Full Report
Researchers found suspected Graphite deployments in Australia, Canada, Cyprus, Denmark, Israel and Singapore. The post Six additional countries identified as suspected Paragon spyware customers appeared first on CyberScoop.
Analysis Summary
# Threat Actor: Paragon Solutions (Vendor) / Graphite (Spyware)
## Attribution & Identity
The primary focus is on **Paragon Solutions**, a spyware company identified as a vendor whose tool, **Graphite**, is suspected of being deployed by government customers. Citizen Lab identified suspected deployments linked to six new countries, in addition to previously known activity in Italy. Paragon markets itself as having an "abuse-proof business model," which researchers challenge.
## Activity Summary
Researchers from the University of Toronto’s Citizen Lab mapped the infrastructure of Paragon’s **Graphite** tool and identified suspected deployments in:
1. Australia
2. Canada (with potential links to the Ontario Provincial Police)
3. Cyprus
4. Denmark
5. Israel
6. Singapore
Additionally, heightened scrutiny was placed on Italian activity, which included potential targeting of:
* Sea rescue operations for migrants in the Sahel and Sub-Saharan regions.
* A personal friend of Pope Francis.
* Italian activist David Yambio (founder of Refugees in Libya), who was targeted while sharing information about torture victims with the ICC.
## Tactics, Techniques & Procedures
The source focuses on the deployment of commercial spyware, which suggests capabilities associated with state-sponsored surveillance. It does not detail specific technical TTPs (such as C2 protocols or exploit chains) beyond the existence of the **Graphite** tool.
- Deployment of proprietary spyware (Graphite).
- Targeting of activists, journalists, and groups operating in sensitive humanitarian/legal sectors.
## Targeting
- Sectors: Migrant sea rescue organizations, activists, journalists, individuals sharing information with international bodies (like the ICC).
- Geography: Australia, Canada, Cyprus, Denmark, Israel, Singapore, Italy, and potentially organizations operating in the Sahel and Sub-Saharan regions (via Italian-linked targeting).
- Victims: David Yambio (Italian activist), sea rescue operations for migrants, a personal friend of Pope Francis, and potentially the Ontario Provincial Police (if used by them).
## Tools & Infrastructure
- Malware families used: **Graphite** (Paragon's spyware).
- Infrastructure (C2, domains, IPs): Not specifically detailed in the summary, other than the "infrastructure of Paragon’s Graphite tool" being mapped.
## Implications
Paragon Solutions appears to be a proliferating player in the commercial spyware market whose claims of ethical sales practices are being actively challenged by real-world targeting cases. The use of this spyware against humanitarian workers (sea rescue NGOs) and figures engaging with international legal bodies (ICC) points to potential severe human rights abuses facilitated by countries acquiring this technology. This activity exacerbates the "digital surveillance crisis" in Europe.
## Mitigations
- Scrutiny of commercial spyware vendors' compliance claims regarding respecting fundamental rights and freedoms.
- Heightened defensive posture for organizations and individuals involved in migrant support, human rights advocacy, or international legal reporting, especially in identified jurisdictions.
- Given the nature of the tool (spyware targeting individuals), users should follow standard mobile threat detection and device hardening practices, though specific technical mitigations are not provided in the source text.