In July 2021, someone sent Google a batch of malicious code that could be used to hack PCs by exploiting Chrome, Firefox, and Windows Defender. That code was part of an exploitation framework called Heliconia. According to Google, the exploits targeting these applications were zero-days at the time, meaning the affected software makers were unaware of the bugs.
More than a year later, in November 2022, Google's Threat Analysis Group, the company's team that investigates government-backed threats, published a blog post analyzing these exploits and the Heliconia framework. Google researchers concluded that the code belonged to Variston, a little-known start-up based in Barcelona.
“It was a big crisis at the time, mainly because we went unnoticed for quite some time,” a former Variston employee told TechCrunch. “In the end, everyone believed that if they were caught, they would be exposed [in the wild], but it was rather a leak.”
Another former Variston employee said the code was sent to Google by a disgruntled company employee, and that after that happened, Variston's name and secrets were “burned.”
Google continued to investigate Variston's malware. In March 2023, researchers at the tech giant discovered that spyware made by Variston was being used in Kazakhstan, Malaysia, and the United Arab Emirates. Last week, Google reported that it had discovered that Variston's hacking tools had been used against iPhone owners in Indonesia.
More than half a dozen Variston employees have left the company in the past year, they told TechCrunch, speaking on condition of anonymity because their non-disclosure agreements did not authorize them to speak to the press.
Now, four former employees and two people familiar with the spyware market say Variston is shutting down.
In the early 2010s, it became public knowledge that there was a thriving market in which Western-based companies such as Hacking Team, FinFisher, and NSO Group provided surveillance and hacking tools to countries and regimes with questionable or inadequate human rights records, including Ethiopia, Mexico, Saudi Arabia, the United Arab Emirates, and many others.
Since then, digital human rights organizations such as Citizen Lab and Amnesty International have documented dozens of cases in which government customers of these spyware makers used the tools to hack and spy on journalists, dissidents, and human rights activists.
Over the past few years, the offensive security industry has become more common and normalized. Some of these spyware makers and exploit developers openly advertise their services online, their employees disclose where they work on social media, and popular security conferences such as OffensiveCon and HexaCon openly cater to the industry.
But Variston has always tried to fly under the radar.
The company's only public information is a bare-bones website that vaguely explains what it does.
“Our toolset is built on the vast accumulated experience of our consultants to support the discovery of digital information by [law enforcement agencies],” reads Variston's website, the only brief mention of the company's activities as a spyware and exploit maker for government agencies.
According to former employees who spoke to TechCrunch, Variston forbade employees from disclosing where they worked, not only on LinkedIn but also at cybersecurity conferences.
Variston was founded in Barcelona in 2018 and lists Ralf Wegener and Ramanan Jayaraman as founders and directors, according to Spanish business records seen by TechCrunch.
The company's website lists a different address in the city, but Variston was most recently working from an office in a co-working space a block from the beach in Poblenou, Barcelona. In October, a representative for the co-working space told TechCrunch that Variston was there and had been for several years.
When TechCrunch visited Variston's office this week, a representative from the co-working space insisted that Variston was still working there. The representative offered to take a message for Variston and said the company's representative was not in that day, but had been in the building during the week. Neither Wegener nor Jayaraman responded to multiple emails from TechCrunch seeking comment on Variston. An email sent to Variston's public email address was not returned.
One of Variston's first moves in 2018 was the acquisition of Truel IT, a small Italian zero-day research start-up, according to Italian business records seen by TechCrunch. Since then, Variston has grown to a company of approximately 100 staff. Besides Heliconia, its framework of exploits targeting Windows devices, Variston also developed exploits and hacking tools targeting iOS and Android. Former employees say Variston's Android product was called “Violet Pepper.”
Even the founder of Truel IT, who moved to Variston, does not identify Variston as his employer on his LinkedIn profile.
Former Variston employees say this level of secrecy also applied to the identities of the company's customers, with the exception of a special relationship with Protect, a company based in Abu Dhabi, United Arab Emirates.
“Variston was a supplier to Protect,” said a person familiar with Protect's operations, speaking on condition of anonymity because he was not authorized to speak to the press. “For a while, it was an important relationship for both parties.”
Former Variston employees said the company's work was “going to the UAE” and that Protect was “effectively its only customer.”
Former employees told TechCrunch that Protect funded all of Variston's operations, including the research and development side. One former Variston employee said that once Protect pulled developer funding in early 2023, Protect tried to force Variston employees to relocate. Then, later that year, when research funding stopped, Variston “closed up shop,” the person said.
Contact Us
Want to know more about Variston and Protect? You can contact Lorenzo Franceschi-Bicchierai securely from your non-work device on Signal (+1 917 257 1382), Telegram, Keybase and Wire @lorenzofb, or email. You can also contact TechCrunch via SecureDrop.
In early 2023, Protect asked all Variston employees to relocate to Abu Dhabi. Most of Variston's staff did not accept this proposal, and this is where the trouble for Variston began. Former employees said management gave them two options: move to Abu Dhabi or be fired, with no exceptions.
Protect bills itself as a “state-of-the-art cybersecurity and forensics company.” Like Variston, Protect says little on its website about what the company does.
However, security researchers at Google say that Protect (also known as Protect Electronic Systems) “combines the spyware it develops with the Heliconia framework and infrastructure into a complete package that is then offered to local brokers or directly to government customers.”
That would also explain how Variston's tools are said to have been used in Indonesia, Kazakhstan, and Malaysia.
According to Intelligence Online, a trade publication covering the surveillance and intelligence industry, Protect was launched after it became public that DarkMatter, a controversial UAE-based hacking firm, had employed Americans to help the UAE government spy on dissidents, political opponents, and journalists.
As of 2019, Protect was headed by Awad Al Shamsi and provided “covert access to foreign cyber technology to users in the UAE government,” Intelligence Online reported. It is unclear whether Mr. Al Shamsi is still with Protect, and he did not respond to an email requesting comment. Protect did not respond to several other emails from TechCrunch.
Variston founders Wegener and Jayaraman also appear to have worked for Protect since at least 2016, according to public online records of encryption keys linked to Protect email addresses seen by TechCrunch.
Wegener is a veteran of the surveillance industry. According to Intelligence Online, Wegener runs several other companies, including one based in Cyprus that Jayaraman also co-owns. Wegener previously worked for AGT (Advanced German Technology), a surveillance provider founded in Berlin in 2001 with offices in Dubai. In 2007, AGT worked with the Syrian government, in collaboration with Italian spyware maker RCS Labs, to develop a real-time, nationwide, centralized internet surveillance system, according to reports based on leaked documents and an investigation by the nonprofit Privacy International. In the end, AGT did not deliver the system to the Syrian government.
Five years after its founding, Variston is no longer a secret startup.
Three former employees said Google's 2022 report blew Variston's cover. One of them said the Google report exposing Variston “could have been the beginning of the end” for the spyware maker.
But another former Variston employee said the company, like other spyware makers, was bound to be exposed eventually. “It was inevitable that it would happen sooner or later,” the source said. “That's quite normal.”
Natasha Lomas contributed reporting.
An earlier version of this report incorrectly stated that Google discovered Variston's tools in Italy, due to an editor's error.