QuaDream's Targets and Tactics
QuaDream has targeted at least five members of civil society across various regions, including North America, Central Asia, Southeast Asia, Europe, and the Middle East. The victims of these 2021 attacks were journalists, political opposition figures, and NGO workers. According to the Citizen Lab, an interdisciplinary laboratory at the University of Toronto specializing in digital security, the spyware campaign leveraged a zero-click, zero-day exploit dubbed ENDOFDAYS against iOS 14.4 and 14.4.2 to deploy the spyware.
The ENDOFDAYS exploit appears to rely on invisible iCloud calendar invitations sent from the spyware operator to the victim. The .ics files contain invitations to two backdated and overlapping events, which keeps the user unaware of the intrusion. The attack takes advantage of a quirk in iOS 14: any iCloud calendar invitation carrying a backdated time is processed without any notification or prompt to the user.
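As an added defensive illustration (not code from the Citizen Lab or Microsoft reports), the following Python parses an .ics invitation and flags the two traits described above, events backdated relative to the invite's own DTSTAMP and events in the same invite that overlap each other; the sample invite is constructed, and the parser assumes DTSTAMP, DTSTART and DTEND are present in the basic UTC form.

```python
from datetime import datetime, timedelta, timezone
# Constructed sample invite (not a real capture): two overlapping events stamped in 2021 but dated 2020.
SAMPLE_ICS = """BEGIN:VCALENDAR
BEGIN:VEVENT
UID:constructed-1@example.invalid
DTSTAMP:20210301T120000Z
DTSTART:20200115T090000Z
DTEND:20200115T100000Z
END:VEVENT
BEGIN:VEVENT
UID:constructed-2@example.invalid
DTSTAMP:20210301T120000Z
DTSTART:20200115T093000Z
DTEND:20200115T110000Z
END:VEVENT
END:VCALENDAR
"""
def _parse_dt(value):  # only the basic UTC form YYYYMMDDTHHMMSSZ is handled
    return datetime.strptime(value, "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)

def parse_events(ics_text):
    """One dict per VEVENT with UID and parsed DTSTAMP/DTSTART/DTEND."""
    events, current = [], None
    for raw in ics_text.splitlines():
        line = raw.strip()
        if line == "BEGIN:VEVENT":
            current = {}
        elif line == "END:VEVENT" and current is not None:
            events.append(current)
            current = None
        elif current is not None and ":" in line:
            key, value = line.split(":", 1)
            key = key.split(";", 1)[0]  # drop property parameters such as TZID
            if key in ("DTSTAMP", "DTSTART", "DTEND"):
                current[key] = _parse_dt(value)
            elif key == "UID":
                current[key] = value
    return events

def flag_suspicious(ics_text, min_backdate=timedelta(days=1)):
    """Reasons the invite looks backdated and/or self-overlapping; [] if clean."""
    events, reasons = parse_events(ics_text), []
    for ev in events:  # event starts well before the invite was stamped
        if ev["DTSTART"] < ev["DTSTAMP"] - min_backdate:
            reasons.append(f"{ev['UID']} backdated {(ev['DTSTAMP'] - ev['DTSTART']).days}d")
    for i, a in enumerate(events):  # two events in one invite that overlap
        for b in events[i + 1:]:
            if a["DTSTART"] < b["DTEND"] and b["DTSTART"] < a["DTEND"]:
                reasons.append(f"{a['UID']} overlaps {b['UID']}")
    return reasons
```

Run `flag_suspicious(SAMPLE_ICS)` to see both events reported as backdated by 411 days and as overlapping; a legitimate invite with future-dated, non-overlapping events returns an empty list.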
The KingsPawn Malware
Microsoft's Threat Intelligence team tracks QuaDream as DEV-0196 and describes it as a private sector offensive actor (PSOA), a company that sells "exploitation services and malware" to government customers. QuaDream's malware, named KingsPawn, is composed of a monitor agent and a primary malware agent; both are Mach-O files, written in Objective-C and Go respectively.
The monitor agent exists to reduce the malware's forensic footprint and evade detection. The primary agent carries the collection capabilities: gathering device information and cellular and Wi-Fi data, harvesting files, accessing the camera, location, call logs and the iOS Keychain, and even generating an iCloud time-based one-time password (TOTP).
Some KingsPawn samples additionally support recording audio from phone calls and the microphone, running queries against SQL databases, and cleaning up forensic traces by deleting all calendar events from two years prior to the current time. Collected data is exfiltrated via HTTPS POST requests.
QuaDream's Global Reach
Internet scans conducted by the Citizen Lab reveal that QuaDream's customers operated 600 servers in several countries between late 2021 and early 2023, including Bulgaria, the Czech Republic, Hungary, Romania, Ghana, Israel, Mexico, Singapore, the U.A.E., and Uzbekistan. Despite the spyware's attempts to cover its tracks, the Citizen Lab uncovered unspecified traces, which it calls the "Ectoplasm Factor", that could be used to track QuaDream's toolset in the future.
The Growing Threat of Commercial Spyware Firms
QuaDream is not the only commercial spyware firm operating in the shadows. The infamous NSO Group is another notable example. The growing number of such companies indicates a dire need for systemic government regulations to curb the proliferation of commercial spyware. As these firms continue to develop sophisticated spyware products for government clients, the number of abuse cases is likely to increase.
Microsoft, along with other industry experts, has emphasized that the growth of mercenary spyware companies poses a threat to democracy and human rights. Combating such offensive actors requires a "collective effort" and a "multistakeholder collaboration." Amy Hogan-Burney, Microsoft's associate general counsel for cybersecurity policy and protection, warned that the use of tools and technologies sold by cyber mercenaries will continue to spread, posing risks not only to human rights online but also to the security and stability of the broader online environment.
Conclusion
The emergence of QuaDream as a significant player in the commercial spyware landscape highlights the urgent need to address the growing threat posed by such firms. As QuaDream and other cyber mercenaries continue to exploit vulnerabilities and develop new methods for unauthorized network access, it is crucial for governments, cybersecurity experts, and private companies to collaborate in curbing the out-of-control proliferation of commercial spyware.
Systemic government regulations, coupled with multistakeholder collaboration, can help protect democracy, human rights, and the overall stability of the digital world. As the dangers posed by commercial spyware firms like QuaDream continue to escalate, it is imperative to act swiftly and decisively in the interest of a safer, more secure online environment for all.
References
- The Citizen Lab. (n.d.). The Citizen Lab - University of Toronto. https://citizenlab.ca/
- Reuters. (2022, February). Exclusive: Israeli firm uses iPhone zero-click hack to spy on activists - sources. https://www.reuters.com/technology/exclusive-israeli-firm-uses-iphone-zero-click-hack-spy-activists-sources-2022-02-09/
- Meta. (2022, December). Taking Down an Attack Network Used by a Cyber Mercenary Group. https://about.fb.com/news/2022/12/taking-down-an-attack-network-used-by-a-cyber-mercenary-group/
- Microsoft Threat Intelligence Center. (n.d.). Microsoft Threat Intelligence Center (MSTIC) - Microsoft Security. https://www.microsoft.com/en-us/security/mstic