Paragon Solutions and Graphite Spyware: An Overview and Investigation
Founded in Israel in 2019, Paragon Solutions offers a spyware tool named Graphite, which it claims has built-in safeguards to mitigate abuses commonly associated with similar products like NSO Group’s Pegasus. The company aims to differentiate itself by adhering to a policy of only selling to governments that respect fundamental rights.
Recent investigations have identified potential customers of Paragon’s spyware in various countries, including Canada, where links have been discovered between Paragon and the Ontario Provincial Police. Evidence points toward a burgeoning ecosystem of spyware usage among police services in Ontario.
The Citizen Lab, a research group focused on defending civil liberties in the digital realm, collaborated with Meta (formerly Facebook) to analyze Paragon’s infrastructure. Their findings contributed to WhatsApp identifying and neutralizing a zero-click exploit related to Graphite, subsequently notifying over 90 targets, including civil society members in Italy.
A comprehensive forensic analysis of Android devices belonging to some of the notification recipients in Italy revealed signs of Graphite infections. Further scrutiny extended to an iPhone belonging to an associate of these targets, which showed evidence of a different spyware attempt, underscoring a broader concern regarding the use of various surveillance technologies in tandem.
Paragon Solutions operates as Paragon Solutions Ltd. in Israel, with prominent founders including former Israeli Prime Minister Ehud Barak. In the U.S., Paragon Solutions (US) Inc. was set up in 2021 by personnel with connections to the U.S. government, and a significant portion of its operations is now overseen by Paragon Parent Inc., a Delaware-registered corporate entity that acquired Paragon Israel for $500 million.
Investigations into Paragon’s infrastructure revealed a mix of cloud-based and terrestrial server deployments, linked to the spyware through distinctive self-signed certificates. This infrastructure enables what is referred to as a "Tier 1" command and control system, believed to facilitate communication with victim devices. Moreover, second-tier nodes reflect Paragon’s operational ties to local telecommunications in multiple nations, implying ongoing international deployments of the spyware.
Particularly concerning are the ties to Canadian law enforcement. The Ontario Provincial Police appear to be a potential customer, as indicated by investigations into a company named Integrated Communications, which shares an address with the OPP. Similar scrutiny has pointed to the OPP’s controversial history regarding its procurement of surveillance technologies, extending to alleged use of spyware without judicial oversight.
The pattern of spyware use against Italian civil society organizations depicts a disturbing trend. Targets include journalists and human rights advocates, suggesting a targeted attack strategy against individuals critiquing governmental operations, particularly regarding migration and humanitarian efforts.
Italian authorities have acknowledged engagements with Paragon but have struggled with transparency, providing conflicting responses when inquiries have been raised. Legislative bodies in Canada have also recognized the troubling implications of spyware technologies and recommended regulatory reforms. However, action on these suggestions has been minimal.
The Citizen Lab emphasizes the critical role of tech companies like Meta in identifying and curtailing such surveillance tactics. The collaboration has drawn attention to the risks inherent in mercenary spyware and has underscored the necessity for accountability measures against these technologies.
Overall, while Paragon Solutions positions itself as adhering to ethical standards by serving only select governments, evidence suggests a troubling usage of its products in surveilling civil society actors globally. These findings reiterate the importance of comprehensive regulations to prevent potential abuses by spyware manufacturers and their governmental customers.