Potential Customers of Israeli Spyware Identified
According to a recent technical report from a well-regarded digital security lab, the governments of Australia, Canada, Cyprus, Denmark, Israel, and Singapore may be clients of Israeli spyware manufacturer Paragon Solutions.
The Citizen Lab, an academic and security research organization based at the University of Toronto and specializing in spyware investigations for over a decade, released a report on Wednesday revealing these six governments as “suspected Paragon deployments.”
At the end of January, WhatsApp notified approximately 90 users it believed had been targeted with Paragon spyware. The notifications set off a controversy in Italy, particularly around the various targets who came forward.
Paragon’s Position in the Spyware Market
Paragon has repeatedly aimed to differentiate itself from competitors like the NSO Group, whose spyware has been misused in various countries. An unnamed senior Paragon official stated in 2021 that the company would never serve authoritarian regimes or non-democratic governments.
After the fallout from the WhatsApp notifications in January, Paragon’s executive chairman, John Fleming, asserted to TechCrunch that the company “licenses its technology to a select group of global democracies — primarily, the United States and its allies.”
Evidence of Paragon’s Operations
Citizen Lab’s latest report explains how it traced the server infrastructure Paragon uses for its spyware, codenamed Graphite. The tracing began with a tip-off, which led the researchers to several IP addresses linked to local telecom companies and believed to belong to Paragon customers. Some of these were even associated with digital certificates consistent with the country names.
Citizen Lab identified one particular digital certificate that was registered to Graphite, suggesting a significant operational error by Paragon. They stated, “Strong circumstantial evidence supports a link between Paragon and the infrastructure we mapped out,” citing connections to ‘Paragon’ webpages returned by IP addresses within Israel.
Responses and Additional Findings
TechCrunch reached out to officials from the identified nations including Australia, Canada, Cyprus, Denmark, Israel, and Singapore, but did not receive any responses. However, Jeffrey Del Guidice of the Ontario Provincial Police acknowledged Citizen Lab’s findings, explaining that disclosing details about specific methods or technology could jeopardize ongoing investigations.
Paragon’s Fleming indicated that Citizen Lab’s inquiry presented only limited, possibly inaccurate information, stating that he could not comment further. Moreover, all identified WhatsApp users who contacted Citizen Lab for analysis had Android devices, which allowed the researchers to discover a “forensic artifact” dubbed “BIGPRETZEL” that is linked to Paragon’s spyware.
Citizen Lab noted that while targeting specific apps rather than the entire operating system makes hacks harder for forensic investigators to detect, it might give app developers more insight into spyware activity. Their findings revealed that Paragon’s spyware operates stealthily and is sometimes trickier to spot than competing spyware such as NSO Group’s Pegasus.