\nMercenary spyware hacked iPhone victims with rogue calendar invites, researchers say<\/br>
\n2023-04-11 21:54:00<\/br><\/p>\n
Hackers using spyware<\/span> made by a little known cyber mercenary company used malicious calendar invites to hack the iPhones of journalists, political opposition figures and an NGO worker, according to two reports.<\/p>\n Researchers at Microsoft and the digital rights group Citizen Lab analyzed samples of malware they say was created by QuaDream, an Israeli spyware maker that has been reported<\/a> to develop zero-click exploits \u2014 meaning hacking tools that don\u2019t require the target to click on malicious links \u2014 for iPhones.<\/p>\n QuaDream has been able to mostly fly under the radar until recently. In 2021, Israeli newspaper Haaretz reported that QuaDream sold its wares<\/a> to Saudi Arabia. The next year, Reuters reported that QuaDream sold an exploit to hack iPhones that was similar to one provided by NSO Group, and that the company doesn\u2019t operate<\/a> the spyware, its government customers do \u2014 a common practice in the surveillance tech industry.<\/p>\n QuaDream\u2019s customers operated servers from several countries around the world: Bulgaria, Czech Republic, Hungary, Romania, Ghana, Israel, Mexico, Singapore, United Arab Emirates (UAE) and Uzbekistan, according to internet scans done by Citizen Lab.<\/p>\n Both Citizen Lab<\/a> and Microsoft<\/a> published groundbreaking new technical reports on QuaDream\u2019s alleged spyware on Tuesday.<\/p>\n Microsoft said it found the original malware samples, and then shared them with Citizen Lab\u2019s researchers, who were able to identify more than five victims \u2014 an NGO worker, politicians and journalists \u2014 whose iPhones were hacked. The exploit used to hack those targets was developed for iOS 14, and at the time was unpatched and unknown to Apple, making it a so-called zero-day. The government hackers who were equipped with QuaDream\u2019s exploit used malicious calendar invites with dates in the past to deliver the malware, according to Citizen Lab.<\/p>\n Those invites didn\u2019t trigger a notification on the phone, which made them invisible to the target, Bill Marczak, a senior researcher at Citizen Lab who worked on the report, told TechCrunch.<\/p>\n Apple\u2019s spokesperson Scott Radcliffe said that there\u2019s no evidence showing the exploit discovered by Microsoft and Citizen Lab has been used after March 2021, when the company released an update.<\/p>\n Citizen Lab is not naming the victims because they don\u2019t want to be identified. Marczak said that they are all in different countries, which makes it harder for the victims to come out.<\/p>\n \u201cNobody necessarily wants to be the first one in their community to come out and say, \u2018yes, I was targeted,\u2019\u201d he said, adding that it\u2019s usually easier if the victims are all in the same country and part of the same community or group.<\/p>\n Before Microsoft contacted Citizen Lab, Marczak said he and his colleagues had identified several people targeted by an exploit that was similar to the one used by NSO Group customers in 2021, known as FORCEDENTRY<\/a>. At the time, Marczak and colleagues concluded that those people were targeted with a tool made by another company, not NSO Group.<\/p>\n Image Credits:<\/strong> The Citizen Lab<\/p>\n<\/div>\n The analyzed samples include the initial payload, which is designed to then download the actual malware \u2014 the second sample \u2014 if it\u2019s on the device of the intended target. The final payload records phone calls, records audio using the phone\u2019s microphone surreptitiously, take pictures, steal files, track the person\u2019s granular location and deletes forensic traces of its own existence, among other functionalities, according to Citizen Lab and Microsoft.<\/p>\n Still, Citizen Lab researchers said the malware does leave certain traces that allowed them to track QuaDream\u2019s spyware. The researchers said they don\u2019t want to reveal what these traces are in order to retain their ability to track the malware. They called the traces of malware the \u201cEctoplasm Factor,\u201d a name that Marczak said was inspired by a quest in the popular game Stardew Valley, which he said he plays.<\/p>\n Citizen Lab researchers also claimed that QuaDream uses a Cyprus-based company called InReach to sell its products.<\/p>\n A person who has worked in the spyware industry confirmed to TechCrunch that QuaDream used InReach \u201cto bypass the Israeli [export] regulator.\u201d For example, the person said, that\u2019s how QuaDream sold to Saudi Arabia.<\/p>\n This workaround, however, apparently didn\u2019t allow them to skirt regulations completely.<\/p>\n \u201c[QuaDream] had four signed deals with countries in Africa (Morocco and few others) but because of the change in the regulation in Israel (limited to only 36 countries), they couldn\u2019t deliver them,\u201d said the person, who asked to remain anonymous to discuss sensitive industry details.<\/p>\n The source said that other than Saudi Arabia, QuaDream also sold to Ghana, the UAE, Uzbekistan and Singapore, its first customer. Also, the person added, \u201ctheir system is the most important system in Mexico currently,\u201d it\u2019s operated by the country\u2019s president, and it was nominally sold to the local government of Mexico City, \u201cto keep it quiet.\u201d<\/p>\n The Mexican consulate in New York City did not respond to a request for comment.<\/p>\n According to the source, QuaDream \u201crecently shut down their Android division and is now focusing on iOS only.\u201d<\/p>\n Citizen Lab named several people who allegedly work for QuaDream or InReach. None of them, except for one, responded to a request for comment from TechCrunch. The person who responded said that he has no connection to QuaDream, and that his name was wrongly associated with the company in the past.<\/p>\n The discovery of QuaDream\u2019s malware shows once again that the spyware industry \u2014 once dominated by Hacking Team and FinFisher \u2014 is not only made of NSO Group but several other companies, most of which are still flying under the radar.<\/p>\n \u201cThere\u2019s a broader ecosystem of these companies and targeting individual companies is not necessarily the optimal strategy for reining in the industry,\u201d Marczak said.<\/p>\n In a blog post<\/a> accompanying Microsoft\u2019s report, Amy Hogan-Burney, the company\u2019s general manager and associate general counsel for cybersecurity policy and protection, wrote that \u201cthe explosive growth of private \u2018cyber mercenary\u2019 companies poses a threat to democracy and human rights around the world.\u201d<\/p>\n \u201cAs the technology industry builds and maintains the majority of what we consider \u2018cyberspace,\u2019 we as an industry have a responsibility to limit the harm caused by cyber mercenaries,\u201d wrote Hogan-Burney. \u201cIt is only a matter of time before the use of the tools and technologies they sell spread even further. This poses real risk to human rights online, but also to the security and stability of the broader online environment. The services they offer require cyber mercenaries to stockpile vulnerabilities and search for new ways to access networks without authorization. Their actions do not only impact the individual they target, but leave whole networks and products exposed and vulnerable to further attacks. We need to act against this threat before the situation escalates beyond what the technology industry can handle.\u201d<\/p>\n Do you have more information about QuaDream? Or another surveillance tech provider? We\u2019d love to hear from you. You can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Wickr, Telegram and Wire @lorenzofb, or email lorenzo@techcrunch.com<\/a>. You can also contact TechCrunch via\u00a0SecureDrop<\/a>.<\/em><\/p>\n<\/p><\/div>\n <\/br><\/br><\/br><\/p>\n![\"Map](\"https:\/\/i0.wp.com\/techcrunch.com\/wp-content\/uploads\/2023\/04\/QDMap.png?resize=1024%2C577&ssl=1\")
<\/p>\n
\n