The entrance to an office listed as belonging to QuaDream in Ramat Gan, Israel, photographed in January 2022 – after the series of hacking attacks took place. Photograph: Nir Elias/Reuters

Experts warn of new spyware threat targeting journalists and political figures


Citizen Lab says victims’ phones infected after being sent an iCloud calendar invitation in a ‘zero-click’ attack

Security experts have warned about the emergence of previously unknown spyware with hacking capabilities comparable to NSO Group’s Pegasus that has already been used by clients to target journalists, political opposition figures and an employee of an NGO.

Researchers at the Citizen Lab at the University of Toronto’s Munk School said the spyware, which is made by an Israeli company called QuaDream, infected some victims’ phones by sending an iCloud calendar invitation to mobile users from operators of the spyware, who are likely to be government clients. Victims were not notified of the calendar invitations because they were sent for events logged in the past, making them invisible to the targets of the hacking. Such attacks are known as “zero-click” because users of the mobile phone do not have to click on any malicious link or take any action in order to be infected.
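As an added illustration (not code from Citizen Lab's report or from the article): because the invitations described above were for events already in the past, a defender reviewing an export of a device's received invitations could flag any whose event start precedes the time the invitation arrived. This assumes the invitations are available as standard iCalendar (.ics) text with UTC timestamps; the sample invites and the received time are constructed.

```python
from datetime import datetime, timezone

# Constructed sample invitations in iCalendar form (not real samples).
INVITES = [
    "BEGIN:VCALENDAR\nMETHOD:REQUEST\nBEGIN:VEVENT\n"
    "UID:constructed-future\nDTSTAMP:20210301T120000Z\n"
    "DTSTART:20210401T090000Z\nDTEND:20210401T100000Z\n"
    "SUMMARY:Planning call\nEND:VEVENT\nEND:VCALENDAR\n",
    "BEGIN:VCALENDAR\nMETHOD:REQUEST\nBEGIN:VEVENT\n"
    "UID:constructed-backdated\nDTSTAMP:20210301T120000Z\n"
    "DTSTART:20190105T090000Z\nDTEND:20190105T100000Z\n"
    "SUMMARY:Sync\nEND:VEVENT\nEND:VCALENDAR\n",
]

# Constructed time at which the invitations were received (UTC).
RECEIVED_AT = datetime(2021, 3, 1, 12, 0, tzinfo=timezone.utc)


def parse_ics(text: str) -> dict:
    """Flatten the property lines of a single-event .ics into a dict.
    Property parameters (e.g. DTSTART;TZID=...) are dropped; this example
    assumes UTC timestamps ending in 'Z'."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.split(";")[0].strip()] = value.strip()
    return fields


def parse_utc(stamp: str) -> datetime:
    """Parse an iCalendar UTC timestamp such as 20210301T120000Z."""
    return datetime.strptime(stamp, "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)


def is_backdated(fields: dict, received_at: datetime) -> bool:
    """True when the event starts before the invitation was received."""
    return parse_utc(fields["DTSTART"]) < received_at


def flag_backdated(invites: list, received_at: datetime) -> list:
    """Return the UIDs of invitations whose event is already in the past,
    i.e. ones that would not trigger a visible notification."""
    flagged = []
    for raw in invites:
        fields = parse_ics(raw)
        if is_backdated(fields, received_at):
            flagged.append(fields.get("UID", "<no UID>"))
    return flagged
```

A backdated invitation is not proof of compromise on its own, but it is the kind of anomaly worth correlating with other device artefacts.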

According to the Citizen Lab report, the hacking tool is marketed by QuaDream under the name Reign. The hacking attacks that have been discovered occurred between 2019 and 2021.

The research underscores that, even as NSO Group, the maker of one of the world’s most sophisticated cyberweapons, has faced intense scrutiny and been blacklisted by the Biden administration, probably curtailing its access to new customers, the threat posed by similar and highly sophisticated hacking tools continues to proliferate.

As with NSO’s Pegasus, a phone infected with Reign by a QuaDream client can record conversations that happen in the proximity of the phone by controlling the phone’s recorder, read messages on encrypted apps, listen to phone conversations, and track a user’s location, according to Citizen Lab. Researchers found Reign can also be used to generate two-factor authentication codes on an iPhone to infiltrate a user’s iCloud account, allowing the spyware operator to exfiltrate data directly from the user’s iCloud.

The new revelations mark another blow to Apple, which has marketed its security features as among the best in the world. Now, Reign appears to be a new and potent threat to the integrity of the company’s mobile phones.

In a statement to the Guardian, Apple said it was “constantly advancing the security of iOS” and that there was no indication that QuaDream’s exploit had been used since 2021.

The company said state-sponsored attacks like those described in Citizen Lab’s report cost millions to develop, have a short shelf life, and are used to target specific individuals “because of who they are or what they do”.

“The vast majority of iPhone users will never be the victims of highly targeted cyberattacks and we will work tirelessly to protect the small number of users who are,” the company said.

Citizen Lab did not name the individuals who were found to have been targeted by clients using Reign. But it said that more than five victims – described as journalists, political opposition figures, and one employee of an NGO – were located in North America, Central Asia, south-east Asia, Europe, and the Middle East. Citizen Lab also said it was able to detect operator locations for the spyware in Bulgaria, the Czech Republic, Hungary, Ghana, Israel, Mexico, Romania, Singapore, the UAE and Uzbekistan.

Unlike NSO Group, QuaDream has a relatively low public profile.

The company’s name was briefly referenced in a December 2022 security report issued by Meta, the parent company of Facebook, which described QuaDream as an Israeli-based company founded by former NSO employees. At the time, Meta said it had removed 250 accounts on Facebook and Instagram that were linked to QuaDream and that it believed the accounts were being used to test the spyware maker’s capabilities using fake accounts, including exfiltrating data such as messages, images, video and audio files.

Citizen Lab said it had identified key individuals associated with QuaDream through a review of corporate documents and databases, and they included a former Israeli military official and previous NSO Group employees.

QuaDream did not respond to a request for comment sent by email to an individual who is listed in corporate documents as the company’s lawyer. The company does not have a website or list other contact details. Citizen Lab said it also did not receive a response to queries it sent to the company’s lawyer.

Citizen Lab’s analysis was based in part on samples shared with the researchers by Microsoft Threat Intelligence. In a blog post released on Tuesday, the company said its analysts had assessed with “high confidence” that a threat group it had tracked was linked to QuaDream, and that it was sharing detailed information about the threat to customers, industry partners, and the public in order to raise awareness about how spyware companies work.
