#mercenary spyware
Text
Ron Deibert’s “Chasing Shadows”
If you'd like an essay-formatted version of this post to read or share, here's a link to it on pluralistic.net, my surveillance-free, ad-free, tracker-free blog:
https://pluralistic.net/2025/02/04/citizen-lab/#nso-group
Since 2001, Ron Deibert has led Citizen Lab, the world's foremost "counterintelligence group for civil society," where they defend human rights activists, journalists and dissidents from the digital weapons deployed by the world's worst autocrats and thugs:
https://citizenlab.ca/
Citizen Lab's work is nothing short of breathtaking. For decades, this tiny, barely resourced group at a Canadian university has gone toe to toe with the world's most powerful cyber arms dealers – and won.
Today, Simon and Schuster publishes Chasing Shadows, Deibert's pulse-pounding, sphincter-tightening true memoir of his battles with the highly secretive industry whose billionaire owners provide mercenary spyware that's used by torturers, murderers and criminals to terrorize their victims:
https://www.simonandschuster.com/books/Chasing-Shadows/Ronald-J-Deibert/9781668014042
Mercenary spyware companies are based all over the world, but the global leader in providing these tools is Israel, where the signals intelligence Unit 8200 serves as a breeding ground for startup founders who grow wealthy serving dictators around the world, thanks in part to Israel's lax export standards for cyberweapons.
Most notorious of these companies is the NSO Group, whose Pegasus malware has been deployed by corrupt, narco-affiliated Mexican politicians, murderous Saudi royals, and dictators in Central Asia, Latin America, and all around the world.
The NSO Group's founders told their customers that they were invisible, as ethereal as shadows, so their products could be deployed without fear of detection or consequence. At the same time, NSO ran a disinformation campaign for the broader public, insisting that they have the highest ethical standards and closely monitor their products' use to ensure that it is only deployed against terrorists and serious criminals. This latter strategy is backstopped by harassment and intimidation of journalists who investigate this narrative – I have personally been threatened by lawyers retained by the NSO Group.
Deibert and Citizen Lab disprove both of NSO's narratives. Their technical staff developed incredibly clever, subtle methods to detect malware infections all around the world and identify who had been targeted by NSO's products (they were greatly aided in this by farcical blunders in NSO's products).
In so doing, Citizen Lab not only showed that customers for mercenary spyware will someday be discovered – they also thoroughly disproved the company's narrative about its squeaky-clean image and high morals.
Much of Deibert's book is a true-life technothriller recounting the technology, the politics, and the human cost of a largely unregulated industry whose protectors are among the most powerful people in the world.
This book contains many never-revealed revelations from Deibert's distinguished career, like notes from a meeting where Stephen Harper's top spooks and Privy Council officials threatened and intimidated Deibert over Citizen Lab's reports on Saudi Prince Mohammed Bin Salman's use of spyware on Canadian residents.
Deibert also reveals some juicy bits of less consequence, like the fact that it was he who tipped off the BBC's Rory Cellan-Jones that Research In Motion was helping Middle Eastern autocracies and India's far right government spy on dissidents' Blackberry devices, just minutes before RIM co-founder Mike Lazaridis was to sit for a televised interview with Cellan-Jones for the BBC's Click. When Cellan-Jones asked Lazaridis about the matter, Lazaridis at first denied it, then demanded that the camera be turned off before halting the interview:
https://www.youtube.com/watch?v=Q6iGe7vuGeQ
But the majority of Deibert's book is a string of horrifying stories of dissidents, activists, journalists, opposition politicians and the people around them having their lives peeled open by companies like NSO Group and their competitors. They run the gamut from multiple, successive presidents of Catalonia to the US-based children of activists agitating for limits to sugary drinks in Mexico.
On the way, Deibert is hounded by all kinds of dirty-tricksters, like the bumbling ex-Mossad spook that Black Cube – whom Harvey Weinstein hired to harass his victims – hired to discredit the organization:
https://www.nytimes.com/2019/01/28/world/black-cube-nso-citizen-lab-intelligence.html
He's also chased by troll armies working on behalf of South American despots, the corrupt Modi government of India, and Middle Eastern autocrats in the UAE, Saudi Arabia and elsewhere. While most of these trolls are anonymous jerks, a few high-profile serial online harassers-for-hire are singled out by name, their deeds publicly connected for the first time.
Deibert shows the human impact of mercenary spyware: the connection between these companies' products and intimidation, arbitrary detention, punitive rape, torture, and murder – for example, he painstakingly lays out the role that the NSO Group's products played in the murder and dismemberment of the US-based journalist Jamal Khashoggi.
This is a dirty business, but it's also a lucrative one. Citizen Lab goes eyeball-to-eyeball and toe-to-toe with farcically wealthy, well-resourced attackers, who've waxed fat by abetting corruption and sadistic greed.
But this isn't mere rage-bait. Deibert's story is an inspiration, both in how it shows how principled, decent, hardworking people can make a difference – Citizen Lab researchers repeatedly discover and burn the vulnerabilities exploited by mercenary spyware, a process Deibert likens to disarming them – but also in the bravery and resilience of the subjects who trust Citizen Lab to analyze their devices, risking everything to come forward and tell their stories.
Citizen Lab is enmeshed in a global, digital community of human rights defenders – a community that wouldn't exist without the internet. Deibert's life's work is to create an internet that is fit for human thriving – and to wrestle control of technology away from the monsters who project their greed and sadism around the world through our devices.
#pluralistic#reviews#cybersecurity#security#infosec#spyware#mercenary spyware#citizen lab#cdnpoli#israel#sigint#human rights#digital rights surveillance#books#gift guide#university of toronto#ron deibert
Text
In recent years, commercial spyware has been deployed by more actors against a wider range of victims, but the prevailing narrative has still been that the malware is used in targeted attacks against an extremely small number of people. At the same time, though, it has been difficult to check devices for infection, leading individuals to navigate an ad hoc array of academic institutions and NGOs that have been on the front lines of developing forensic techniques to detect mobile spyware. On Tuesday, the mobile device security firm iVerify is publishing findings from a spyware detection feature it launched in May. Of 2,500 device scans that the company's customers elected to submit for inspection, seven revealed infections by the notorious NSO Group malware known as Pegasus.
The company’s Mobile Threat Hunting feature uses a combination of malware signature-based detection, heuristics, and machine learning to look for anomalies in iOS and Android device activity or telltale signs of spyware infection. For paying iVerify customers, the tool regularly checks devices for potential compromise. But the company also offers a free version of the feature for anyone who downloads the iVerify Basics app for $1. These users can walk through steps to generate and send a special diagnostic utility file to iVerify and receive analysis within hours. Free users can use the tool once a month. iVerify's infrastructure is built to be privacy-preserving, but to run the Mobile Threat Hunting feature, users must enter an email address so the company has a way to contact them if a scan turns up spyware—as it did in the seven recent Pegasus discoveries.
“The really fascinating thing is that the people who were targeted were not just journalists and activists, but business leaders, people running commercial enterprises, people in government positions,” says Rocky Cole, chief operating officer of iVerify and a former US National Security Agency analyst. “It looks a lot more like the targeting profile of your average piece of malware or your average APT group than it does the narrative that’s been out there that mercenary spyware is being abused to target activists. It is doing that, absolutely, but this cross section of society was surprising to find.”
Seven out of 2,500 scans may sound like a small group, especially in the somewhat self-selecting customer base of iVerify users, whether paying or free, who want to be monitoring their mobile device security at all, much less checking specifically for spyware. But the fact that the tool has already found a handful of infections at all speaks to how widely the use of spyware has proliferated around the world. Having an easy tool for diagnosing spyware compromises may well expand the picture of just how often such malware is being used.
“NSO Group sells its products exclusively to vetted US & Israel-allied intelligence and law enforcement agencies,” NSO Group spokesperson Gil Lainer told WIRED in a statement. “Our customers use these technologies daily.”
iVerify vice president of research Matthias Frielingsdorf will present the group's Pegasus findings at the Objective by the Sea security conference in Maui, Hawaii on Friday. He says that it took significant investment to develop the detection tool because mobile operating systems like Android, and particularly iOS, are more locked down than traditional desktop operating systems and don't allow monitoring software to have kernel access at the heart of the system. Cole says that the crucial insight was to use telemetry taken from as close to the kernel as possible to tune machine learning models for detection. Some spyware, like Pegasus, also has characteristic traits that make it easier to flag. In the seven detections, Mobile Threat Hunting caught Pegasus using diagnostic data, shutdown logs, and crash logs. But the challenge, Cole says, is in refining mobile monitoring tools to reduce false positives.
Developing the detection capability has already been invaluable, though. Cole says that it helped iVerify identify signs of compromise on the smartphone of Gurpatwant Singh Pannun, a lawyer and Sikh political activist who was the target of an alleged, foiled assassination attempt by an Indian government employee in New York City. The Mobile Threat Hunting feature also flagged suspected nation state activity on the mobile devices of two Harris-Walz campaign officials—a senior member of the campaign and an IT department member—during the presidential race.
“The age of assuming that iPhones and Android phones are safe out of the box is over,” Cole says. “The sorts of capabilities to know if your phone has spyware on it were not widespread. There were technical barriers and it was leaving a lot of people behind. Now you have the ability to know if your phone is infected with commercial spyware. And the rate is much higher than the prevailing narrative.”
Text
...<FILE PLAYBACK COMPLETE>
...
Huh. Ya'know. When you dragged me over here, I really thought you'd be showing me like. Blackmail material. Or corporate espionage.
What would be the point of that? I don't give a rat's ass about how Karrakin Colonial governments are run.
Roy. You are using a Karrakin noblewoman's actual fucking diary as your personal Omninet drama. Do you see a problem with that?
No.
;-;
This was a really recent one, too. I put spyware in the database before they sealed it.
This isn't even from the data you downloaded to begin with!? You're STILL hacking her!?
That's what I said, isn't it? We can go through the older stuff after this one finishes uploading.
Uplo- wait what?
...<UPLOAD COMPLETE>
...<TRANSCRIBING AUDIO>
...
Uggh. Another long day. I knew not whether I would have time to record mine thoughts tonight. The Passions hath blessed me with... three... four minutes to mine own self?
<sigh>
The last several months hath been beyond difficult. I did know that Rebecca's operations were important, but... keeping things together hath been a nightmare without her, truly. How many supply lines pillaged without the feared Champion of the Caldera to protect them? How much revenu-
Nay. Nay. Fie! Damn it all! Mother and Father would chastise me for mine weakness, but revenue and trade... I care nothing for such things at present. I miss mine sister. So much. As furious as I am with her, I miss the hellion! And the lives... How many lives hath been snuffed out by these filthy pirates!? I know not why I care so much! Mother and father's lessons art clear, I should view these losses practically, but I fear this burning in mine chest shall consumeth me!
The last ship which was set upon... I did speak with a man who worked aboard it once. I knew not his name, but he did greet me with a smile upon mine tour of the vessel. I inquired as to the nature of the pin he wore upon his lapel. Twas given him by his son... Did he clutch that pin as the vessel was ripped open? By weaponry the Harrison mongrels did "dump" for the pirates to "conveniently find?" As the life did fade from him, did he hold that pin close, that it might protect him? That he might wake with his son's eyes upon him?
<hitched breathing and sniffling>
Why now do I weep for the ignoble? Why doth a knot form in mine stomach when a mercenary calleth himself mine "tool," mine "weapon?" Passions forbid, what would Mother and Father say if I did use the word... friend? Mayhap all this talk of clones and tools hath riddled mine mind with uncertainty. Mayhap Rebecca did take mine fucking senses with her. Heavens, I hath grown soft!
<glass shattering, a frustrated shriek>
It doth not matter! I am not so soft that I cannot defend what is mine! The Horus Warlock's ship is nearly repaired. Two Kavaliers will see the jungle parted in a river of blood. The pirates will die. Everything will make sense once more. Finally. Finally...
...<TRANSCRIPTION COMPLETE>
#karrakin trade baronies#lancer rpg#lancer ttrpg#ktb#oc rp#lancer oc#lancer rp#oc rp blog#lancer horus#lancerrpg
Text
Apple warns iPhone users in 98 countries of spyware attacks
Source: https://techcrunch.com/2024/07/10/apple-alerts-iphone-users-in-98-countries-to-mercenary-spyware-attacks/
Text
Exposing the Dark Web Scam: Fake Pegasus Spyware Code Sold for Millions
Cybercriminals are capitalizing on the infamous reputation of the Pegasus spyware, duping unsuspecting victims on the dark web. According to a recent investigation by the cybersecurity firm CloudSEK, threat actors are systematically leveraging the Pegasus name to perpetrate a widespread scam, offering randomly generated source codes falsely associated with the potent spyware for exorbitant prices, sometimes exceeding a million dollars.
Dissecting the Scam: Insights from Months of Research
CloudSEK's report sheds light on the intricate workings of this scam, which emerged shortly after Apple warned about a "mercenary spyware" attack targeting users across 92 countries. The cybersecurity firm's researchers delved deep into the dark web, analyzing approximately 25,000 posts on platforms like Telegram, many of which claimed to sell authentic Pegasus source code. Anuj Sharma, the lead investigator and security researcher at CloudSEK, underscored the detrimental impact of this scam, stating: The misuse of Pegasus's name, logo, and identity by underground sources has led to significant misinformation about the tool, confusing both experts and the public about its true capabilities and origin. The deliberate misrepresentation complicates the attribution of cyberattacks, making it harder to determine the source and nature of the spyware being used.
Engaging with Potential Sellers: Uncovering Fake Samples and Inflated Prices
CloudSEK researchers went a step further, directly engaging with over 150 potential sellers claiming to offer Pegasus-related services. Through these interactions, they accessed purported Pegasus source code samples, live demonstrations, file structures, and snapshots. However, after analyzing 15 samples and over 30 indicators from various intelligence sources, the researchers concluded that nearly all samples were fraudulent and ineffective. The report also identified six instances of fake Pegasus HVNC (Hidden Virtual Network Computing) samples distributed on the dark web between May 2022 and January 2024. Moreover, the scam extended to code-sharing platforms on the surface web, where scammers disseminated their own randomly generated source codes, falsely associating them with the Pegasus spyware. In one particularly brazen case, a group named Deanon ClubV7 announced on April 5 that they had obtained legitimate access to Pegasus and were offering permanent access for a staggering fee of $1.5 million. The group claimed to be the first to secure access to Pegasus and boasted about selling four accesses within just two days, raking in a total of $6 million.
Combating the Scam: Employee Awareness and Strict Access Controls
To combat this widespread scam, CloudSEK emphasizes the importance of employee awareness and implementing strict access controls. Sharma recommends providing regular updates and alerts about the latest scam tactics involving Pegasus and similar high-profile names, as well as implementing network monitoring to identify unusual activity that might indicate employees accessing the dark web or IRC platforms. Strict access controls should be implemented to limit and monitor employees' ability to visit potentially dangerous sites or download unauthorized software, reducing the risk of falling victim to such scams.
Note
After you escaped how did you get into humans and "intimate" stuff? I would think after escaping you would hate or severely distrust humans. As for intimate stuff did you have a daring dashing hero who saved you and well... One thing led to another and stuff just happened.
Nah, I was pretty chill with humans once I quit. It was the boss that always hated them, and I learned pretty quickly that whatever he said was wrong.
Once I was out, I wandered for a while until I was unceremoniously robot-napped by a woman named Crash who had mistaken me for a mercenary sent to kill her. After plugging my hard drive into a burner laptop and grilling me for a while about my origins, she eventually mellowed out and we got to talking. Turns out she was a talented computer technician and programmer, a doctor of computer science in fact, as well as a recluse and a closeted robosexual. You can imagine how the next couple weeks went. Besides all the freaky robot sex, she also uninstalled all my spyware and built me a new body that better fit my idea of myself! We're still great friends (and fuck pretty often) and she's one of the three people I trust to make any major repairs or upgrades to me.
If you're reading this, I love you, Crash <3
Text
Reflection of the Second signing of the Chaosdiver contract
The events of this reflection happened on the evening of 9/1/2024.
Vismark looked over at the images of the outpost. Finally, it was finished, and he could put this mess behind him. He was glad with what he saw, specifically the frame of the outpost being finished. However, there was the risk that the frame could never have been constructed.
It all started that night, when he was informed of a possible attack. He brushed it off back then, but thinking about it now, the chances of someone going behind his back and attacking him was not a non-zero possibility. Add to the fact that there was canonically a group known as the Mercdivers, a mercenary company of helldivers, and you have a recipe for disaster, a perfect way to destroy the Corp’s presence without getting involved himself. {The Mercdivers are a real faction in the Chaosdiver discord btw. They even have their own discord, though I didn’t join it.} It was a good thing then that he set up a guard and had them build what fortifications they could.
Moreover, it made sense why the ODST’s leader would think about doing this. After all, things fell apart and the group could have disbanded. He didn’t know what exactly happened himself; he had his spyware removed from the communications array when the deal was signed, and he didn’t have anybody snooping around. What he did know for a fact though was that the second in command left, as that was the reason cited as why the contract was now invalid. She probably wasn’t the only one. Add to the fact that apparently their ammo storage was blown out, and… yeah. Clearly, they had a rough night. On one hand, Vismark was slightly disheartened that this happened. After all, this would only hurt the Corporation’s reputation, and it was a tragic affair. On the other hand, he had nothing to do with this madness. Whatever drama was building up and boiled over with this incident had nothing to do with him.
Oh yeah, he wasn’t technically speaking with an official Chaosdiver division. He was speaking with the ODSTs, who were aligned with the Chaosdivers’ goals, but weren’t officially a part of them. Vismark would have preferred to be working with an official division, but this doesn’t really matter. After all, after he starts helping the ODSTs, the rest will surely soon follow. Still, official or not, they were Chaosdivers, and they had a contract to sign. {Note, this was only true at the time of this writing and RP scenario. As of right now, they are 100% a part of the Chaosdivers}
Instead of bringing the Steel’s Vengeance this time around, he decided to visit them virtually, sending two agents to start negotiations and bring a communications device so he could speak to them via a hologram. Those two agents were chosen to be Nova, his best Recruit Rescuer who was on site, and Carl Diver, a captain, former local, and the man who Vismark had decided to appoint to outpost master, the man in charge of the outpost’s day-to-day functions.
The leader of the ODSTs was mostly fine for the contract, even the parts that were missed in the initial signing. However, he had four main gripes. The first was that he wanted to have the right to keep any Super Earth tech they could get their hands on. Vismark agreed, as long as his men could at least observe and scan the stuff. Scanning the items would allow his team to observe them virtually in a simulated environment. It wasn’t perfect, and imperfections in the scan were known to screw over observations sometimes, but it was better than not doing anything. In fact, the crew discovered that sometimes the ODSTs didn’t want the tech, resulting in the crew getting to keep it.
Two other points were raised, not really terms of the contract but still points to discuss. That being the fact the leader the leader of the ODSTs, and his wishes to keep the secrets of the ODSTs secret. Both of these were good for Vismark.
The final point was the point of contention… not really. At this point, Vismark was just eager to get the treaty signed, so when the leader explained that they needed civilians to help support the ODSTs, Vismark gave in, giving the group the right to recruit before the Corporation starts making pitches.
And just like that, the points were finished… except for the fact that Vismark had to explain that supplies weren’t going to come in right away. Stupid Anti-Project Plan. Maybe Default could have some produce to spare, but he wouldn’t know for sure. At least he promised that if no supplies were coming in the first week, he would give them 3 Crates of Copper. Crates that were reserved for the Automatons, but they didn’t know that. They didn’t need to know. If this did come to pass, he would have to just hope MazeRun could deliver that sand in time. (Fun fact, it did come to pass!)
Despite this, at least he had some breathing room, as the tower was still being worked on, and he wouldn’t send supplies to an unfinished outpost.
Vismark then thought about the situation that happened the next day, this morning in fact. As they were scanning some Super Earth lab helmets given by the ODSTs, a Corporate drone came in and interrogated them. Turns out this drone belonged to another Corporation, a local one, which was secretly supplying Chaosdivers who did their dirty work jobs for them, giving them rewards for completing their own Major Orders. Corporate Orders even. While the drone was at first piloted by a board member, if not the CEO, it was then given to a friendlier handler who talked with Carl. The two then came to an understanding, as the two Corporations don’t even share the same market. While Vismark was focused on providing food and raw resources, the [Censored for privacy’s sake] Corporation was focused on weapons and such. In fact, it might be beneficial for the two Corporations to work together. Still, that would require drawing metal away from the Automatons, and he didn’t know what the Corporation would want. Better to let them contact him.
Now it is finished. The outpost would be completed, the shipments would eventually arrive, and the Chaosdivers would be supported by the Cave Filing Corporation. Super Earth was one step closer to falling, and the Corporation would at least attempt to see it through.
{These events were based on some RP interactions in the Chaosdiver server, and there is another Corporation in there! If you want to interact with the Cave Filling Corporation or the other Corporation, why not join the discord?}
Text
Governments call for spyware regulations at UN Security Council meeting
On Tuesday, the United Nations Security Council held a meeting to discuss the dangers of commercial spyware, marking the first time this type of software – also known as government or mercenary spyware – has been discussed at the Security Council. The purpose of the meeting, according to the US Mission to the UN, was “to address the implications of the proliferation and misuse of commercial…
Text
A $2 million contract that United States Immigration and Customs Enforcement signed with Israeli commercial spyware vendor Paragon Solutions has been paused and placed under compliance review, WIRED has learned.
The White House’s scrutiny of the contract marks the first test of the Biden administration’s executive order restricting the government’s use of spyware.
The one-year contract between Paragon’s US subsidiary in Chantilly, Virginia, and ICE’s Homeland Security Investigations (HSI) Division 3 was signed on September 27 and first reported by WIRED on October 1. A few days later, on October 8, HSI issued a stop-work order for the award “to review and verify compliance with Executive Order 14093,” a Department of Homeland Security spokesperson tells WIRED.
The executive order signed by President Joe Biden in March 2023 aims to restrict the US government’s use of commercial spyware technology while promoting its “responsible use” that aligns with the protection of human rights.
DHS did not confirm whether the contract, which says it covers a “fully configured proprietary solution including license, hardware, warranty, maintenance, and training,” includes the deployment of Paragon’s flagship product, Graphite, a powerful spyware tool that reportedly extracts data primarily from cloud backups.
“We immediately engaged the leadership at DHS and worked very collaboratively together to understand exactly what was put in place, what the scope of this contract was, and whether or not it adhered to the procedures and requirements of the executive order,” a senior US administration official with first-hand knowledge of the workings of the executive order tells WIRED. The official requested anonymity to speak candidly about the White House’s review of the ICE contract.
Paragon Solutions did not respond to WIRED's request to comment on the contract's review.
The process laid out in the executive order requires a robust review of the due diligence regarding both the vendor and the tool, to see whether any concerns, such as counterintelligence, security, and improper use risks, arise. It also stipulates that an agency may not make operational use of the commercial spyware until at least seven days after providing this information to the White House or until the president's national security adviser consents.
“Ultimately, there will have to be a determination made by the leadership of the department. The outcome may be—based on the information and the facts that we have—that this particular vendor and tool does not spur a violation of the requirements in the executive order,” the senior official says.
While publicly available details of ICE’s contract with Paragon are relatively sparse, its existence alone raised alarms among civil liberties groups, with the nonprofit watchdog Human Rights Watch saying in a statement that “giving ICE access to spyware risks exacerbating” the department’s problematic practices. HRW also questioned what it calls the Biden administration’s “piecemeal approach” to spyware regulation.
The level of seriousness with which the US government approaches the compliance review of the Paragon contract will influence international trust in the executive order, experts say.
“We know the dangers mercenary spyware poses when sold to dictatorships, but there is also plenty of evidence of harms in democracies,” says John Scott-Railton, a senior researcher at the University of Toronto’s Citizen Lab who has been instrumental in exposing spyware-related abuses. “This is why oversight, transparency, and accountability around any US agency attempt to acquire these tools is essential.”
International efforts to rein in commercial spyware are gathering pace. On October 11, during the 57th session of the Human Rights Council, United Nations member states reached a consensus to adopt language acknowledging the threat that the misuse of commercial spyware poses to democratic values, as well as the protection of human rights and fundamental freedoms. “This is an important norm setting, especially for countries who claim to be democracies,” says Natalia Krapiva, senior tech-legal counsel at international nonprofit Access Now.
Although the US is leading global efforts to combat spyware through its executive order, trade and visa restrictions, and sanctions, the European Union has been more lenient. Only 11 of the 27 EU member states have joined the US-led initiative stipulated in the “Joint Statement on Efforts to Counter the Proliferation and Misuse of Commercial Spyware,” which now counts 21 signatories, including Australia, Canada, Costa Rica, Japan, and South Korea.
“An unregulated market is both a threat to the citizens of those countries, but also to those governments, and I think that increasingly our hope is that there is a recognition [in the EU] of that as well,” the senior US administration official tells WIRED.
The European Commission published on October 16 new guidelines on the export of cyber-surveillance items, including spyware; however, it has yet to respond to the EU Parliament's call to draft a legislative proposal or admonish countries for their misuse of the technology.
While Poland launched an inquiry into the previous government’s spyware use earlier this year, a probe in Spain over the use of spyware against Spanish politicians has so far led to no accusations against those involved, and one in Greece has cleared government agencies of any wrongdoing.
“Europe is in the midst of a mercenary spyware crisis,” says Scott-Railton. “I have looked on with puzzled wonderment as European institutions and governments fail to address this issue at scale, even though there are domestic and export-related international issues.”
With the executive order, the US focuses on its national security and foreign policy interests in the deployment of the technology in accordance with human rights and the rule of law, as well as mitigating counterintelligence risks (e.g. the targeting of US officials). Europe—though it acknowledges the foreign policy dimension—has so far primarily concentrated on human rights considerations rather than counterintelligence and national security threats.
Such a threat became apparent in August, when Google’s Threat Analysis Group (TAG) found that Russian government hackers were using exploits made by spyware companies NSO Group and Intellexa.
Meanwhile, Access Now and Citizen Lab speculated in May that Estonia may have been behind the hacking of exiled Russian journalists, dissidents, and others with NSO Group’s Pegasus spyware.
“In an attempt to protect themselves from Russia, some European countries are using the same tools against the same people that Russia is targeting,” says Access Now’s Krapiva. “By having easier access to this kind of vulnerabilities, because they are then sold on the black market, Russia is able to purchase them in the end.”
“It’s a huge mess,” she adds. “By attempting to protect national security, they actually undermine it in many ways.”
Citizen Lab’s Scott-Railton believes these developments should raise concern among European decisionmakers just as they have for their US counterparts, who emphasized the national security aspect in the executive order.
“What is it going to take for European heads of state to recognize they have a national security threat from this technology?” Scott-Railton says. “Until they recognize the twin human rights and national security threats, the way the US has, they are going to be at a tremendous security disadvantage.”
Text
Governments call for spyware regulations in UN Security Council meeting | masr356.com
On Tuesday, the United Nations Security Council held a meeting to discuss the dangers of commercial spyware, the first time this type of software, also known as government or mercenary spyware, has been discussed in the Security Council. The goal of the meeting, according to the US Mission to the United Nations, was “to address the implications of the spread and misuse…
Text
youtube
Summary
🌍 Focus on Cyber Mercenaries: The talk explores a cyber mercenary group dubbed "Dark Caracal," highlighting their careless operational mistakes and effective malware campaigns.
🔓 The Bandook Malware: Dark Caracal's primary malware, Bandook, functions as spyware capable of capturing screenshots, activating microphones, stealing files, and more.
🔍 Exposing Mistakes:
Poor server configurations, such as leaving default XAMPP settings, exposed exfiltrated data.
Recovered logs and data trails directly linked their activities to Lebanon’s General Directorate of General Security (GDGS).
🤖 Advanced Tactics: Despite their mistakes, the group demonstrated sophistication by developing mobile spyware distributed through backdoored messaging apps like Signal and WhatsApp.
🛡️ State-Sponsored and Mercenary Links: Dark Caracal's campaigns targeted journalists, political dissidents, and obscure industries, suggesting moonlighting for private clients alongside state-sponsored work.
Insights Based on Numbers
📊 Data Exfiltration: Over 81 GB of exfiltrated data was found, with 60% from mobile devices and 40% from Windows systems.
🌐 Global Targets: The group infected thousands of devices, predominantly in Lebanon, Venezuela, and the Dominican Republic, highlighting their broad reach.
Text
Apple Warns Users in 150 Countries of Mercenary Spyware Attacks
Source: https://www.darkreading.com/vulnerabilities-threats/apple-warns-users-targeted-by-mercenary-spyware
More info: https://support.apple.com/en-us/102174
Text
How widespread is mercenary spyware?
http://securitytc.com/TGb36f
Text
macOS Update Crucial: Apple Addresses Actively Exploited Zero-Day Vulnerabilities
Apple is urging all Mac and MacBook users to update their devices to macOS version 15.1.1 immediately. This update, released shortly after the major 15.1 release, addresses two critical vulnerabilities, CVE-2024-44308 and CVE-2024-44309, that are known to be actively exploited. The U.S. Cybersecurity and Infrastructure Agency (CISA) has echoed this warning, emphasizing the urgency of the update.
What are the vulnerabilities?
CVE-2024-44308 (CVSS score: 8.8): This vulnerability in JavaScriptCore could allow attackers to execute arbitrary code when a user processes maliciously crafted web content.
CVE-2024-44309 (CVSS score: 6.1): This vulnerability in WebKit, related to cookie management, could allow cross-site scripting (XSS) attacks when a user encounters malicious web content.
Who discovered the vulnerabilities?
Clément Lecigne and Benoît Sevens of Google’s Threat Analysis Group (TAG) discovered and reported these vulnerabilities. The fact that Google’s TAG was involved suggests that these vulnerabilities might have been used in highly targeted attacks, potentially by government-backed entities or mercenary spyware operators.
Which devices are affected?
The macOS Sequoia 15.1.1 update is necessary for all Macs running on Apple Silicon. This includes:
iMac Pros released since 2017
iMacs released since 2019
MacBook Pros released since 2018
Mac Minis released since 2018
Mac Pros released since 2019.
The update also supports several Intel-powered Macs released from 2017 onwards.
How to update your Mac
To update to macOS 15.1.1:
Go to System Settings/General/Software Update and click “Update Now”.
On older Macs, go to System Preferences and click “Software Update”.
Other Apple devices
Apple has also released updates for iOS, iPadOS, visionOS, and Safari to address these vulnerabilities. These updates are available for a wide range of iPhones and iPads.
Importance of updating
These are just two of four zero-day vulnerabilities Apple has addressed this year. Another vulnerability was demonstrated at the Pwn2Own Vancouver hacking competition (CVE-2024-27834), and the remaining three were patched earlier in the year. The sources underscore the critical importance of updating all your Apple devices promptly to protect yourself from these and other potential threats.