Full Report
They’re the first confirmed cases of Paragon spyware on Apple products, according to Citizen Lab. The post Paragon spyware found on the phones of Euro journos appeared first on CyberScoop.
Analysis Summary
# Incident Report: Paragon Spyware Targeting European Journalists
## Executive Summary
Researchers from Citizen Lab confirmed the presence of Paragon mercenary spyware on the Apple devices of multiple European journalists, marking the first confirmed case on an Apple product. The attacks targeted investigative journalists in Italy and at least one other unnamed European country, highlighting the ongoing misuse of commercial spyware technology. The exact initial infection method is not detailed; the incident drew public attention and followed prior alerts from WhatsApp and Apple regarding surveillance threats.
## Incident Details
- **Discovery Date:** June 12, 2025 (Date of Citizen Lab report publication)
- **Incident Date:** Occurred prior to June 2025, following the WhatsApp alert (January) and the Apple alert (April).
- **Affected Organization:** Journalists affiliated with the Italian investigative outlet Fanpage (specifically named: Ciro Pellegrino and Francesco Cancellato) and one unnamed European journalist.
- **Sector:** Media/Journalism
- **Geography:** Italy, and at least one other European country.
## Timeline of Events
### Initial Access
- **Date/Time:** Undocumented, prior to mid-June 2025.
- **Vector:** Unspecified, but involved the deployment of Paragon spyware onto Apple mobile devices.
- **Details:** The targeting appears tied to a specific Paragon customer: the same customer targeted both the Italian journalist and the unnamed European journalist.
### Lateral Movement
- Details are not provided in the source material concerning internal network movement; the focus is on the mobile endpoint compromise.
### Data Exfiltration/Impact
- **What was stolen or damaged:** Not explicitly stated, but the nature of mercenary spyware (like Paragon/NSO Group offerings) implies the ability to monitor communications, access files, and potentially exfiltrate sensitive data from the compromised mobile devices.
### Detection & Response
- **How it was discovered:** Citizen Lab forensic analysis confirmed the presence of Paragon spyware on Ciro Pellegrino's phone, following a prior alert concerning Francesco Cancellato's device. This investigation was partially spurred by prior notifications from Apple (April) and WhatsApp (January).
- **Response actions taken:** Citizen Lab published its findings globally. The Italian government reportedly ended its contract with Paragon following internal scrutiny regarding previous spyware use.
## Attack Methodology
- **Initial Access:** Suspected use of zero-click or highly targeted phishing methods typical of mercenary spyware against mobile devices.
- **Persistence:** Implicitly achieved via the Paragon spyware successfully installing on the Apple devices.
- **Privilege Escalation:** Not detailed, but required to fully compromise the operating system environment.
- **Defense Evasion:** Paragon is described as trying to present itself as "clean and undetectable."
- **Credential Access:** Not detailed, but likely capability exists within the spyware.
- **Discovery:** Not detailed.
- **Lateral Movement:** Not detailed (focused on endpoint compromise).
- **Collection:** Implicitly involves gathering communications and data from the targeted devices.
- **Exfiltration:** Implicitly involves sending compromised data off the device.
- **Impact:** Compromise of journalistic source confidentiality and personal security via complete device access.
## Impact Assessment
- **Financial:** Not disclosed. Spending on the software by Paragon's client (suspected to be an Italian government entity) is implied but unquantified.
- **Data Breach:** Likely sensitive journalistic communications and data from the targeted reporters.
- **Operational:** Disruption and compromise of the journalistic investigation workflow and security practices for the targeted individuals.
- **Reputational:** Significant negative reputational impact on Paragon, drawing parallels to scandals faced by NSO Group.
## Indicators of Compromise
- **Network indicators - defanged:** N/A (No specific IoCs provided in the text).
- **File indicators:** Presence of Paragon spyware components on Apple mobile operating systems.
- **Behavioral indicators:** Unexplained or malicious activity suggesting remote monitoring on the targeted devices.
## Response Actions
- **Containment measures:** Not specified for the victims, though the public disclosure itself is a response mechanism.
- **Eradication steps:** Victims would require professional device wiping/reimaging or replacement to ensure eradication from the compromised mobile endpoint.
- **Recovery actions:** Victims likely adopted heightened security awareness and stricter communication protocols.
## Lessons Learned
- Commercial "mercenary spyware" sold to governments is repeatedly subject to abuse against non-state targets, such as journalists, demonstrating a fundamental flaw in vendor control/oversight.
- Paragon, despite attempting to appear "clean," is facing the same scrutiny and scandal associated with other major spyware firms.
- The targeting appears systematic, following a pattern involving Italian journalists critical of the government.
## Recommendations
- Mobile security vendors (like Apple/WhatsApp) should continue proactive vulnerability detection and notification, as this ecosystem serves as the primary vector for such attacks.
- Governments procuring or experimenting with surveillance technology must establish stringent, verifiable oversight mechanisms to prevent internal abuse against domestic critics or journalists.
- Journalists and activists operating in high-risk environments should employ rigorous mobile security practices, including regular device resets and segregated communications channels.