Microsoft and the nonprofit Citizen Lab have released separate reports detailing spyware and hacking tools developed by the Israeli company QuaDream. According to the reports, the tools have been used against minority-party politicians and journalists in several countries, including Singapore.
QuaDream is a secretive Israeli spyware company that sells hacking tools to various governments around the world. Reuters reported last year that one of QuaDream’s first clients was the Singaporean government.
Citizen Lab’s report identified at least five civil society victims of QuaDream’s spyware and exploits in North America, Central Asia, Southeast Asia, Europe, and the Middle East. The victims included journalists, political opposition figures, and an NGO worker.
Citizen Lab identified more than 600 servers and 200 domain names that were linked to QuaDream’s spyware between late 2021 and early 2023.
The organization also identified countries from which QuaDream systems were operated, including Bulgaria, the Czech Republic, Hungary, Ghana, Israel, Mexico, Romania, Singapore, the United Arab Emirates (UAE), and Uzbekistan.
Citizen Lab’s report also highlighted a suspected iOS 14 zero-click exploit used to deploy QuaDream’s spyware. The exploit, called ENDOFDAYS, was deployed as a zero-day against iOS versions 14.4 and 14.4.2, and possibly other versions. The exploit appears to make use of invisible iCloud calendar invitations sent from the spyware’s operator to victims.
Citizen Lab received no response from QuaDream’s legal counsel when asked about the company’s business practices, human rights, and the potential for spyware abuse.
Its report notes that QuaDream’s obscurity reflects an effort to avoid media scrutiny that was successful for a time. However, once QuaDream infections became discoverable through technical methods, a predictable cast of victims emerged: civil society and journalists.
The reports underscore the need for greater regulation of the commercial spyware industry and increased scrutiny of the governments and companies involved in the buying and selling of these tools.
The commercial spyware industry has expanded rapidly in recent years, with companies like NSO Group and Cytrox coming under fire for the alleged use of their tools to target journalists, political dissidents, and other individuals.
Citizen Lab’s report notes that the industry for mercenary spyware is larger than any one company and that researchers and potential targets alike require continued vigilance.
“Until the out-of-control proliferation of commercial spyware is successfully curtailed through systemic government regulations, the number of abuse cases is likely to continue to grow, fueled both by companies with recognizable names, as well as others still operating in the shadows.”
Through a spokesperson, Apple told The Washington Post that it had no indication that the same software exploit has been used since then. Citizen Lab said that QuaDream is likely to have substituted a new exploit into its program that has not yet been detected.
Microsoft notes that preventing the exploitation of mobile devices by advanced actors who potentially have zero-click exploits is difficult.
In addition to enabling automatic software updates and using anti-malware software, Microsoft recommends in its report that individuals who believe they are targeted by advanced attackers and use an iOS device enable Lockdown Mode. This mode offers enhanced security for iOS devices by reducing the attack surface available to threat actors.
Spyware in Singapore
In Citizen Lab’s report, it is noted that Singapore’s constitution does not recognize the right to privacy, and state authorities have broad surveillance powers that bypass standard judicial mechanisms.
In September 2014, a Wikileaks media release noted that a Singapore company was one of several that had allegedly purchased “weaponized German surveillance malware” for use. The company in question was PCS Security Pte Ltd (PCS), which was incorporated in 1998 and headed by Singaporeans who were supposedly former Internal Security Department officers.
A 2018 Citizen Lab analysis found suspected Pegasus spyware infections in 45 countries, including Singapore.
In February 2022, Singapore’s Minister of State for Home Affairs, Desmond Tan, declined to discuss whether the government uses QuaDream’s spyware or other spyware technologies, citing the need to safeguard national security.
In that same parliamentary session, the Minister for Home Affairs and Law, K Shanmugam, responded to a question raised by WP MP Ms Sylvia Lim about a threat warning she received from Apple regarding the potential hacking of her phone by state-sponsored agencies.
The Minister said he had confirmed that Ms Lim’s phone has not been hacked by Singapore’s state agencies in the time between when the question was raised and the present moment, after having checked with the Security and Intelligence Division (SID), which falls under the Ministry of Home Affairs (MHA).