
Israeli threat actor hacks civil society in 10 countries, reports say

Two new threat analyses expose a new player in the field of targeted hacking for intelligence gathering.

New research published this week by Microsoft and the internet watchdog Citizen Lab details the operations of a new Israeli spyware company targeting journalists, politicians, opposition figures and advocacy organizations. According to the reports, the victims span 10 countries, with targets in North America, Central Asia, Southeast Asia, Europe, and the Middle East.

Microsoft Threat Intelligence has detailed the threat posed by the spyware company in a blog post. In it, they write that their analysts “assess with high confidence that a threat group tracked by Microsoft as DEV-0196 is linked to an Israel-based private sector offensive actor (PSOA) known as QuaDream”.

QuaDream has an office in Ramat Gan, Israel. It specialises in the development and sale of “advanced digital offensive technology” to government clients “for law enforcement purposes”. The company is best known for its spyware marketed under the name “Reign”. According to Microsoft, the platform is comparable to NSO Group’s Pegasus: it combines zero-click exploits, malware, and supporting infrastructure designed to exfiltrate data from mobile devices.

QuaDream operates with a minimal public presence, according to a research report by Citizen Lab. The company has no website, generates little media coverage, and has no social media presence.

QuaDream group’s globe-spanning malware

Microsoft Threat Intelligence analysts “assess with high confidence” that the malware, which they have dubbed KingsPawn, is developed by DEV-0196 and therefore strongly linked to QuaDream.

Additionally, Citizen Lab identified an iOS 14 zero-click exploit used to deploy QuaDream’s spyware. The suspected exploit “appears to make use of invisible iCloud calendar invitations sent from the spyware’s operator to victims”.

Despite QuaDream’s efforts to keep a low profile, Citizen Lab was able to detect QuaDream systems operated from Bulgaria, the Czech Republic, Hungary, Ghana, Israel, Mexico, Romania, Singapore, the United Arab Emirates (UAE), and Uzbekistan.