The messaging app claimed to have “high confidence” that Paragon Solutions malware had targeted and “possibly compromised” a few users.
On Friday, WhatsApp, the well-known messaging program owned by Meta, said that it had stopped a malware operation, a hacking effort that targeted over 100 users, including journalists and other civil society representatives. WhatsApp told the Guardian it had “high confidence” that the 90 users in question had been targeted and “possibly compromised,” and that it was warning the journalists and other members of civil society of a potential hack of their devices.
The identity of the attacker remains unknown. WhatsApp claimed it was unable to identify the clients who commissioned the alleged attacks; as with other spyware manufacturers, Paragon’s hacking tools are used by government clients.
The campaign was connected to Paragon, an Israeli spyware manufacturer that was purchased by American private equity firm AE Industrial Partners in December of last year, a WhatsApp representative told TechCrunch.
“We have made direct contact with those we feel were impacted. This is the most recent illustration of why spyware businesses need to answer for their illegal activities.” WhatsApp spokesman Zade Alsawah assured TechCrunch that the company will keep safeguarding users’ private communication rights.
According to experts, the targeting was a “zero-click” attack, meaning that targets would not have needed to click on any malicious links to become infected. WhatsApp claimed to have issued a patch to stop the hacking campaign’s use of malicious PDFs shared over WhatsApp groups to infect targets.
John Scott-Railton, a senior researcher at The Citizen Lab who has spent years studying spyware businesses and their misuses, told TechCrunch that they have also seen this hacking effort by Paragon employing this particular attack vector and are looking into it.
WhatsApp declined to say where the journalists and civil society representatives were located, including whether they were in the United States. WhatsApp told TechCrunch that it had delivered a cease and desist letter to Paragon and that it thought the hacking effort took place in December.
The US headquarters of Paragon are located in Chantilly, Virginia. The company has been under fire lately because Wired magazine revealed in October that it had signed a $2 million deal with the Homeland Security Investigations branch of US Immigration and Customs Enforcement.
Paragon CEO Idan Nurick did not answer a request for comment sent via LinkedIn. A request for comment sent to AE Industrial was not answered.
This is the first time Paragon has been publicly associated with a hacking effort that purportedly targeted civil society activists and journalists. Since its establishment in 2019, Paragon has managed to maintain a low profile and stay out of the spotlight, unlike other spyware manufacturers such as Intellexa and NSO Group, which have both been targeted by the US government. NSO Group was placed on a blocklist, while Intellexa and its founders were sanctioned.
As Wired disclosed last year, Paragon entered into a contract with the U.S. Immigration and Customs Enforcement in September through its U.S. company. According to a Paragon source quoted by The New Yorker, the contract was awarded following a screening procedure in which the business proved its technology had safeguards against foreign clients targeting Americans.
The identities of the targets of this WhatsApp-disclosed malware campaign are still unknown.
WhatsApp’s measures were praised by Natalia Krapiva, senior tech-legal counsel at Access Now, a digital rights group that looks into spyware abuses.
“Paragon has long been seen as a ‘better’ spyware company that hasn’t been linked to any blatant misuses, but WhatsApp’s recent disclosures imply otherwise,” Krapiva told TechCrunch. “The commercial spyware industry is known for these kinds of abuses, so it’s not just a matter of a few bad apples.”
According to Paragon’s official website, the company “offers our customers ethically based tools, teams, and insights to disrupt intractable threats.”
According to reports, the division placed a stop-work order on the contract to check whether it complied with an executive order issued by the Biden administration that limited the federal government’s use of spyware. The 2023 directive, which forbade the use of malware that constituted a national security risk, is still in force even though the Trump administration has repealed scores of the Biden administration’s executive orders in its first two weeks in office.
WhatsApp stated that it was investigating its legal options and that it had issued Paragon a “cease and desist” letter. WhatsApp stated that it was unclear how long the targets would have been in danger and that the purported attacks had been stopped in December.
WhatsApp will get in touch with the victims of the purported hacking, who are now being notified by the business.
“WhatsApp has thwarted a Paragon malware operation that targeted a variety of users, including civil society representatives and journalists. We’ve made direct contact with those we think were impacted. This is the most recent illustration of why spyware businesses need to answer for their illegal activities,” a company representative stated. “WhatsApp will continue to protect people’s ability to communicate privately.”
Paragon Solutions chose not to respond.
According to a person close to the company, Paragon had 35 government clients, all of whom could be regarded as democratic, and it avoided doing business with nations that had previously been accused of misusing spyware, including several democracies, the Guardian said. According to the source, that included Mexico, India, Greece, Poland, and Hungary.
The features of Graphite, the spyware from Paragon, are similar to those of Pegasus, the malware from NSO Group. Once a phone has been infected with Graphite, the spyware operator has complete control over the device, including the ability to read messages transmitted through encrypted apps like Signal and WhatsApp.
Former Israeli Prime Minister Ehud Barak created the corporation, which has lately been the focus of Israeli media coverage following allegations that the organization was sold to AE Industrial Partners, a US private equity firm, for $900 million.
According to reports, Israel’s regulators have not yet given the purchase their full approval. The Israeli Ministry of Defense regulates cyberweapons such as Pegasus and Graphite. The Guardian contacted AE Industrial Partners, which is based in Boca Raton, Florida. The company’s website does not include Paragon as one of its investments.
“Paragon has long been seen as a ‘better’ spyware provider that hasn’t been connected to any glaring misuses, but WhatsApp’s most recent disclosures seem to contradict that,” said Natalia Krapiva, senior tech legal counsel at Access Now. “This is not just a problem of a few bad apples; these kinds of abuses are a feature of the commercial spyware industry.”
WhatsApp said that it thought a malicious PDF file sent to users who had been added to group conversations was the “vector,” or how the spyware was delivered to users. WhatsApp claimed to be able to link Paragon to this targeting with “confidence.”
According to John Scott-Railton, a senior researcher at the University of Toronto’s Citizen Lab, which monitors and detects online threats against civil society, WhatsApp received some information from Citizen Lab that helped the company understand the vector that was employed against its users.
In the future, the organization is anticipated to release a report that will include further information regarding the purported targeting.
WhatsApp made the announcement a few weeks after a California judge decided in the company’s favour in a historic lawsuit against NSO Group, the well-known spyware manufacturer that the Biden administration had put on a commerce department blacklist in 2021. NSO was put on the so-called entity list by the Biden administration at the time due to its involvement in actions “that are contrary to the national security or foreign policy interests of the United States.”
NSO has lobbied members of Congress to have the company removed from the list.
In 2019, WhatsApp claimed that 1,400 users had been infected by NSO’s malware and launched a lawsuit against the firm. Judge Phyllis Hamilton ruled in December that NSO was responsible for the attacks and that it had breached both WhatsApp’s own terms of service and state and federal hacking laws in the United States.