According to Google, government hackers last year exploited three unknown vulnerabilities in Apple's iPhone operating system to target victims with spyware developed by a European startup.
On Tuesday, Google's Threat Analysis Group, the company's team that investigates state-sponsored hacking, said the attack was carried out using hacking tools developed by multiple spyware and exploit sellers, including Barcelona-based startup Variston. published a report analyzing several government campaigns.
According to Google, in one of the campaigns, government hackers exploited three “zero days” on the iPhone. These vulnerabilities were unknown to Apple at the time they were exploited. In this case, the hacking tool was developed by Variston, a surveillance and hacking technology startup. The company's malware has already been analyzed by Google twice (in 2022 and 2023).
inquiry
Do you have more information about Variston or Protect Electronic Systems? We'd love to hear from you. You can contact Lorenzo Franceschi-Bicchierai securely from any non-work device on Signal (+1 917 257 1382) or on Telegram, Keybase and Wire @lorenzofb, or email lorenzo@techcrunch.com. You can also contact TechCrunch via SecureDrop.
Google announced in March 2023 that it discovered that an unknown Variston customer was using these zero-days to target iPhones in Indonesia. The hacker delivered his SMS text message containing a malicious link that infected the target's mobile phone with spyware and redirected the victim to a news article in Indonesian newspaper Pikiran Rakyat. Google has not disclosed who Baliston's government customers are in this case.
An Apple spokesperson did not comment when asked by TechCrunch if the company was aware of the hacking activity discovered by Google.
While Variston continues to attract attention from Google, the company has lost several employees over the past year, according to former staffers who spoke to TechCrunch on condition of anonymity due to non-disclosure agreements.
It is still unclear to whom Variston sold the spyware. According to Google, Variston “works with several other organizations to develop and distribute spyware.”
Google said one of those organizations is Protected AE, which is based in the United Arab Emirates. Local company records list the company as “Protect Electronic Systems,” founded in 2016 and headquartered in Abu Dhabi. On its official website, Protect bills itself as a “leading cybersecurity and forensics company.”
According to Google, Protect “combines the spyware it develops with Heliconia's framework and infrastructure into a complete package that is then sold directly to local intermediaries or government customers,” a software from Variston that Google previously detailed. Heliconia is mentioned. In 2022.
Variston was founded in Barcelona in 2018 by Ralph Wegener and Ramanan Jayaraman, and shortly after acquired Italian zero-day research firm True IT, according to Spanish and Italian business records seen by TechCrunch.
Mr. Wegener and Mr. Jayaraman did not respond to email requests for comment. Protect representatives also did not respond.
While much attention has been focused on Israeli companies such as NSO Group, Candiru and Quadream in recent years, Google's report shows that European spyware makers are expanding their reach and capabilities.
Google said in the report that its researchers are tracking about 40 spyware makers that sell exploits and surveillance software to government customers around the world. In the report, Google cites Variston as examples of relatively new companies entering the market, as well as Italian companies Cy4Gate, RCS Lab, and Negg. RCS Lab was a partner in Hacking Team, a now-defunct spyware maker he founded in 1993, but didn't develop any spyware on his own until recently, developing products for traditional phone eavesdropping at telecom providers. The focus was on sales. level.
In the report, Google says it will work to stop hacking campaigns carried out using tools from these companies as they are linked to targeted surveillance of journalists, dissidents, and politicians. said.
“Commercial surveillance vendors (CSVs) are enabling the spread of dangerous hacking tools,” Google said in the report. “The damage is not hypothetical. Spyware vendors point out that their tools are used legitimately for law enforcement and counterterrorism. Spyware deployed against people at home (what Google calls “high-risk users”) is well documented. ”
“Although spyware targets a smaller number of users than other types of cyber threat activity, the subsequent impact is far more far-reaching,” the company wrote. “This type of focused targeting threatens free speech, press freedom, and election integrity around the world.”