Spyware slinger QuaDream’s reported demise may be the canary in the coal mine
NSO and others are still out there, but pariahs find it hard to do business
Analysis Israeli spyware shop QuaDream is reportedly shutting down due to financial troubles.
The vendor was last week named by Citizen Lab as the source of a hacking tool being used by governments against journalists, dissidents, and advocacy groups.
The reported closure of the little-known nine-year-old company likely won't reduce the use of spyware - QuaDream's much higher profile and more infamous brethren, NSO Group, last year rolled out at least three new exploits targeting devices running versions 15 and 16 of Apple's iOS operating system.
However, pressure on the spyware industry is increasing, which may have helped hasten QuaDream's demise. Countries like the US and the European Union have pressured spyware vendors that offer software which allows users to surveil mobile devices (though a number of European countries are NSO customers). Other entities like Citizen Lab, Amnesty International, and security vendors are tracking the industry.
Spyware vendors had gone about their business without garnering attention for most of the last decade, as their insistence that their wares were only employed by vetted buyers conducting criminal or national security investigations was generally accepted.
But growing evidence that spyware was being used for political purposes saw its purveyors struggle to defend their products and practices.
"Everyone understands that [spyware] is a problem and that the industry is causing harm," John Scott-Railton, senior researcher at Citizen Lab and the Munk School of Global Affairs and Public Policy at the University of Toronto, told The Register.
Citizen Lab and Microsoft last week both reported that a zero-click exploit developed by QuaDream, and dubbed "Reign", was used to deliver spyware to victims' phones running Apple's iOS 14. The exploit abused the iOS calendar app, leading to the spyware compromising the devices and stealing data.
The knockout punch
QuaDream reportedly sold the spyware to several countries, with Citizen Lab tracking down malicious servers delivering Reign in at least 10 nations.
The reports appear to have proven fatal to QuaDream. According to Israeli business news site Calcalist, the spyware outfit was in deep financial strife for months before news of Reign emerged, and few employees remained by the time the weekend decision was made to close up shop.
In addition, the company's board of directors has been trying to sell QuaDream's intellectual property, Calcalist reported.
In a tweet, Amy Hogan-Burney, associate general counsel and general manager of cybersecurity policy and protection at Microsoft, applauded the work of both her company and Citizen Lab, adding that "continuing to publicly out these actors is essential to stopping cyber mercenary activity."
Scott-Railton, senior researcher at Citizen Lab, said that QuaDream's troubles demonstrate the difficulties spyware vendors face trying to operate under pressure brought by governments and organizations like Microsoft and his own employer.
He noted the "close set of relationships" NSO has with the Israeli government, adding that if not for such support, NSO likely would not have survived this long. However, even that support could be shifting, with Israel likely getting pushed by other countries to put a shorter leash on NSO.
The seas are getting rougher
The US under the Biden Administration is taking a fairly strong stand against spyware vendors. The government in November 2021 put NSO on the Commerce Department's blacklist and late last month issued an executive order banning the US government from using commercial spy tools in certain situations, such as if they pose a counterintelligence or security threat or could be improperly used by foreign governments.
European lawmakers have also turned their attention to NSO after European Commission officials and staff members were targeted in 2021 with Pegasus spyware. The EU that year created the PEGA Commission to investigate the use of the spyware in Europe.
Digital civil rights nonprofit organization Access Now said in a January 2023 report that NSO admitted to the Commission it had sold its product to 22 government entities in 14 EU countries, including Spain, Poland, Hungary, Belgium, and the Netherlands.
Also in 2021, a consortium of media organizations around the world launched the Pegasus Project that covered NSO-related incidents around the world.
NSO is still out there trading blows
While the business environment for spyware vendors is becoming more complex, NSO remains hard at work. According to a recent Citizen Lab report, customers of the Israeli firm last year deployed at least three new zero-click chain exploits – those which don't require the user to click on or download anything to run – aimed at iOS 15 and iOS 16 users around the world.
Citizen Lab discovered the exploits while investigating attacks against individuals in Mexico.
Citizen Lab named the three zero-click exploits LATENTIMAGE, FINDMYPWN, and PWNYOURHOME. After notifying Apple about the spyware, Apple improved the security of its HomeKit in iOS 16.3.1 in February.
Last year Apple hardened its products against spyware by introducing Lockdown Mode in iOS 16. That tool helped block the NSO attack and alerted users. It was a first, Scott-Railton said. In the past, the industry could only suggest that users enable Lockdown Mode; now he and others can say there is proof it works.
But NSO appears to have fought back. In its report, Citizen Lab noted that the Lockdown Mode feature worked "for a brief" period against PWNYOURHOME.
"Although NSO Group may have later devised a workaround for this real-time warning, we have not seen PWNYOURHOME successfully used against any devices on which Lockdown Mode is enabled," the researchers wrote.
Spyware will remain a problem, Scott-Railton said. It's a billion-dollar market and there will always be companies that want a piece of it.
Not all will succeed, as QuaDream's demise demonstrates, but the company's expertise and IP will likely find its way to another vendor. Indeed, QuaDream was founded by a group that included two former NSO workers.
That said, the environment for the companies is getting more difficult. QuaDream was relatively secretive; at least for much of its history it didn't even have a website. Yet, for years NSO officials were vocal about its products' powers.
However, a goal for many of these vendors is to sell their wares to Western entities, Scott-Railton said. NSO's notoriety, which helped drive visibility, may now be a hindrance as it continues to "sell to countries that you know will abuse it [which] sends a message to people that you just don't care." That could scare off countries that otherwise might be customers.
NSO "is not the boastful bully that it once was," he added. ®