Governments in Australia, Canada, Cyprus, Denmark, Israel and Singapore are likely customers of Israeli spyware manufacturer Paragon Solutions, according to a new technical report from the well-known Digital Security Lab.
On Wednesday, Citizen Lab, a group of academics and security researchers who were housed at the University of Toronto, has been investigating the spyware industry for over a decade, released a report on surveillance startups set up in Israel, identifying six governments as “suspected paragon deployment.”
At the end of January, WhatsApp notified about 90 users that it believed the company was targeting Paragon Spyware, prompting a scandal in Italy, where some of its targets live.
Paragon has long tried to distinguish it from competitors such as NSO groups, where spyware is being abused in several countries by claiming it is a more responsible spyware vendor. In 2021, an unnamed senior Paragon executive told Forbes that an authoritarian or undemocratic administration is by no means a client.
In response to the scandal prompted by the WhatsApp notification in January, and in an attempt to bolster claims that it is a responsible spyware vendor, Paragon executive chairman John Fleming told TechCrunch that it would “license the technology primarily to global democratic groups, the US and its allies.”
Israeli press reported in late 2024 that US venture capital AE industry partners acquired Paragon for at least $500 million.
GraphiteSpyware.imageCredits Attack Flow Example: Citizen Lab
In a report Wednesday, Citizen Lab said that based on “tips from collaborators,” it could map the server infrastructure used by vendors for spyware tools codenamed graphite.
Starting with that tip, after developing several fingerprints that could identify relevant paragon servers and digital certificates, Citizen Lab researchers found several IP addresses hosted by local telecom companies. Citizen Lab said they consider these to be servers belonging to Paragon's customers. This is based on the initials of the certificate that appear to match the name of the country in which the server is located.
According to Citizen Lab, one of the fingerprints developed by the researchers led to a graphite-registered digital certificate from the Spyware manufacturer, which appears to be a significant operational error.
“Strong circumstantial evidence supports the link between Paragon and the infrastructure we mapped,” Citizen Lab wrote in the report.
“The infrastructure we found is linked to a web page entitled “Paragon” returned by an Israeli IP address (the underlying paragon), and to a TLS certificate containing the organization's name “graphite,” the report states.
Citizen Lab noted that researchers have identified several other codenames and pointed to paragons of other potential government customers. Among the suspicious client countries, Citizen Lab has picked out the Ontario Police (OPP) in Canada. This is likely to be a Paragon customer, especially given that one of the IP addresses of suspected Canadian customers is linked directly to the OPP.
Contact us Do you have any details about Paragon and this Spyware campaign? From non-work devices, you can safely contact Lorenzo Franceschi-Bicchierai with a signal of +1 917 257 1382, via Telegram and Keybase @lorenzofb, or send an email. You can also contact TechCrunch via SecureDrop.
TechCrunch has contacted spokesmen for the next governments of Australia, Canada, Cyprus, Denmark, Israel and Singapore. TechCrunch also contacted the Ontario Police Department. No representative responded to our request for comment.
When it reached TechCrunch, Paragon's Fleming said Citizen Lab had contacted the company and said it had provided a very limited amount of information.
Fleming added: “Given the limited nature of the information provided, we cannot provide comments at this time.” Fleming did not respond when TechCrunch asked what was inaccurate about the Citizen Lab report. He also responded to questions about whether the country identified by Citizen Lab is a Paragon customer or the status of its relationship with Italian customers.
Citizen Lab said that all people notified by WhatsApp had subsequently contacted the organization to analyze the phone and used Android phones. This allowed researchers to identify “forensic artifacts” left behind by Paragon's spyware, which researchers called “BigPretzel.”
“We can confirm that we believe Indicator Citizen Lab mentions that Big Pretzel is associated with Paragon,” Meta spokesman Zade Alsawah told TechCrunch in a statement.
“We've seen first-hand how to weaponize commercial spyware to target journalists and civil society. These companies must be accountable,” read Meta's statement. “Our security team is constantly working to stay ahead of the threats, and we continue to protect people's ability to communicate personally.”
Given that Android phones don't always keep certain device logs, Citizen Lab said it's likely that more people are targeting graphite spyware, even if there's no evidence of Paragon's spyware on their phones. And it is not clear to those identified as victims if they were targeted at previous opportunities.
Citizen Lab also noted that it targets Paragon's graphite spyware targets, compromises specific apps on the phone, and does not compromise data on the wider operating system and device without requiring interaction from the target. In the case of Beppe Caccia, one of the Italian victims, if he works for an NGO supporting immigration, Citizen Lab has discovered evidence that spyware infected his Android device with two other apps without naming the app.
Targeting a particular app, in contrast to the device's operating system, can make it difficult for forensic researchers to find evidence of hacking, but app makers can increase visibility through spyware manipulation.
“Paragon spyware is harder to find than its competitors [NSO Group’s] Bill Marczak, a senior researcher at Citizen Lab, says that there are no “perfect” spyware attacks, but no “perfect” spyware attacks.
Citizen Lab also said it analyzed David Yambio's iPhone, who has worked closely with Caccia and others at his NGO. Yambio received notification from Apple about mobile phones targeting Mercenary Spyware, but researchers were unable to find evidence that they were targeted with Paragon's spyware.
Apple did not respond to requests for comment.