Israeli Spyware Spreads across the Middle East… Again

In mid-April 2023, the Citizen Lab, a University of Toronto lab researching the convergence between information security and human rights, released a report investigating the Israeli spyware vendor QuaDream. The lengthy report offered a unique look into some previously unknown spyware likely created by QuaDream. Spyware, or spying software, is malicious software that secretly spies on victims and gathers information about them.

QuaDream is a highly secretive Israeli company founded in 2016 by a former Israeli Defense Forces official and former NSO Group employees, and develops and sells offensive hacking tools to governments around the world. Similar to the infamous spyware “Pegasus” sold by the Israeli NSO Group, QuaDream gained notoriety through selling its flagship spyware “Reign.”

Reign, like Pegasus, is purportedly capable of using “zero-click” exploits to infect mobile devices, meaning a victim need not click a malicious document or link to get hacked. Some types of spyware, like older versions of NSO Group’s Pegasus, are known as “one-click” exploits, meaning they need to be physically clicked by victims to be activated. Operators of this malware typically send a lure, or a message enticing a user to take an action, to get users to interact with a malicious prompt to download and execute the spyware. Other types, like more recent versions of Pegasus, Reign, and QuaDream’s newer spyware, deliver zero-click spyware to victims exploiting different iPhone vulnerabilities requiring no interaction from users, such as an unsolicited message or calendar invite. According to Reuters, government clients could use Reign to directly control a victim’s smartphone, gaining immediate access to a victim’s instant messaging services (including Signal and WhatsApp), emails, photos, and contacts, and gain the ability to record calls, activate cameras, and listen to a phone’s microphone. Citizen Lab calls such products “mercenary” spyware: a type of software with little concern for ethics and maximum concern for profit.

QuaDream, a highly secretive Israeli company, developed Reign, a zero-click software that can infect mobile devices regardless of clicks. Governments can directly control a victim’s smartphone, including Signal and WhatsApp, emails and microphones.

In a similar vein, Citizen Lab’s report highlights how QuaDream’s newer spyware boasts a dizzying array of surveillance capabilities targeting iPhone users. Like NSO Group’s Pegasus and QuaDream’s Reign, the newly detailed Israeli spyware can, without a victim’s knowledge, record live phone calls and from the microphone, take unsolicited and unwarranted pictures with front and back cameras, exfiltrate information, and track a user’s location. The spyware also appears to be able to destroy itself and remove most traces of its existence. The malware critically appears to have taken advantage of what’s known in the cybersecurity world as a “zero-day” exploit, or a security flaw that developers do not currently know about and have no current fix for. In the case of QuaDream, its exploit affected iOS 14 devices (for reference, Apple just released iOS 17). Because Apple did not know about this security issue for some time, it was a highly lucrative surveillance offering (Apple, however, has since patched the security flaw). And, like with NSO Group’s offensive security products targeting iPhones, it appears that QuaDream’s spyware was too good to resist for some autocrats in the Middle East and North Africa. QuaDream previously sold hacking products to Saudi Arabia and has reportedly had talks with Moroccan officials, and Citizen Lab traced the use of QuaDream’s malware to the United Arab Emirates—all states with a history of surveilling dissidents at home and abroad. While QuaDream’s products are highly sophisticated and its client list is growing, it is but a symptom of a larger problem. Beyond QuaDream and its latest malware looms a burgeoning industry of Israeli companies specializing in mercenary spyware that gives government clients, including throughout the Arab world, profound access to everyday digital devices.

QuaDream’s spyware was too good to resist. They sold hacking products to Saudi and has reportedly had talks with Moroccan officials. Citizen Lab traced the use of the malware to UAE —all states with a history of surveilling dissidents at home and abroad.

A cyber mercenary industry explodes

In more ways than one, Israel’s government-supported cybersecurity industry has exploded in size and power. In what has become a well-documented trend, offensive cyber technology has become a major export of the Israeli economy in and beyond Arabic-speaking countries. Bahraini, Egyptian, Emirati, and Saudi authorities have all reportedly used Israeli surveillance technology to track or persecute prominent political dissidents over the past decade. In a show of force of the UAE’s willingness to use Israeli technology in 2016, an Israeli-owned company helped the UAE install Falcon Eye, its premier camera-based mass surveillance system. In 2019, Israeli military intelligence veterans were tied to the creation of ToTok, a popular Emirati social media app secretly operating as spyware. A New York Times investigation into ToTok revealed that its parent company, Breej Holding, was likely a front company for the Abu Dhabi-based hacking company DarkMatter, which has reportedly sought to hire recruits from Unit 8200, Israel’s military intelligence’s elite offensive cyber unit. In a 2018 exposé further detailing the global spread of Israeli spyware, Citizen Lab found suspected Pegasus infections in 15 countries in the Arabic-speaking world (and 45 countries worldwide) and documented an apparently major expansion of the Gulf countries’ use of Pegasus domestically, specifically calling out Bahrain’s, Saudi Arabia’s, and the UAE’s use of spyware tools to track dissidents.

In 2020, official Israeli estimates put Israel’s cyber exports at US$6.85 billion. That same year, acquisitions of Israeli cyber companies yielded US$4.7 billion, and sophisticated technology exports comprised 43% of all Israeli exports. Moreover, Israel’s defensive and offensive cyber exports are estimated to be worth around US$10 billion annually. Between 2010 and 2019, the number of Israeli cyber firms increased by 100%, and Israeli cyber exports increased by 600% between 2011 and 2019. Countless Israeli cyber firms specializing in developing sophisticated spyware technology have sprouted as the industry has grown, such as Black Cube, Bluehawk, Candiru, Cellebrite, Cobwebs, Cognute, Cytrox, NSO Group, QuaDream, and Toka (prominently, Toka was founded by former Israeli Prime Minister Ehud Barak). Total domestic and foreign funding for Israeli cyber startups has consistently reached well over a billion dollars yearly since 2018, and Israeli cyber firms in 2020 received over 30% of global investment in this sector. The FBI also purchased Pegasus software, though it later decided against using it.

Explicit Military Support, International Cyber Cooperation, and Surveillance of Palestinians

Israel’s cyber industry is intimately supported and funded by Israel’s military. Through various research agreements and close ties between academic and government institutions, civilian- and state-owned businesses, and the Israeli Defense Forces, Israel props up and provides an incubating environment for its cyber firms—some of which earned the esteemed title of being sanctioned by the US Commerce Department for their “malicious cyber activities.” Israel’s government provides eased export and licensing policies, grants, subsidies, and tax exemptions to cyber tech companies and invests hundreds of millions of US dollars in different ways into the sector. Israel also has cyber cooperation and agreements with 90 countries internationally, and Israel and Israeli cyber companies significantly benefit from international cyber cooperation deals. A prominent example of this, the European Union’s 2007-2013 Seventh Framework Programme, resulted in Israeli organizations receiving grants worth over US$1.06 billion. Unit 8200 also funnels former personnel to Israel’s cyber industry, creating an intimate, revolving door-style relationship between Israel’s chief cyber unit and Israeli startups interested in commercializing technology predicated on violating the privacy of others.

Sophisticated Israeli surveillance technology is widely recognized as a major component of Israel’s systematic occupation of Palestinians. A report released by Amnesty International from early May 2023 documented Israel’s extensive use of biometric recognition systems and highly advanced surveillance technologies to control Palestinian bodies and, as Amnesty International’s secretary general puts it, “automate apartheid against Palestinians.”

Sophisticated Israeli surveillance automates apartheid against Palestinians. A report released by Amnesty in May 2023 documents Israel’s extensive use of biometric recognition systems and surveillance technologies to control Palestinian bodies.

Israel uses a biometric security system called “Red Wolf” to surveil and control Palestinians. Red Wolf, which was developed by the Israeli military, uses cameras to scan Palestinians’ faces without their consent, adds their biometric information to surveillance databases, and automates restrictions on Palestinians’ movement. Israeli authorities use Red Wolf in occupied East Jerusalem, in Hebron, and in and around other illegal settlements. Amnesty’s research suggests that Red Wolf is tied to two additional surveillance apparatuses, “Wolf Pack” and “Blue Wolf,” created and run by Israel’s military to store and quickly access vast amounts of information on Palestinians and their families. As Amnesty International argues, in addition to violating any semblance of following international law when it comes to surveillance, Israel’s use of such surveillance tools against Palestinians restricts the Palestinian people’s freedom of movement, helps further segregate Palestinians, and upholds Israel’s system of apartheid.

Making the world a more dangerous, not safer, place

Although firms in the business of selling offensive cyber technology like to claim they are making the world a safer place, technology that aims to penetrate, pervade, and persist has one primary purpose (beyond making a profit): to gather and sell information. Further muddying Israeli companies’ attempts to construct a squeaky-clean, safety-first reputation, autocratic regimes have notoriously relied on Israeli cyberweapons to surveil and oppress civilians, particularly political opponents, dissidents, and LGBTQIA+ individuals. A fundamental affront to the ever-shrinking freedom to privacy and part and parcel to Israel’s occupation of Palestinians, companies like NSO Group and QuaDream make a concerted effort to control digital space, making the world an increasingly dangerous place when it comes to one of the most essential things that makes us human.

This article was proofread by Paul Daubman, a malware analyst, and Reese Lewis, a cybersecurity researcher.