Microsoft Corp and internet watchdog The Citizen Lab, in their reports, have identified at least 10 countries where an Israeli spyware company QuaDream targeted at least five civil society victims including journalists, political opposition figures, and an NGO worker.
“…Once QuaDream infections become discoverable through technical methods, a predictable cast of victims emerged: civil society and journalists. This pattern is a repetition of the abuses found with more notorious players, like NSO Group’s Pegasus spyware, Cytrox’s Predator spyware, and before them Hacking Team and FinFisher,” said The Citizen Lab report.
What is QuaDream? QuaDream is an Israeli surveillance technology company that specializes in the development and sale of advanced digital offensive technology to government clients. It was founded by a group including two former NSO Group employees, Guy Geva and Nimrod Reznik. The NSO Group is the company that developed the Pegasus spyware that had created quite a buzz in India.
STAY ON TOP OF TECH POLICY: Our daily newsletter with the top story of the day, delivered to your inbox before 9 AM. Click here to sign up today!
Which countries have QuaDream systems?
On scanning the internet, The Citizen Lab identified Bulgaria, Czech Republic, Hungary, Ghana, Israel, Mexico, Romania, Singapore, United Arab Emirates (UAE), and Uzbekistan as the countries where there are QuaDream systems. Of these, Hungary, Mexico, and the UAE are known to abuse spyware to target human rights defenders, journalists, and other civil society members.
How does QuaDream hack into user device?
The Citizen Lab report identified traces of a “suspected iOS 14 zero-click exploit” used to deploy QuaDream’s spyware. This essentially means that the cyberattack was carried out without the user’s intervention. Dubbed ENDOFDAYS, the exploit was deployed against iOS versions 14.4 and 14.4.2, and possibly other versions. It uses invisible iCloud calendar invitations sent from the spyware’s operator to victims. These invites would be back-dates and so, on iOS 14, these would be automatically processed and added to the user’s calendar without a notification.
What can the spyware do?
The Microsoft Threat Intelligence shared with the internet watchdog two samples (Samples 1 and 2) of iOS spyware that they call KingsPawn and attributed them to QuaDream “with high confidence.” As per the Microsoft report, some of the codes in these samples can also be used on Android devices. After analyzing the samples, The Citizen Lab identified Sample 2 as the “final spyware payload” that can hot-mic audio recording of calls and the environment and even search through the phone.
Specifically, The Citizen Lab report said, “Sample 2 appears to have functionality for:
- Recording audio from phone calls
- Recording audio from the microphone
- Taking pictures through the device’s front or back camera
- Exfiltrating and removing items from the device’s keychain
- Hijacking the phone’s Anisette framework and hooking the gettimeofday syscall to generate iCloud time-based one-time password (TOTP) login codes for arbitrary dates. We [The Citizen Lab] suspect that this is used to generate two-factor authentication codes valid for future dates, in order to facilitate persistent exfiltration of the user’s data directly from iCloud
- Running queries in SQL databases on the phone
- Cleaning remnants that might be left behind by zero-click exploits
- Tracking the device’s location
- Performing various filesystem operations including searching for files matching specified characteristics.”
The spyware also contains a self-destruct feature that cleans up its own traces. Then there is the “Calendar Cleanup” function of the spyware that deletes specific calendar events from the iOS calendar whose “start date is after 728 days ago” and who matches a “supplied email address.”.
“The functions appear to be executed when a special cleanup command is received from the spyware’s command-and-control server. The cleanup command includes an email address that specifies the scope of the cleanup,” said The Citizen Lab.
As per Microsoft’s report, the spyware can also get device information like the iOS version and battery status, Wi-Fi information (SSID and airplane mode status), cellular information (carrier, SIM card data, and phone number), monitor phone calls, generate an iCloud time-based one-time password (TOTP).
Why it matters: Reports like these highlight that there is a large industry for mercenary spyware that threaten the work of journalists and civil society groups. It’s no longer only governments but even private entities that have access to such surveillance. It is worrisome that some countries suspected of having QuaDream customers are known for their attacks on human rights defenders. India too has been flagged for its failure to act on a spyware like Pegasus. Thus, it is important to understand the manner in which these spywares invade and monitor individuals’ devices.
Indian government’s interest in spyware
In 2022, the Organised Crime and Corruption Reporting Project (OCCRP) in an investigation said that the Indian government received a shipment containing hardware that resembles equipment used in the deployment of Pegasus. As per the investigation, India’s principal intelligence agency, Intelligence Bureau, purchased the hardware in April 2017 from the NSO Group.
However, in 2021, Bloomberg reported that the NSO group was in danger of defaulting on its debts and was considering shutting down its Pegasus spyware unit or selling the entire company. While this might mean a win for privacy, it also means that governments across the globe, including India, could end up looking for alternative technologies.
According to The Citizen Lab’s report, “Until the out-of-control proliferation of commercial spyware is successfully curtailed through systemic government regulations, the number of abuse cases is likely to continue to grow, fueled both by companies with recognizable names, as well as others still operating in the shadows.”
In its report, the internet watchdog also included a list of “key individuals” associated with QuaDream and InReach through a review of corporate documents, newspaper articles, etc., which may be viewed here. The list includes Geva and Rinsky who were involved in the Pegasus spyware as well.
This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.
- Meta Manager Reportedly Spied On By Greek Intelligence Agency Using Predator Spyware
- Meta Reports How Spyware Firms Target Activists And Journalists On Its Platforms
- ‘When Spyware Turns Phones Into Weapons’: CPJ Report On How Spyware Impacts Journalists And Press Freedom
- NSO Faces Trouble At Home As Israel Launches Investigation Into Domestic Use Of Pegasus Spyware