Full Report
Researchers found suspected Graphite deployments in Australia, Canada, Cyprus, Denmark, Israel and Singapore. The post Six additional countries identified as suspected Paragon spyware customers appeared first on CyberScoop.
Analysis Summary
# Threat Actor: Paragon Solutions (Suspected Government Customers)
## Attribution & Identity
**Threat Actor/Vendor:** Paragon Solutions (Spyware company)
**Known Aliases and Associated Groups:** The reporting focuses on the suspected *customers* of Paragon's spyware tool "Graphite" rather than on a single named operator; Paragon itself is the central entity supplying the surveillance capability.
## Activity Summary
Researchers from the University of Toronto’s Citizen Lab identified six additional countries suspected of deploying Paragon’s **Graphite** spyware, adding to previously known clients.
* New suspected customer countries identified: Australia, Canada, Cyprus, Denmark, Israel, and Singapore.
* Potential links were found between Paragon deployments and the **Ontario Provincial Police**.
* Additional activity was detailed in **Italy**, including potential targeting of sea rescue operations for migrants in the Sahel and Sub-Saharan regions, and the targeting of a personal friend of the Pope.
* Italian activist David Yambio, founder of Refugees in Libya, reported being targeted around the time he was sharing confidential information about torture victims with the International Criminal Court (ICC).
* Paragon's marketing claims regarding abuse prevention are being challenged, as targets include journalists and activists.
## Tactics, Techniques & Procedures
- Deployment of spyware tool named **Graphite**.
- Targeting of activists, journalists, and organizations involved in migrant rescue operations.
- Sophistication sufficient to go undetected by targets until analysis by Citizen Lab.
- *Note: Specific MITRE ATT&CK IDs were not provided in the article for Graphite operations.*
## Targeting
- **Sectors:** Migrant Sea Rescue Organizations, Activists, Journalists, potentially Law Enforcement (Ontario Provincial Police).
- **Geography:** Australia, Canada, Cyprus, Denmark, Israel, Singapore, and Italy (where specific targeting of migrant advocates occurred).
- **Victims:** David Yambio (Italian activist), a personal friend of the Pope, sea rescue operations personnel.
## Tools & Infrastructure
- **Malware families used:** **Graphite** (spyware).
- **Infrastructure (C2, domains, IPs):** Specific C2 infrastructure details were not provided (or were defanged) in the summary; it identifies only suspected deployments within certain nations and agencies.
## Implications
Paragon Solutions markets itself as having an "abuse-proof business model" to maintain international norms, but this research suggests **widespread potential misuse**, challenging their claims. The targeting of humanitarian/rescue operations and human rights advocates indicates high-level state surveillance capabilities being deployed against politically sensitive targets, worsening the "digital surveillance crisis in Europe."
## Mitigations
- Increased scrutiny and vetting for procurement of surveillance technology from vendors like Paragon Solutions, ensuring compliance with international rights norms.
- Organizations engaged in sensitive advocacy (e.g., migrant support, human rights reporting) must adopt stringent mobile security and threat monitoring, especially in high-risk jurisdictions.
- Defense against zero-click/exploitative spyware remains a critical need for high-value targets (HVTs).