Security experts have warned about the emergence of previously unknown spyware with hacking capabilities comparable to NSO Group’s Pegasus that has already been used by clients to target journalists, political opposition figures and an employee of an NGO.
Researchers at the Citizen Lab at the University of Toronto’s Munk School said the spyware, which is made by an Israeli company called QuaDream, infected some victims’ phones when the spyware’s operators, who are likely to be government clients, sent an iCloud calendar invitation to the target’s device. Victims were not notified of the calendar invitations because they were sent for events logged in the past, making them invisible to the targets of the hacking. Such attacks are known as “zero-click” because the phone’s user does not have to click on any malicious link or take any action in order to be infected.
According to the Citizen Lab report, the hacking tool is marketed by QuaDream under the name Reign. The hacking attacks that have been discovered occurred between 2019 and 2021.
The research underscores that, even as NSO Group, the maker of one of the world’s most sophisticated cyberweapons, has faced intense scrutiny and been blacklisted by the Biden administration, probably curtailing its access to new customers, the threat posed by similar and highly sophisticated hacking tools continues to proliferate.
As with NSO’s Pegasus, a phone infected with Reign by a QuaDream client can record conversations that happen in the proximity of the phone by controlling the phone’s recorder, read messages on encrypted apps, listen to phone conversations, and track a user’s location, according to Citizen Lab. Researchers found Reign can also be used to generate two-factor authentication codes on an iPhone to infiltrate a user’s iCloud account, allowing the spyware operator to exfiltrate data directly from the user’s iCloud.
The new revelations mark another blow to Apple, which has marketed its security features as among the best in the world. Now, Reign appears to be a new and potent threat to the integrity of the company’s mobile phones.
In a statement to the Guardian, Apple said it was “constantly advancing the security of iOS” and that there was no indication that QuaDream’s exploit had been used since 2021.
The company said state-sponsored attacks like those described in Citizen Lab’s report cost millions to develop, have a short shelf life, and are used to target specific individuals “because of who they are or what they do”.
“The vast majority of iPhone users will never be the victims of highly targeted cyberattacks and we will work tirelessly to protect the small number of users who are,” the company said.
Citizen Lab did not name the individuals who were found to have been targeted by clients using Reign. But it said that more than five victims – described as journalists, political opposition figures, and one employee of an NGO – were located in North America, Central Asia, south-east Asia, Europe, and the Middle East. Citizen Lab also said it was able to detect operator locations for the spyware in Bulgaria, the Czech Republic, Hungary, Ghana, Israel, Mexico, Romania, Singapore, the UAE and Uzbekistan.
Unlike NSO Group, QuaDream has a relatively low public profile.
The company’s name was briefly referenced in a December 2022 security report issued by Meta, the parent company of Facebook, which described QuaDream as an Israel-based company founded by former NSO employees. At the time, Meta said it had removed 250 accounts on Facebook and Instagram that were linked to QuaDream and that it believed the accounts were being used to test the spyware maker’s capabilities using fake accounts, including exfiltrating data such as messages, images, video and audio files.
Citizen Lab said it had identified key individuals associated with QuaDream through a review of corporate documents and databases, and they included a former Israeli military official and previous NSO Group employees.
QuaDream did not respond to a request for comment sent by email to an individual who is listed in corporate documents as the company’s lawyer. The company does not have a website or list other contact details. Citizen Lab said it also did not receive a response to queries it sent to the company’s lawyer.
Citizen Lab’s analysis was based in part on samples shared with the researchers by Microsoft Threat Intelligence. In a blog post released on Tuesday, the company said its analysts had assessed with “high confidence” that a threat group it had tracked was linked to QuaDream, and that it was sharing detailed information about the threat to customers, industry partners, and the public in order to raise awareness about how spyware companies work.