WhatsApp has identified and disrupted a spyware campaign targeting nearly 100 journalists and civil society members. The attacks, orchestrated using spyware developed by Israeli firm Paragon Solutions, were halted in December. In response, WhatsApp has sent a "cease and desist" letter to Paragon and is evaluating further legal actions. The company suspects that the spyware was disseminated via malicious PDF files shared in group chats.
Paragon Solutions, known for its spyware named Graphite, offers capabilities comparable to the infamous Pegasus spyware by NSO Group. WhatsApp maintains "high confidence" that the 90 individuals in question were targeted and possibly compromised. The communication platform has faced scrutiny for a $2 million contract with the US Immigration and Customs Enforcement's homeland security investigations division, as previously reported by Wired magazine.
In 2021, the Biden administration placed NSO Group on a commerce department blacklist due to activities deemed "contrary to the national security or foreign policy interests of the United States." WhatsApp had previously filed a lawsuit against NSO in 2019 after alleging that 1,400 users were infected by NSO's spyware.
Paragon Solutions, while headquartered in Israel, operates a US office in Chantilly, Virginia. The company is currently notifying victims of the alleged hacking, with WhatsApp reaching out directly to those believed to be affected. However, WhatsApp has not disclosed the specific locations of the targeted individuals, nor has it identified the clients who ordered the attacks.
"WhatsApp has disrupted a spyware campaign by Paragon that targeted a number of users including journalists and members of civil society. We’ve reached out directly to people who we believe were affected. This is the latest example of why spyware companies must be held accountable for their unlawful actions. WhatsApp will continue to protect people’s ability to communicate privately," – WhatsApp spokesperson
The method of attack involved sending malicious PDF files to individuals added to group chats. This vector allowed the spyware to potentially infiltrate devices without the users' knowledge. The sophistication of Paragon's Graphite spyware underlines broader concerns about commercial spyware's role in privacy violations.
"This is not just a question of some bad apples – these types of abuses are a feature of the commercial spyware industry," – Natalia Krapiva, senior tech legal counsel at Access Now
WhatsApp's proactive measures include notifying affected users and ensuring future protection against similar threats. The company remains committed to safeguarding user privacy and holding accountable those responsible for unlawful surveillance activities.
"We’ve reached out directly to people who we believe were affected." – WhatsApp spokesperson
Despite WhatsApp's efforts to protect its users, challenges persist in identifying and addressing vulnerabilities exploited by sophisticated spyware. The inability to pinpoint clients behind the attacks further complicates the situation, highlighting gaps in international cybersecurity regulations.
"This is the latest example of why spyware companies must be held accountable for their unlawful actions." – WhatsApp spokesperson