Reports from Microsoft Threat Intelligence and Canadian internet watchdog, Citizen Lab, have revealed that hacking tools developed by Israeli firm QuaDream have been used to target political opposition figures, journalists, and an NGO worker in at least 10 countries.
In its report, Citizen Lab stated that the iPhones of at least five civil society victims had been hacked using surveillance software, which Microsoft believes is connected to QuaDream, a lower-profile competitor to the blacklisted NSO Group.
“Microsoft Threat Intelligence analysts assess with high confidence that a threat group tracked by Microsoft as DEV-0196 is linked to an Israel-based private sector offensive actor (PSOA) known as QuaDream,” Microsoft’s report reads. “QuaDream reportedly sells a platform they call REIGN to governments for law enforcement purposes. REIGN is a suite of exploits, malware, and infrastructure designed to exfiltrate data from mobile devices.”
Citizen Lab carried out internet scanning to locate QuaDream’s servers and was able to identify some of the operator locations.
“We detected systems operated from Bulgaria, Czech Republic, Hungary, Ghana, Israel, Mexico, Romania, Singapore, United Arab Emirates (UAE), and Uzbekistan,” Citizen Lab’s report read. The report also stated that QuaDream had pitched its services to Morocco and Indonesia.
The spyware created by QuaDream used malicious iOS calendar invites that don’t prompt a notification on the iPhone, making them undetectable to the device owners. While the reports didn’t pinpoint the targets of QuaDream’s software, the allegation could still have a negative impact on the organization.
QuaDream, which sells its eavesdropping services to government agencies, was incorporated in 2016 by former NSO employees. The spyware organization was recognized internationally after a 2022 Reuters report cited its REIGN platform and “zero-click” capabilities. The company doesn’t have a website or social media presence and maintains a very low profile.