Journalists, politicians targeted by 'new Israeli spyware'

Hacking software was created by little-known firm QuaDream Ltd, which was established by an ex-Israeli military official and veterans of NSO Group, creator of notorious Pegasus, says Citizen Lab, a Canadian watchdog.

Spyware includes a self-destruct feature to hide its previous presence once it is no longer used, Citizen Lab says.

New Israeli-made spyware resembling the notorious Pegasus programme has been used to target journalists and opposition politicians in several countries, a Canadian watchdog said.

The spyware and related exploit or hacking software was created by the little-known firm QuaDream Ltd, which was established by a former Israeli military official and veterans of NSO Group, the creator of Pegasus, Citizen Lab said on Tuesday.

Citizen Lab, which studies the abuse of digital technologies, said that, based on samples shared with it by Microsoft Threat Intelligence, it identified at least five people targeted by QuaDream spyware and exploits in North America, Central Asia, Southeast Asia, Europe, and the Middle East.

"Victims include journalists, political opposition figures, and an NGO worker," it said, adding that it would not identify them at the moment.

Citizen Lab said it was able to identify more than 600 servers and 200 domain names linked to QuaDream's spyware between late 2021 and early 2023, including servers that have been used to receive data exfiltrated from QuaDream victims, and servers used for QuaDream's one-click browser exploits.

Spyware like Pegasus has been widely used by governments and other actors to spy on opponents, media and activists.

The programmes can be placed on computers and cellphones by phishing communications and backdoor exploits, and can survey and transmit information on the phone back to an operator without the user's knowledge.

"The company is known for its spyware marketed under the name 'Reign', which, like NSO Group’s Pegasus spyware, reportedly utilises zero-click exploits to hack into target devices," Citizen Lab said.

Self-destruct feature

The White House said in late March that Pegasus has been used by governments "to facilitate repression and enable human rights abuses."

Citizen Lab said that, once placed on a user's phone or computer, QuaDream's spyware can record audio from a phone call, record external sounds from a device's microphone, take pictures from cameras, and search the device's files, all without the user's knowledge.

The spyware can also generate its own two-factor authentication codes to enable continual access to the device owner's cloud accounts.

The spyware includes a self-destruct feature to hide its previous presence once it is no longer used, Citizen Lab said.

"Our analysis of the self-destruct feature revealed a process name used by the spyware, which we discovered on victim devices," Citizen Lab said.

Citizen Lab identified servers in 10 countries that received data from victims' devices, including Israel, Singapore, Mexico, the United Arab Emirates and Bulgaria.

QuaDream has marketed its spyware and services to many government clients, Citizen Lab said.

QuaDream has been involved in a legal battle with Cyprus-registered company InReach, which helped expose many of the former's practices.

The dispute arose when InReach failed to transfer 92 percent of the revenues to QuaDream per their agreement, starting with an invoice dated 26 June 2019.

"On 7 May 2020, QuaDream applied to the court in Cyprus to freeze InReach's assets, pending potential arbitration in the Court of Arbitration in Amsterdam," Citizen Lab added.
