WhatsApp says it disrupted a hacking campaign targeting journalists with Paragon spyware | TechCrunch

Another year…another targeted spyware campaign aimed at journalists and civil society members. This time, the company of concern is technically owned by an American private equity firm 🙃

WhatsApp said on Friday that it had disrupted a hacking campaign that targeted around 90 users, including journalists and members of civil society.

A WhatsApp spokesperson told TechCrunch that the campaign was linked to Paragon, an Israeli spyware maker that was acquired in December of last year by American private equity giant AE Industrial.

Paragon’s attack vector is also quite interesting.

WhatsApp said that the hacking campaign used malicious PDFs sent via WhatsApp groups to compromise targets and said it had pushed a fix to prevent this mechanism.

Did the victims have their phone numbers leaked or publicized? I am not sure if this was exactly what happened, but they could have been added to these group chats without consent.

2 Likes

One victim (an Italian investigative journalist) has now come forward and identified themselves. This is extremely concerning for freedom of the press in the EU given it seems possible, if not likely, that the Italian government may be behind this.

3 Likes

Very brave. It is not uncommon for activist/investigative journalists to end up behind bars (as happened in Jordan).

I personally know of an entire newsroom targeted by mercenary spyware (presumably planted by the State). Some of its main journos moved to the UK / Canada fearing for their lives.

2 Likes

Read the linked article. I get infuriated that human rights activists and journalists are targeted for trying to make the world a better place. Wish journalists had more protections and better honor for freedom of press.

2 Likes

Seems like a weird attack vector to my uneducated eye. Zero click by sending malicious PDFs in group chats? You can block people from directly adding you to group chats, so there must be some reason group chats were used even with this additional obstacle. Also can’t find if it compromised the whole device or just WhatsApp. Hopefully Citizen Lab’s future report will give some clarity.

1 Like

It does seem weird from my end too. Unless of course, the victims did not disable that feature in their WhatsApp settings…but that seems unlikely

1 Like

The work of the three alleged targets to have come forward so far – Casarini, the journalist Francesco Cancellato, and the Sweden-based Libyan activist Husam El Gomati – has one thing in common: each has been critical of the prime minister, Giorgia Meloni. The Italian government has not responded to a request for comment on whether it is a client of Paragon.

Italian involvement is starting to look less and less like speculation.

2 Likes

Whoops, it made it a reply to you! Anyway, lots of text upcoming…

Fanpage (the Italian investigative news outlet) wrote an article about the hack, including the message received from WhatsApp. Also on TechCrunch in English, with more of the message:

“This is a message from WhatsApp,” read the message in Italian, which was obtained by TechCrunch. “In December, WhatsApp interrupted the activities of a spyware company which we believe attacked your device. Our investigations indicate that you may have received a harmful file via WhatsApp and that the spyware may have resulted in accessing your data, including messages saved on the device.”
“We have made changes to prevent this specific attack from happening again. However, your device’s operating system may remain compromised due to the spyware,” continued the message.

It appears it isn’t the entire message, however, as this is stated later:

WhatsApp’s message to Cancellato suggested he could contact Citizen Lab …


Spyware maker Paragon confirms US government is a customer:

Paragon’s executive chairman John Fleming said in a statement to TechCrunch on Tuesday that “Paragon licenses its technology to a select group of global democracies — principally, the United States and its allies.”
Fleming also said that Paragon “requires that all users agree to terms and conditions that explicitly prohibit the illicit targeting of journalists and other civil society figures. We have a zero-tolerance policy against such targeting and will terminate our relationship with any customer that violates our terms of service.”

Ynetnews reported on Monday that Italy is a Paragon customer.


Italy says seven people targeted by spyware on WhatsApp
https://www.reuters.com/world/italian-sea-rescue-activist-targeted-with-spyware-according-meta-alert-2025-02-05/

In a statement, Meloni’s office said the cybersecurity agency was informed by WhatsApp, via a law firm, about seven confirmed cases in Italy, but was not told the names of the people affected, “to protect their privacy.”
ACN was also told that spyware was found among WhatsApp users in other European Union nations, namely Belgium, Greece, Latvia, Lithuania, Austria, Cyprus, Czech Republic, Denmark, Germany, Netherlands, Portugal, Spain and Sweden.

Prime Minister Giorgia Meloni’s office said it asked the National Cybersecurity Agency to look into the affair, while denying any involvement, after …

Agenzia per la Cybersicurezza Nazionale (ACN; Italian: National Cybersecurity Agency) is an Italian government agency.

The countries listed are based on the phone numbers’ country codes.

Reminder: “targeted around 90 users … [WhatsApp] said that the targets were in over two dozen countries, including several in Europe.” Separately: “a person close to [Paragon] said it had about 35 government clients, which the person described as democratic governments.” More than 24 countries, and now here are 13 European countries listed… I think that a country does not necessarily correspond to a client. E.g. one of the public targets was a Sweden-based critic of the Italy-Libya migration pact. But at the same time, in 2022 Pegasus spyware maker NSO had active contracts with 12 of the 27 European Union members.


Paragon Solutions … has terminated its client relationship with Italy, according to a person familiar with the matter.
The person familiar with the matter, who spoke to the Guardian on the condition of anonymity, said Paragon had “out of an abundance of caution” initially suspended the Italy contract when the first allegation of potential abuse of the spyware emerged last Friday. The decision to fully terminate the contract, the person said, was made on Wednesday after Paragon determined that Italy had broken the terms of service and ethical framework it had agreed under its Paragon contract.

No longer speculation that Italy is a customer but confirmed it seems like.


Paragon demands Italy respond to the allegation, and hints Paragon may believe Italy has lied. Paragon has two Italian clients (law enforcement & intelligence). (The linked article requires registration to read. Also, this is the relevant Citizen Lab researcher, and they have been consistently posting about this story on their Twitter.)

2 Likes

A lot of finger-pointing so far. Sad that nobody’s taking responsibility.

I don’t understand how app attacks like this get out of the app sandboxing. The articles seem to suggest that the spyware can target the whole device, not just the WhatsApp chats. By accessing the PDF reader, do they use an OS vulnerability? Meta again seems to be ignoring their responsibility to release info for researchers.

The fundamental reason this happens is that, in the von Neumann architecture (all modern computers), data is indistinguishable from code.

This means, when you’ve got unsafe code parsing / reading malicious data, funny things happen. The key, then, is to write safe code, not solely rely on sandboxing.

Highly recommend reading this blog post on how media files (a common way to get code to parse data) pwned Android, back in the day. These bugs led to dramatic changes in the Android Framework’s design wrt security (work that’s still ongoing).

I’m sure they’re learning, but you’ve a point (which I don’t agree with) that something as ubiquitous as WhatsApp ought to have its infrastructure / code more permissively accessible to researchers. It doesn’t help that Meta’s CISO (Chief Information Security Officer) is a former Unit 8200 lead, from whence spyware companies like NSO & Paragon have propped up.

2 Likes

Citizen Lab’s report on Paragon spyware got released. It covers their analysis of Paragon’s infrastructure and the forensic analysis of infected devices. Here’s a twitter thread summary if you prefer that.

1 Like

It’s not a weird attack vector if you consider that the majority of people didn’t even realise that the setting to only allow contacts to add them to groups even exists. Where I am, WhatsApp is huge; everyone and their grandma uses it. And you’d see tech news blogs posting tutorials on how to limit that add-to-group option. The first time I saw that, my reaction was the same: people didn’t know that’s even a thing? Turns out average people don’t; they just use WhatsApp as it is with the default settings, without even going into the settings to change anything.

It isn’t the people. It isn’t even WhatsApp. It is just scammers being scammy.

It must be said though, if WhatsApp had end-user security at the top of its list, they’d not hesitate to provide a “lockdown mode” (front and center) which disables settings that make these “0-click” rings possible.

Unless there are laws and regulations that hold orgs building software used by 50%+ of humanity responsible (think banks), and criminalization of cash-rich orgs that build/use offensive tech irresponsibly (think robber barons), nothing much of note will come to pass.

2 Likes

If you’re referring to my comment: But why group chats in the first place? Why risk that your target (some of whom were informed by Meta that they may be targeted by sophisticated hackers, and are thus more likely to have restricted their accounts for safety) may have disabled group chats? Why not directly send them the payload instead? These aren’t average people - these are journalists who are likely more aware of the risk.

Citizen Lab’s report is more about the spyware industry, covering Paragon’s infrastructure, their customers and their targets, only briefly covering the attack vector and forensic artifacts. That’s obviously important and interesting too (if not more!), but it seems that WhatsApp/Meta was more involved in the actual attack vector itself, with Citizen Lab only stating that the “attacker adds [the] victim to [a] WhatsApp group in a specific way” before sending the PDF, after which WhatsApp automatically parses the PDF, exploiting the vulnerability (but confirming it did infect the entire device). All I found was this article stating that WhatsApp “addressed the attack vector late last year ‘without the need for a client-side fix’ and decided not to assign a CVE-ID after ‘reviewing the CVE guidelines published by MITRE, and [its] own internal policies.’” Maybe a future Citizen Lab report or Meta’s Adversarial Threat Report of Q1 2025.

(Quote emphasized to highlight what I am specifically talking about)

There’s WhatsApp’s lawsuit in which NSO Group was found liable. But other than that… There are calls for regulation of spyware by the very same countries using said spyware that haven’t resulted in anything concrete as of yet, so personally I don’t have high hopes for that, unfortunately.

1 Like