A parliamentary investigation answered some, but not all, of the questions raised by a spyware scandal involving the use of Graphite, the spyware sold by the Israeli company Paragon.
# Incident Report: Alleged Unauthorized Use of Israeli Spyware Against Italian Activists
## Executive Summary
Italy's intelligence agencies, AISE and AISI, used 'Graphite', spyware developed by the Israeli company Paragon, against activists involved in rescuing migrants at sea, citing investigations into the facilitation of illegal immigration. The parliamentary oversight committee (COPASIR) confirmed that two named activists had been targeted under the agencies' own legal authorizations, but found no evidence in the agencies' records that a prominent Italian journalist, who had also received a warning notification, was targeted by Italian agencies; it raised the possibility that the journalist was targeted by another government customer of Paragon. The impact centers on the use of endpoint spyware, which defeats end-to-end encryption by reading messages on the device itself, against activists and a journalist, and on the resulting cancellation of both agencies' contracts with Paragon.
## Incident Details
- Discovery Date: January 2025 (when notifications to potential targets began)
- Incident Date: AISI activated Graphite in early 2023; AISE activated it on January 23, 2024
- Affected Organization: Italian intelligence agencies (AISE and AISI) were the operators; human rights activists and journalists were the targets
- Sector: Government/Intelligence and Non-Profit (migrant rescue)
- Geography: Italy
## Timeline of Events
### Initial Access
- Date/Time: AISI began using Graphite in early 2023; AISE began using it on January 23, 2024.
- Vector: Paragon's 'Graphite' spyware. The report does not describe the exploit used to install it; the capabilities described (reading chats stored on the device and intercepting communications from end-to-end encrypted apps) imply full compromise of the target's mobile device.
- Details: The agencies stated that each target was approved under their legal framework on the basis of investigations into the facilitation of illegal immigration.
### Lateral Movement
- Details: The report covers only the compromise of the targeted devices and does not describe any movement from a device into other systems; the spyware collects data from the compromised device itself.
### Data Exfiltration/Impact
- Details: AISE's use centered on intercepting real-time and stored communications, including content from end-to-end encrypted messaging apps, which is possible only because the implant reads messages on the endpoint after they have been decrypted; AISI's use centered on exfiltrating chat messages stored on the target devices. Confirmed targets included the activists Luca Casarini and Giuseppe Caccia.
### Detection & Response
- Detection: Targets received notifications from WhatsApp or Apple warning them that they may have been targeted with government spyware. The notifications triggered a political scandal and the COPASIR inquiry.
- Response Actions: COPASIR conducted an inquiry into the agencies' use of Graphite; AISE and AISI rescinded their contracts with Paragon.
## Attack Methodology
- Initial Access: Deployment of Paragon's 'Graphite' spyware to the targets' mobile devices, authorized (according to the agencies) for specific investigations.
- Persistence: Not detailed; a commercial implant of this kind is expected to remain resident on the device for the duration of the operation.
- Privilege Escalation: Not detailed; reading another app's stored messages requires escaping the mobile app sandbox, so the implant presumably runs with elevated privileges on the device.
- Defense Evasion: Not detailed; commercial spyware typically employs sophisticated evasion techniques.
- Credential Access: Not detailed.
- Discovery: Not detailed for on-device reconnaissance. The agencies' stated uses of Graphite included locating fugitives, counter-terrorism, and intelligence gathering.
- Lateral Movement: Not detailed.
- Collection: Real-time and stored communications, including content from end-to-end encrypted messaging apps, read from the device.
- Exfiltration: Data collected on the target devices was transmitted to the operators; the channel is not described.
- Impact: Surveillance of individuals engaged in humanitarian work (an NGO focused on migrant rescue).
## Impact Assessment
- Financial: Not disclosed; costs associated with the contract cancellations and the internal review are likely but unquantified.
- Data Breach: Compromise of real-time and stored communications of individuals the agencies suspected of facilitating illegal immigration. COPASIR described the number of affected users as "extremely limited" but did not give a figure.
- Operational: Minimal operational impact on the agencies was reported; the reputational impact was significant enough to require termination of the Paragon contracts.
- Reputational: Significant political damage due to the confirmed use of surveillance tools against humanitarian actors, compounded by the unexplained notification received by the journalist.
## Indicators of Compromise
*Note: No technical IOCs were provided in the summary context; the investigation relied on the agencies' system audit logs of Graphite use rather than on forensic artifacts from victim devices.*
- Network indicators: Not specified
- File indicators: Not specified
- Behavioral indicators: Threat notifications from WhatsApp or Apple to the targeted users; access by the 'Graphite' implant to end-to-end encrypted messaging content and to files stored on the device.
## Response Actions
- Containment measures: AISE and AISI cancelled their contracts with Paragon.
- Eradication steps: Not detailed; remediation of the known victims' devices is presumed but not described.
- Recovery actions: The COPASIR investigation has concluded, but external scrutiny continues over targeting that the agencies' logs do not account for (notably the journalist's case).
## Lessons Learned
- Key takeaways: Endpoint spyware gives an operator the plaintext of end-to-end encrypted messaging because it reads content on the device, where encryption no longer protects it; a commercial surveillance tool licensed to multiple governments is a supply-chain risk that the agencies were forced to reassess.
- What could have been done better: COPASIR noted that targeting of Italian citizens by foreign Paragon customers remains a risk its inquiry could not rule out, since its scope covered only the Italian agencies' own use. The journalist's notification is not explained by any entry in the Italian intelligence logs.
## Recommendations
- Prevention measures for similar incidents: Contractual clauses that forbid targeting journalists and human rights activists must be actively enforced rather than assumed. Vendors whose tools are licensed to several governments should be required to demonstrate that one customer cannot target another customer's citizens under the cover of intelligence sharing. Oversight of intelligence warrants that touch sensitive professions (journalists and human rights defenders) should be strengthened with routine transparency checks.