Maria Brovinska, Stories
5 February 2025, 15:16
Your smartphone can be "hacked" without you even following a link. The phones of about a hundred WhatsApp users were hit by a zero-click attack. What is it, and who benefits from it?
The Guardian published a story about how the WhatsApp messenger discovered that at least 90 users had been hit by malware through a zero-click attack.
Here is what it is about and whose interests it serves.
What happened
WhatsApp, which is owned by Meta, said on Friday that about 100 journalists and other users of the messenger had been targeted by spyware from Israeli hacking software maker Paragon Solutions. They were warned that their devices could be compromised, and WhatsApp told the Guardian it had «high confidence» that the 90 users in question were targeted and «possibly compromised.»
It is not yet clear who is behind the attack, the publication writes. Like other spyware, the Paragon hacking software is used by government clients, and WhatsApp said it was unable to identify the clients who ordered the alleged attacks.
Experts said the attack was «zero-click,» meaning victims did not need to click on any malicious links to be infected.
What WhatsApp says
WhatsApp refused to disclose the whereabouts of the journalists and other victims, including whether they were in the United States.
Paragon has a U.S. office in Chantilly, Virginia. The company recently came under scrutiny after Wired magazine reported in October that it had secured a $2 million contract with the Homeland Security Investigations Division of U.S. Immigration and Customs Enforcement.
The department reportedly issued a stop work order on the contract to verify whether it complies with a Biden administration order restricting the federal government’s use of spyware. The Trump administration has rescinded dozens of Biden administration orders in its first two weeks in office, but a 2023 order that banned the use of spyware that poses a risk to national security remains in effect.
WhatsApp said it had sent a letter to Paragon demanding it «cease the attacks» and that it was exploring its legal options to respond to the incident. WhatsApp said the alleged attacks were thwarted in December and that it was unclear how long the targets might have been at risk.
«WhatsApp has disrupted Paragon’s spying campaign, which targeted a number of users, including journalists and members of civil society. We have reached out directly to the people we believe were affected. This is another example of why spyware companies must be held accountable for their illegal actions. WhatsApp will continue to protect people’s ability to communicate privately,» a company spokesperson said.
What is known about the malware and Paragon
Paragon Solutions declined to comment.
A person close to the company told the Guardian that Paragon has 35 government customers, all of which could be considered democratic, and that Paragon does not do business with countries, including some democracies, that have previously been accused of abusing spyware. The person said such countries include Greece, Poland, Hungary, Mexico and India.
Paragon’s spyware is known as Graphite and has capabilities comparable to NSO Group’s Pegasus spyware. Once a phone is infected with Graphite, the spyware operator gains full access to the phone, including the ability to read messages sent via encrypted apps like WhatsApp and Signal.
The company, which was founded by former Israeli Prime Minister Ehud Barak, recently became the focus of Israeli media attention after it was revealed that the group had been sold to American private equity firm AE Industrial Partners for US$900 million.
The deal has reportedly not yet received full approval from Israeli regulators. Cyber weapons such as Graphite and Pegasus are regulated by the Israeli Ministry of Defense. The Guardian contacted AE Industrial Partners, which is based in Boca Raton, Florida. The company’s website does not list Paragon among its investments.
How does infection occur?
WhatsApp said it believed the so-called vector, the means by which the spyware reached users, was a malicious PDF file sent to individuals who had been added to group chats. WhatsApp said it could «confirm» that Paragon was involved in the attack.
John Scott-Railton, a senior fellow at Citizen Lab at the University of Toronto, which tracks and identifies digital threats to civil society, said Citizen Lab provided WhatsApp with some information that helped the company understand the vector that was being used against the company’s users.
The group is expected to release a report in the future that will provide more details about the alleged targeting.
WhatsApp announced the news a few weeks after a judge in California ruled in favor of the company in a landmark case against NSO Group, a notorious spyware maker that was blacklisted by the Biden administration in 2021. At the time, the Biden administration said it had placed NSO on the so-called Entity List because the company was engaged in activities «contrary to the national security or foreign policy interests of the United States.»
NSO lobbied members of Congress to remove the company from the list.
WhatsApp sued NSO in 2019 after claiming that 1,400 users were infected with the company’s spyware. In December, Judge Phyllis Hamilton ruled that NSO was liable for the attacks and that NSO violated state and federal hacking laws, as well as WhatsApp’s own terms of service.
Does this mean WhatsApp is dangerous?
According to cyber expert Konstantin Korsun, this situation does not mean that WhatsApp is dangerous. «The makers of super-spyware can adapt it to the specifics of any messenger. WhatsApp can even be praised for publishing this story and creating a huge global scandal,» he notes. However, according to Korsun, every user of WhatsApp, Signal or Threema is at risk.
«The fact is that spyware is so expensive that only very rich intelligence services in very wealthy countries can afford it. For example, back in 2016, the aforementioned NSO Group sold its Pegasus for $500,000 (initial installation) plus $650,000 for every 10 infections. And in 2021, Predator was offered by the developer company Intellexa for 13.6 million euros at once — for 20 infections. That is, even then, the cost of infecting one smartphone (and not guaranteed!) cost from $65,000 to $680,000. And now the prices are clearly even higher,» Korsun assures.
The expert adds that the world is now full of lesser-known and cheaper spyware, which is distributed by much less secure messengers like Telegram. «Therefore, for the vast majority of users, it is enough to know and apply in practice well-known cyber self-defense practices: „don’t touch anything“, 2FA/MFA, TOR/VPN, using „encrypted“ messengers for confidential communication, regularly updating the operating system and applications, configuring protection for personal devices, being able to check sites for security, etc.,» Korsun summarizes.