WhatsApp: “High Confidence” That Nearly 100 Journalists, Civil Society Workers Targeted by Paragon Spyware

In a new development in WhatsApp’s ongoing battle against spyware manufacturers, the Meta-owned company has accused spyware manufacturer Paragon Solutions of targeting about 90 journalists and assorted civil society workers (such as NGO and charity employees) via a zero-click attack delivered through its platform.

WhatsApp told media outlets that it had “high confidence” that these parties were targeted by Paragon spyware and that they were “possibly compromised.” It did not provide names of people it believed to be compromised, but did note that a zero-click attack would not have required targets to engage with a malicious link or attachment to fall victim.

WhatsApp allegations put spotlight on Paragon spyware

WhatsApp has been engaged in a legal battle with another spyware vendor, NSO Group. The chat app racked up a major victory recently when a California judge determined that NSO’s use of the WhatsApp platform to deliver its infamous “Pegasus” spyware constituted a breach of state and federal hacking laws in addition to a violation of WhatsApp’s terms of service.

The Paragon spyware is very similar to Pegasus, down to originating from an Israel-based firm with ties to that country’s security and intelligence agencies. But while Pegasus has been grabbing headlines for several years now, culminating in being blacklisted by the Biden administration for posing a national security threat, Paragon has flown under the radar for the most part despite reportedly having contracts with some 35 world governments that an inside source says are all considered “democratic.”

WhatsApp has said that it is not able to determine which government clients were involved in the spyware attacks, but a row has broken out in Italy over the issue as Paragon suddenly terminated its contracts with the national government over what it called violations of its “terms of service and ethical framework.” The company has refused to elaborate further, and the Meloni government has claimed that it has not used Paragon spyware to target “legally protected” subjects. Three Italian journalists and activists have come forward to dispute that claim, saying that the government targeted them with the spyware over their criticism and for providing aid to immigrants.

The Paragon spyware also appears to use a zero-click attack similar to those used by the Pegasus spyware, with the victim only needing to receive a tainted message to have their device compromised. The spyware is called “Graphite” and takes total control of a compromised device once it breaks through, including being able to read encrypted messages. WhatsApp said that the primary method of compromise via its platform is a tainted PDF file that can be sent to individuals when they are added to group chats. The University of Toronto’s Citizen Lab, which broke the news about the Pegasus zero-click attacks and the abuse of Pegasus by authoritarian governments, reportedly helped WhatsApp identify the malicious vector.

Still unclear which countries were involved in Paragon spyware targeting

As with Pegasus, the Paragon spyware is supposed to be sold only to democratic governments for legitimate law enforcement and terrorism investigation purposes. Paragon has been beneath the radar in no small part because it has not seen a public scandal comparable to the “Pegasus Papers” flare up. Outside of the controversy brewing in Italy, details about who might have used the spyware in this way remain thin.

An inside source that spoke with The Guardian indicated that there is some overlap between the Pegasus and Paragon spyware client lists, and this includes some democratic governments previously caught abusing Pegasus to track journalists and activists; the source named Greece, Poland, Hungary, Mexico and India as possibilities. Paragon was also recently sold to US private equity firm AE Industrial Partners for $900 million, with talk of it relocating to AE’s Boca Raton headquarters, but the deal reportedly still requires regulatory approval by the Israeli government.

WhatsApp has thus far only sent Paragon a cease-and-desist letter, but said that it was exploring legal options. What case it might have remains unclear, as very little is known about the Paragon spyware compared with the years of reporting on Pegasus. One of the elements that has opened Pegasus up to legal issues has been the gradual reveal that NSO staff appeared to be assisting clients with hacking their targets, something the company had previously claimed it did not do.

WhatsApp has also disclosed that the targets were spread over two dozen countries in total. It says that it is reaching out to impacted parties privately to provide them with security assistance. Thus far there is no indication that any targets were in the United States, though there have been confirmations that Paragon spyware is used by the U.S. Drug Enforcement Administration (DEA), the Department of Homeland Security and an unspecified number of other federal agencies.