Pegasus-style spyware attack hits journalists, politicians via iPhone exploits

representational image (IANS file photo)


The fear of Pegasus-style spyware attack resurfaced on Tuesday after researchers at Microsoft and the digital rights group Citizen Lab identified new victims in North America, Central Asia, Southeast Asia, Europe, and the Middle East — once again from an Israel-based spyware maker.

Hackers used QuaDream spyware to send malicious calendar invites and hack the iPhones of journalists, political opposition figures, and an NGO worker.

“Based on an analysis of samples shared with us by Microsoft Threat Intelligence, we developed indicators that enabled us to identify at least five civil society victims of QuaDream’s spyware,” Citizen Lab said in a statement.

The researchers identified traces of a suspected iOS 14 zero-click exploit used to deploy QuaDream’s spyware.

The exploit was deployed as a zero-day against iOS versions 14.4 and 14.4.2, and possibly other versions.

“The suspected exploit, which we call ‘ENDOFDAYS’, appears to make use of invisible iCloud calendar invitations sent from the spyware’s operator to victims,” said Citizen Lab of the University of Toronto’s Munk School.

Microsoft Threat Intelligence analysts named the threat group as “DEV-0196” linked to Israel-based private sector offensive actor (PSOA) known as QuaDream.

QuaDream reportedly sells a platform they call REIGN to governments for law enforcement purposes. REIGN is a suite of exploits, malware, and infrastructure designed to exfiltrate data from mobile devices.

REIGN, like NSO Group’s Pegasus spyware, reportedly utilises zero-click exploits to hack into target devices.

“Citizen Lab was able to identify operator locations for QuaDream systems in the following countries: Bulgaria, Czechia, Hungary, Ghana, Israel, Mexico, Romania, Singapore, United Arab Emirates, and Uzbekistan,” the tech giant revealed.

QuaDream has had a partnership with a Cypriot company called InReach, with whom it is currently embroiled in a legal dispute.

“Numerous key individuals associated with both companies have prior connections with another surveillance vendor, Verint, as well as Israeli intelligence agencies,” the reports mentioned.

An Apple spokesperson was quoted as saying in a TechCrunch report that “there’s no evidence showing the exploit discovered by Microsoft and Citizen Lab has been used after March 2021, when the company released an update”.

QuaDream was mentioned in a December 2022 report from Meta, which reportedly took down 250 accounts associated with the company.

According to the report, Meta observed QuaDream testing its ability to exploit iOS and Android mobile devices with the intent “to exfiltrate various types of data including messages, images, video and audio files, and geolocation”.