android device, without naming the apps.
Targeting specific apps rather than the device’s operating system, Citizen Lab noted, can make it harder for forensic investigators to find evidence of a hack, but can give the app makers more visibility into spyware operations.
“Paragon’s spyware is trickier to spot than competitors like (NSO Group’s) Pegasus, but, at the end of the day, there is no ‘perfect’ spyware attack,” Bill Marczak, a senior researcher at Citizen Lab, told TechCrunch. “Perhaps the data is in different places from what we are used to, but with cooperation and information sharing, even the most difficult cases are revealed.”
Citizen Lab also said it analyzed the iPhone of David Yambio, who works closely with Caccia and others at his NGO. Yambio received a notification from Apple about his phone being targeted by mercenary spyware, but the researchers could not find evidence that he was targeted by the spyware.
Apple did not respond to a request for comment.