Full Report
The governments of Australia, Canada, Cyprus, Denmark, Israel, and Singapore are likely customers of spyware developed by Israeli company Paragon Solutions, according to a new report from The Citizen Lab. Paragon, founded in 2019 by Ehud Barak and Ehud Schneorson, is the maker of a surveillance tool called Graphite that is capable of harvesting sensitive data from instant messaging applications.
Analysis Summary
# Threat Actor: Paragon Solutions (vendor of Graphite spyware; its government customers are the implied operators)
## Attribution & Identity
The spyware is developed by the Israeli company **Paragon Solutions**, founded in 2019 by Ehud Barak and Ehud Schneorson. The threat actors that actually deploy it are implied to be government entities that purchase the software as commercial customers.
Known aliases and associated groups:
* **Software:** Graphite Spyware
* **Suspected Deploying Governments:** Australia, Canada, Cyprus, Denmark, Israel, and Singapore.
## Activity Summary
The activity centers around the deployment and use of Paragon's "Graphite" surveillance tool by several governments.
* **December 2024 Attacks:** WhatsApp notified approximately 90 journalists and civil society members that they were targeted by Graphite. These attacks were successfully disrupted by WhatsApp.
* **June 2024 Attack:** An infection of an iPhone belonging to the founder of the organization "Refugees in Libya" was identified; Apple subsequently addressed the underlying vulnerability with the release of iOS 18.
* The Citizen Lab identified server infrastructure associated with these deployments across multiple countries.
## Tactics, Techniques & Procedures
- **Initial Access/Delivery:** Targets were added to a WhatsApp group and subsequently sent a PDF document.
- **Exploitation:** Automatic parsing of the PDF by the receiving application triggered a **now-patched zero-day vulnerability** in WhatsApp/the mobile OS.
- **Payload Execution:** Successful exploitation led to loading the Graphite spyware.
- **Post-Exploitation:** The spyware performed **Android sandbox escapes** to compromise other applications on the targeted devices.
- **Forensic Artifact:** A forensic artifact dubbed **BIGPRETZEL** is suspected to uniquely identify infections with Graphite spyware on Android devices.
## Targeting
- **Sectors:** Journalists, civil society members, and individuals associated with specific organizations (e.g., Refugees in Libya founder).
- **Geography:** Individuals targeted were spread across over two dozen countries, including specific examples such as Belgium, Greece, Latvia, Lithuania, Austria, Cyprus, Czech Republic, Denmark, Germany, the Netherlands, Portugal, Spain, and Sweden.
- **Victims:** Approximately 90 journalists and civil society members targeted in December 2024; the founder of the organization Refugees in Libya (June 2024).
## Tools & Infrastructure
- **Malware families used:** Graphite Spyware.
- **Infrastructure (C2, domains, IPs):** The Citizen Lab mapped server infrastructure suspected to be associated with the spyware deployments of the suspected government customers. (The article text provides no specific domains or IP addresses.)
## Implications
This represents the proliferation of "mercenary spyware," which is described as extremely sophisticated, costly to develop, and often short-lived. Its use targets specific individuals based on their identity or vocation (journalists, activists), posing a significant threat to privacy and a free press globally.
## Mitigations
- Apply mobile operating system updates promptly (Apple shipped a fix in iOS 18 in response to the known vector).
- Treat unsolicited attachments (such as PDFs) received via instant messaging applications with suspicion, especially when they arrive from unknown groups.
- Notify users identified as high-risk targets of potential targeting (as WhatsApp did for its affected users).