New Spyware Firm Said to Have Helped Hack iPhones Around the Globe (slightly edited)

Tools linked to QuaDream of Israel highlight continued use of secret software

Hacking tools sold by a little-known Israeli vendor have been used to break into the iPhones of journalists and political opposition figures by silently exploiting Apple Inc.'s iPhone software, cybersecurity researchers said.

The intrusions are linked to QuaDream Ltd., which markets spyware under the name "Reign," according to new research published Tuesday by Citizen Lab, a research group at the University of Toronto, and Microsoft Corp.

Spyware makers have operated largely under the radar for years, but US authorities and tech companies have become increasingly concerned about the misuse of their hacking tools. In particular, another Israeli company, NSO Group, has attracted scrutiny, with investigators saying that its software has been deployed to attack US officials as well as journalists, activists and politicians worldwide. In 2021, Microsoft linked the Israeli company Candiru to attacks on more than 100 victims, including politicians, human-rights activists and journalists.

"The explosive growth of private 'cyber mercenary' companies poses a threat to democracy and human rights around the world," said Amy Hogan-Burney, the general manager of Microsoft's Cybersecurity Policy & Protection.

QuaDream is the latest spyware company to face questions about its software and how it is used. The company's software essentially granted assailants full surveillance capabilities over a user's device, including the ability to record phone calls, capture photos and read messages, said Bill Marczak, a researcher with Citizen Lab. QuaDream's software was as sophisticated as NSO Group's and took pains to obscure its fingerprints in computer code deployed on infected devices, Mr. Marczak said.

Law-enforcement agencies say that there are legitimate uses for spyware products, to conduct surveillance of criminal or terrorist organizations, for example, but the Biden administration has recently taken steps to ensure that they aren't used without proper oversight and legal authorization.

The NSO Group has previously said its software is used only lawfully and is licensed to government intelligence and law enforcement for investigations. An NSO spokesman declined to comment for this article. Representatives for QuaDream and Candiru didn't respond to requests for comment.

Although Citizen Lab was unable to obtain the software used to attack the iPhone, they said they were able to draw some conclusions by examining the digital evidence left on at least five previously hacked phones along with two samples of the spyware provided by Microsoft.

Mr. Marczak and other researchers determined that the attack compromised phones running versions of Apple's iOS 14 iPhone operating system, which was state-of-the-art between 2020 and 2021, and appeared to be connected with calendar invitations sent to the victims.

Citizen Lab's analysis found that the attack worked without requiring any user interaction, what is known as a zero-click attack, meaning that victims would be defenseless against it. "There's nothing the victim has to do" to be infected, Mr. Marczak said. The research group didn't provide the identities of suspected victims.

In July of last year, Apple introduced a new feature, called Lockdown Mode, designed to mitigate the risks of zero-click attacks.

Without samples of the attack code, it isn't possible to determine whether the QuaDream attack has been patched, according to Citizen Lab. The attack hasn't been launched against more-recent versions of Apple's operating system, a sign that the bug—or bugs—that it leveraged to burrow into the iPhone may have been fixed, Mr. Marczak said.

Apple hasn't detected signs that the attack described by Citizen Lab was used after March 2021, when iOS 14 shipped, a company spokesman said. Attacks such as the one described by Citizen Lab typically cost millions of dollars to develop, have a short shelf life and don't affect most iPhone users, he said.

QuaDream's operator locations were found in a range of countries, Citizen Lab said. They are Bulgaria, Czech Republic, Hungary, Ghana, Israel, Mexico, Romania, Singapore, United Arab Emirates and Uzbekistan.

Reports of the growing use of hacking tools purchased from vendors in Israel and elsewhere have fueled calls within Europe and in the US to restrict their use.

Last month, President Biden issued a first-of-its-kind executive order limiting the use of commercial spyware within the federal government, though it doesn't outright prohibit its use, either for offensive purposes or testing. The administration also disclosed that it believed at least 50 US personnel working overseas had been compromised by such spyware and that it expected that number to grow as officials continued to investigate.

NSO Group has faced years of international scrutiny for its selling of a mobile-device hacking tool known as Pegasus, which has been used to break into cellphones belonging to politicians, activists and journalists, according to Facebook-parent Meta Platforms Inc., Citizen Lab and others.

The Biden administration blacklisted both NSO Group and Candiru in 2021, but senior administration officials said the new executive order was needed to keep up with a rapidly evolving international spyware market. Instead of publicly listing companies barred from selling to the US government, the administration seeks to create a system of rules that agencies will internally consider to determine whether vendors pose a threat to national security or human rights and should be off limits.