
Israel Torpedoed Morocco Spyware Deal – and NSO Competitor QuaDream Shut Down

QuaDream offered zero-click infections for iPhone. Leaked code reveals their spyware may have abused WhatsApp. The firm also developed “terrifying” new spyware.

QuaDream, a boutique Israeli spyware maker that once boasted clients in Saudi Arabia, was long considered the biggest local threat to NSO Group, the most famous, and infamous, of the country’s cyber weapons makers. QuaDream’s spyware was the only one that could compete with NSO’s flagship product, Pegasus, which has come under scrutiny over misuse by clients around the world turning the powerful spying weapon against activists and journalists. Pegasus allows the targeting of someone’s iPhone without any action on their part and maintaining continued access to the device, all without their knowledge.

Reign, QuaDream’s zero-click spyware, lets its operator do much the same: take full control of a targeted smartphone and gain unfettered access to instant messages from services such as WhatsApp, Telegram and Signal, as well as emails, photos, texts and contacts, per code obtained by Haaretz. However, just a few weeks ago, the company told its employees it was shutting down.

Code and documents that were obtained by researchers and whose veracity was confirmed by Haaretz have now revealed the firm’s previously unknown software. Five different sources familiar with the Israeli spyware industry say the firm, which has long tested regulators, decided to shut down after failing to get authorization to sell its spyware to new clients (including Morocco).

Moreover, according to sources with knowledge of the firm and its activities, QuaDream also invested heavily in a number of new products and capabilities that failed to mature and make it to market. According to two of the sources, these included expanding their spyware’s scope to also be able to hack Android devices – as well as developing what was termed a “terrifying” new form of spyware. With no ability to make new deals, and both these and other efforts failing to reach fruition – albeit for different reasons – the firm decided to cut its losses and close up shop.

QuaDream is now working to sell off some of its assets to local competitors, according to two of the sources. Its research teams and outgoing staff are interviewing with other offensive cyber firms, they say.

Pieces of QuaDream’s code, which was leaked by an employee, likely by mistake, revealed not just the existence of Reign, but also Blue Spear, a previously unknown program that seems to serve as the web interface through which the targeted devices are likely infected.

On the left menu bar of the program, likely a demo version of the real product, operators can open new “cases,” and each case can have multiple missions, that is, multiple infected phones. Each case lists a manager, viewers, and a “blacklist” and “white list” of phone numbers that cannot (and presumably can) be targeted.

The code and screen captures of the web interface, which is also called Quantum in some cases, were found in a popular online repository used by programmers to share, store and collaborate on code. It was uploaded there by a user using a QuaDream email account. Others using similar organizational emails interacted with the code as well.

“The exposed source code shares network artifacts with samples of the Reign spyware seen by the Amnesty International Security Lab, confirming this code was developed internally by QuaDream,” said Donncha Ó Cearbhaill, an ethical hacker who heads the human rights organization’s technical research unit and is focused on investigations into cyberattacks against civil society.

Cearbhaill confirms that this code is internal to Quadream, but notes it may be more of a demo than a tactical working system. The code sheds light on the history of the spyware sold by QuaDream, nonetheless, showing the firm’s intentions and early developments.

Reuters previously reported that the firm had developed zero-click capabilities in 2021, in tandem with NSO and using a very similar method. However, the code revealed now is dated to May 2019, indicating the firm’s spyware was active earlier than thought.

Reuters described the 2021 capabilities as exploiting a loophole in iPhone’s iMessage service. Recently, Citizen Lab and Microsoft published a detailed investigation into the firm, revealing it had exploited other Apple services to gain access to iPhones as early as 2019. However, per the code, by 2019, if not 2018, QuaDream may also have been trying to use WhatsApp for infections.

According to pieces of code found in the repository, WhatsApp is one of the main vectors (an industry term for the method of infection) through which Reign is installed on a target’s devices.

It is unclear if the system exploits a security flaw in WhatsApp, or rather just uses the app to send nefarious messages that include a link to the spyware.

QuaDream developed zero-click capabilities for iPhones considered second in quality only to NSO’s, which also hacked devices by exploiting WhatsApp. But the firm, per a source who spoke to Haaretz, also hoped to compete with NSO and others over the Android hacking market. It is possible that WhatsApp was supposed to be the vector for Android attacks.

The code also reveals another attack vector that seems to target phones through WiFi networks. It was not clear if these efforts came to fruition and were sold.

“Invasive new attack vectors such as ‘zero-clicks’ in WhatsApp or tactical Wi-Fi pose a huge threat to human rights defenders. They make an already serious threat even more insidious and difficult to detect, enabling rights abusers to silently target critics with impunity,” Amnesty’s Cearbhaill says.

The entrance to Quadream's offices outside Tel Aviv, 2022

Last year, sources said, QuaDream abandoned these efforts, partly because it did not secure regulatory approval for their sale. The team behind them left and was absorbed almost in its entirety by a local competitor.

Cypriot servers

Two months before Apple patched the iMessage breach being exploited by both QuaDream and NSO known as Forced Entry, Haaretz’s Gur Megido first revealed the former firm’s existence to the world. He also outed its biggest client: Saudi Arabia.

However, while NSO’s deal with Saudi Arabia was formed through Israeli diplomatic back channels and received the blessing of the Israeli defense exports body, QuaDream’s sale was done through a Cypriot firm called InReach. That firm is allegedly beyond the purview of Israeli defense export regulators.

Many Israeli firms have long used Cypriot subsidiaries to augment their regulated operations. While some Israeli firms have chosen to relocate there altogether, QuaDream and its ties with InReach “tested” Israeli regulators, sources say.

InReach, per legal documents in Cyprus, was set up to promote the sales of QuaDream’s Israeli-developed products outside of the country. Sources and documents obtained by Haaretz seem to indicate that the firm operated from Cyprus for roughly a year. They suggest it ended some of its development operations in Israel in 2019, letting go of part of the Israeli staff (including the developer who posted the code online), relocating others to Limassol, and then disbanding the Cypriot offices’ operations by August 2020 altogether.

The QuaDream email account linked to the code repository was also used for a job posting, to try to enlist new workers to the firm through yet another company, where having a “foreign passport” was described as an advantage. “You won’t find a website, we enjoy staying below the radar,” 4dco, the supposed company behind the posting, wrote to describe itself on the headhunting site.

“Foreign passport an advantage.” The job posting from a QuaDream email account

QuaDream and InReach began a lengthy legal dispute in 2020 over allegations that QuaDream failed to make good on its commitment and pay InReach its percentage of sales. The legal battle ended in a $5 million settlement.

Moroccan woes

Following the backlash over the Saudi deal and the fallout with its Cypriot arm, sources say QuaDream has worked under strict Israeli oversight.

NSO has long enjoyed success in the West and still dominates the European market. But it has gained infamy for working with clients in less democratic parts of the world through sales backed and actively supported by Israel as part of Prime Minister Benjamin Netanyahu’s “cyber diplomacy.”

Unable to compete with NSO within the EU, and banking on Netanyahu’s digital arms policy, QuaDream focused its sales efforts on intelligence and law enforcement agencies in Asia, Africa and the Arab world: countries that can’t develop their own spyware, or those that failed to secure a deal with NSO.

Over the past two years, QuaDream held talks with at least four such nations, according to three of the sources. The talks initially received Israel’s blessings – pitching advanced spyware to foreign nations requires a permit – but the final deals did not.

The largest of the deals was with Morocco. Talks reportedly began in August 2021. The kingdom, which normalized ties with Israel as part of the Abraham Accords, has long been said to be a client of NSO. But Israel barred it from importing cyber technology after reports suggested it had misused Pegasus to target senior officials in Europe, including in France and Spain.

Claims that Pegasus was used by Moroccan operators to attempt to target a phone linked to French President Emmanuel Macron sparked a small diplomatic crisis between Jerusalem and Paris, with then-Defense Minister Benny Gantz visiting France to try to assuage its concerns.

According to sources, NSO failed to obtain authorization to renew its Morocco contract. QuaDream, whose talks with Morocco began earlier, didn’t receive a green light, either.

“The attempts by QuaDream to sell their spyware tools to Morocco, following numerous reported abuses of spyware targeting journalists and civil society, shows the total inability of the commercial spyware industry to police itself. Obscure corporate structures should not allow the spyware industry to side-step even the minimal existing controls. Hugely invasive spyware tools with capabilities such as Reign should be banned as their potential for abuse is simply too high,” said Amnesty’s Cearbhaill.

Amid a wider global debate about such spyware and how to regulate its sale, QuaDream’s final decision to shut down, sources say, was fueled by Israel’s decision in the fall of 2021 to drastically pull back the local cyber weapons industry. Israel took this step following the Pegasus Project revelations of NSO’s activities, and in the wake of American anger over misuse of its spyware.

In November 2021, it was revealed that a client in Africa had used Pegasus to spy on U.S. State Department officials. As a result, the U.S. blacklisted two Israeli firms, Candiru and NSO. The latter was already facing legal suits by Apple and by Meta, WhatsApp’s owner, for using the messaging app to infect devices.

In response, Israel did an about-face and drastically cut the list of countries to which sales of offensive cyber technologies were permitted, from roughly 100 to just over 35, most of them Western democracies. The move sent the local industry into a tailspin and led a number of firms to shut down.

QuaDream, no longer making use of its Cypriot front and heavily invested in talks with four non-Western states, failed to get authorization to renew many of its existing contracts and lost hope of getting any of its new deals approved.

The firm had invested heavily in developing what sources termed “new forms” of spyware, but failed either to reach a working product or to obtain a green light from Israel to sell what would still be considered an extremely sensitive technology. QuaDream is not the only firm that has worked to develop such technologies, but it seems to be the only firm that banked on their launch for its survival.

Despite Netanyahu’s return to power and the expected loosening of Israel’s regulatory grip to renew sales to less-than-democratic states, QuaDream’s management decided to cut their losses completely when Citizen Lab and Microsoft published a report revealing its activities.

According to a high-level source with knowledge of the spyware industry, QuaDream’s rise and fall is a prime example of the shifts that have taken place in Israeli offensive cyber space in recent years. “They had hoped to out-NSO NSO, but Israel’s decision to pull back sales according to American demands and impose strict regulations pulled the market from under their feet,” says the source. “If you can’t sell to places outside of Europe and the U.S., then the market is just not big enough for all of the firms, and only the big ones will survive.”


QuaDream, NSO and Israel’s Defense Ministry declined to comment. WhatsApp, which is currently suing NSO, said in response: “The spyware industry operates with no accountability and total disregard for the privacy and security of people around the world by exploiting bugs in mobile operating systems. Our focus is to advance the security of our products and work with others to hold companies like this to account.”

Source : Haaretz