US-backed Israeli company's spyware used to target European journalists
apnews.com | 728 points by 01-_- 5 days ago
> Ciro Pellegrino, who heads the Naples newsroom of an investigative news outlet called Fanpage.it, received a notice on April 29 that his iPhone had been targeted. Last year, Fanpage secretly infiltrated the youth wing of Meloni’s Brothers of Italy party and filmed some of them making fascist and racist remarks.
It's never a good look going after journalists, but this seems especially petty.
People talk about Japan but if there is one country that has never distanced itself from their role in WW2 it's Italy.
Of course they get away with it because literally nobody has ever taken Italy seriously in centuries.
Attending a political party's events and reporting what they say and do is petty?
Deploying spyware against journalists in retaliation for their exposing racism in the governing party's youth wing is petty.
Sorry I misunderstood, I thought you were saying Fanpage's actions were petty.
There is now a rich history in outsourcing activities that would otherwise be illegal to other countries where it is legal. For example, the CIA's extreme rendition [1], knowingly sending prisoners to countries to be tortured and/or executed. This is how such countries make themselves useful to American empire.
Likewise, restrictions on the NSA spying on American citizens, for example, are bypassed by outsourcing that spying to, say, other Five Eyes countries.
Israel's role in this is hacking phones of politicians, dissidents and now journalists on the behalf of the US and its allies, including Saudi Arabia [2].
The Israeli company NSO Group was sued by WhatsApp for their use of Pegasus [3], something Israel tried to intervene to block [4].
I honestly don't know how people work on things like Pegasus knowing it's being used to target and kill journalists and politicians.
[1]: https://www.pbs.org/frontlineworld/stories/rendition701/upda...
[2]: https://www.nytimes.com/2021/07/17/world/middleeast/israel-s...
[3]: https://www.bbc.com/news/articles/c77n76kzmz4o
[4]: https://www.amnesty.org/en/latest/news/2024/07/israels-attem...
Chomsky described these countries as "mercenary states". One of his books, Understanding Power, dives into the topic quite a bit.
Chomsky has supported "anti-imperialist" Russia and ignored all warnings by the eastern European people, who dared to walk out on socialism in a freedom movement. Blood on the hands, blood on the quill, blood in the will..
This is an inexcusable ad-hominem argument. This is not how we discuss things on this platform.
That might be true, but it doesn't disprove the fact that this is happening, does it?
Chomsky is right about some things and wrong about other things, like every human is.
When we call people experts, that doesn't mean they are infallible, but they are supposed to be better than average.
Chomsky also believes 2+2=4. Is that also wrong because you don’t like some of his other beliefs? You seem to think so.
His language hierarchy holds up, but that's not how this works. You can not heap personal catastrophic beliefs into a train waggon and by proof of chaining that train, your work is invalidated or valid and valued.
His academic works stand independent of the unsavoury character - similar to Wernher von Braun. But that doesn't remove the fact he supported "any-but-american-imperialism" decorated with racist undertones ("the brown people can not be perpetrator and victims at the same time") and tried to undermine the western value based world order.
"I honestly don't know how people work on things like Pegasus knowing it's being used to target and kill journalists and politicians."
You can make many people do pretty much anything under orders, and even more by rewarding them.
"I was just putting food on the table for my family..."
FYI Milgram is one of the many popular examples of fake science, wiki link has some critical review links
I feel like dunking on personality psychology was Milgram’s big mistake. Live by the sword…
Auschwitz wasn't in Germany.
> I honestly don't know how people work on things like Pegasus knowing it's being used to target and kill journalists and politicians.
Is that all it's being used for? I can easily see situations where its use is saving lives, in which case it would be easy to justify working on.
> I honestly don't know how people work on things like Pegasus knowing it's being used to target and kill journalists and politicians.
Sorry, but it looks like you simply don't know people.
Same as happened in Greece a few years back against the leader of opposition and journalists using Predator.
> Graphite allows the operator to covertly access applications, including encrypted messengers like Signal and WhatsApp
That's pretty obvious. Signal doesn't protect you against full device compromise. Any app can trivially extract your signal conversations
> Any app can trivially extract your signal conversations
There is a security model baked in to the mobile OS that usually does not allow that.
Yes, and it can be subverted when the mobile OS is compromised.
That doesn't lead to
> Any app can trivially extract your signal conversations
In that case, can Signal users take advantage of this to export their own messages?
Yes but one would have to exploit a similar vulnerability as was exploited in this story. Apple would patch it as soon as it became popular because it could be used for an attack like this one.
How does the exploit work, though? The article does some real handwaving around "now the device is yours and now it's not". They don't need to go too deep but isn't anyone reading that far into the article going to be curious?
You're not gonna find technical details in an AP article of all places.
You will find it in CitizenLab's report: https://citizenlab.ca/2025/06/first-forensic-confirmation-of...
There aren’t many technical details there either. They list the servers it connected to and log entry but that’s it.
It mentions a CVE number but the Apple link is generic and no details on the CVE database.
Has this even been fixed by Apple?
We're talking about a state-sponsored actor with a zero-day vuln here.
You would not find info anywhere.
It's no longer a zero day if Apple already patched it.
Just for the sake of being more precise...
On the “vulnerability” it could be considered a zero-day because there was a real exploit against it prior to the exploit being reported by security researchers. It could also be considered not a zero-day because the software vendor is aware of the vulnerability such that no other real exploit of it, regardless of it being patched, will occur on the same day that they learn of it.
It’s kinda moot that it’s been patched. Even if they somehow failed to patch it since the exploit, it is no longer a zero-day vulnerability. But, to your point, knowing that it has been patched is practically (obviously) the same as knowing that the software vendor is aware of the vulnerability.
(Funny enough, they could be aware of it and it still be a zero-day since the definition is how many days have passed since the vendor learned of it prior to it being exploited. Though, it would need to be exploited after they learn about it but before they patch it, which is unlikely.)
I replied to the parent comment with the info I found:
https://news.ycombinator.com/item?id=44274249
TL;DR: yes, this was resolved in iOS 18.3.1
I don't have a full answer for you, but I found some more info in the CitizenLab report [^1] about the incidents.
(Small aside, but CitizenLab is excellent and such a valuable resource)
CitizenLab states the zero-click iMessage attack — CVE-2025-43200 - used as one of the vectors was fixed by Apple in iOS 18.3.1.
Apple has an "About the security content of iOS 18.3.1 and iPadOS 18.3.1" [^2] page, and it contains the following:
---
Messages
Available for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later
Impact: A logic issue existed when processing a maliciously crafted photo or video shared via an iCloud Link. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals.
Description: This issue was addressed with improved checks.
CVE-2025-43200: Apple
---
[^1]: https://citizenlab.ca/2025/06/first-forensic-confirmation-of...
waay down, near the end of the article: "Paragon referred questions to a statement it gave to Israeli newspaper Haaretz, in which the company said that it stopped providing spyware to Italy after the government declined its offer to help investigate Cancellato’s case."
Stuff like this will just keep happening unless a major jurisdiction goes after these digital mercenaries. The fact that we ignore all laws for no reason other than "our agencies really like spying on people" is laughable. Literally crime as a service, sanctioned by most governments. Should not be surprising that such criminal organizations use their tools to spy on people who don't deserve it.
Ignore all laws?? EU has officially recognized the utility of these criminal agencies. Of course under the all-time-classic umbrella of "legitimate use for law enforcement" which in common means "go ahead and use it freely, if you get caught we'll give you a slap on the wrist"
There is a higher chance that vendors take OS development more seriously when it comes to security...
This is my irritating reminder that there is a whole marketplace of implant/CNE products, most of which you have never heard of, produced in basically every jurisdiction in the world.
It used to be NSO Group that got all the press, now it's Paragon, and I think it's all for the good that the spotlight gets shone on these companies, but do keep in mind that this is not an "Israeli" phenomenon. There are American companies selling tooling that is more effective than "Graphite"; they're just more careful about publicity. Wherever it is you live that you feel is morally superior to America and Israel on commercialized CNE, you're likely to end up surprised.
The issue isn't the mere existence of spyware companies globally. The issue is that Israeli companies in particular have cornered the market on selling to the world's worst human rights abusers, with catastrophic consequences.
Let's be specific: NSO Group sold Pegasus to Saudi Arabia, who used it to track Jamal Khashoggi's inner circle before his assassination. They sold to Mexico, where it was used to target journalists' families within days of their murders. To Rwanda, to hunt dissidents abroad after imprisoning their family. The list goes on.
This isn't cherry-picking. When Citizen Lab analyzes global spyware operations, Israeli companies dominate: NSO, Candiru, Paragon, QuaDream, and arguably Cytrox (Macedonian, but Israeli leadership and investors). The common thread? Former Unit 8200 personnel, who've turned state cyber-warfare capabilities into a business model explicitly built on selling to authoritarians.
Your "but everyone does it" framing fundamentally misrepresents the issue. Yes, other countries have surveillance companies. But there's a massive difference between developing capabilities and systematically selling them to regimes that murder journalists. When was the last time a German or French company's tools were found on a murdered journalist's or imprisoned political dissident's phone?
The data shows Israeli companies don't just happen to have "bad PR" (or uniquely terrible luck in choosing their clients) - they actively court authoritarian clients because that's where the money is if you have no morals.
For some context: Israel has a population of less than 10 Million - less than 0.1% of the world's population. If you have a persuasive argument for why Israeli spyware is routinely found by organizations like Citizen Lab, why their products seem so uniquely popular and successful with fascists and authoritarians, I'd love to hear it. Because from where I'm standing, the clear and obvious explanation is that there is a deep, systemic issue in the Israeli private intelligence and cybersecurity sector that is entirely unconcerned with how their tools will be used, or by whom, as long as the money's right. All enabled by the Israeli authorities, who need to approve of these exports.
You're right that spyware companies exist elsewhere. But when researchers keep finding the same tiny country's products in the phones of murdered journalists and jailed activists, dismissing scrutiny as bias is itself a bias. The question isn't why Israeli companies get attention - it's why they keep selling to regimes that use their tools to crush dissent, and worse.
It's not the only market they've cornered.
If you are paying for a VPN, the odds are good that it's owned by Kape Technologies, another Israeli company staffed by former Unit 8200 personnel. PIA and a bunch of others are now under their purview.
They'll say they don't keep logs, but only an idiot would trust that.
Cellebrite also does questionable shit with phone forensics; newer products upload phone images to "the cloud." Supposedly it is instanced and law enforcement is just supposed to trust that yet another function the Justice Department outsources to Israel isn't backdoored by them, like Inslaw/PROMIS.
I wonder how they find extremely talented exploit developers. The exploits they produce probably take years to develop at minimum.
Short and sweet: Unit 8200.
Unit 8200 is Israel's elite military intelligence cyber unit - think NSA but with mandatory military service. Israelis serve in their late teens/early twenties, the most tech-savvy and promising recruits land in Unit 8200 where they develop world-class offensive cyber capabilities on the state's dime.
When they finish their service, they take those skills directly to companies like NSO, Candiru and Paragon. It's not a secret - these companies are often funded, and actively recruit Unit 8200 alumni. The talent isn't necessarily found, it's manufactured by the state and then handed off to the private sector.
That's why Israeli spyware is so effective. Arguably, it's not commercial R&D - it's military grade capabilities with a profit motive and little, if any, ethics oversight.
Just about every single Israeli citizen is required to complete mandatory military service. In effect this means that both the local baker and the stay-at-home programmer have likely worked for the IDF in some capacity.
Probably mostly the same way everybody finds extremely talented exploit developers? By bidding for them? Why do people think exploit developers are a strategic resource like rare earth metals? They're probably uniformly distributed across the world --- including in developing countries.
[flagged]
And why have I heard about them? I'll give you a hint: It's not because they have a fantastic marketing and PR department. It's because their product kept showing up on the phones of assassinated journalists and imprisoned dissidents.
I looked you up a bit. You clearly know this industry. So when you say there are American companies with "more effective" tools than NSO, I have to assume you're not speaking hypothetically - you're speaking from professional knowledge.
Your response is like a chemical industry veteran hearing about a company that poisoned a river and killed dozens, then saying "you're only mad at ACME Chemicals because you've heard of them."
That leaves two possibilities:
- You know other companies are doing comparable harm and you're remarkably comfortable with it
- You're defending a uniquely destructive company by falsely equating it with legitimate businesses
Either way, you're using your industry credibility to minimize documented atrocities. Given your expertise, that's clearly not ignorance - it's a choice.
Which are you, Thomas? Someone with inside knowledge of comparable human rights abuses who's been sitting on it? Or someone minimizing documented atrocities to defend your industry's reputation?
The spotlight on NSO exists because of the graves they helped fill. Your response tells us exactly where you stand on that.
Have a fantastic day, I hope you pass a mirror or two and can actually stand looking at yourself.
> Wherever it is you live that you feel is morally superior to America and Israel on commercialized CNE
It's not the tech (or lack of it) that makes me feel morally superior. It's the choice to use that tech to defend literal fascists that I would find embarrassing.
Exactly. As somebody with a past in security, I've often thought about the ethics of my actions. Where is the ethics of government?
If you think that sounds naive, I think you get my point. Those in power can not show worse ethics and morals than those they rule, at least not if you want to uphold the illusion of democracy and its values.
It's not a question of illusion. Classical political philosophy makes it clear that leaders must be virtuous to be good leaders, and that the consequences of having leaders without virtue are bad. No system can counteract vice; people, after all, run the system. Probably the most famous example of how the state degenerates as virtue weakens is given in Plato's Republic, but this is seen consistently.
The American founders also emphasized the requirement that, for the American republic to function, it must have a virtuous people. The democratic process means that citizens now participate in the political process and thus shoulder some of the responsibility for how well a country is governed. The virtue of citizens becomes even more important.
How come each time researchers find a new spyware, it's always an Israeli shop behind it? Maybe because Israel has developed an ecosystem and an industry around spying. I think it's evil to try to deflect the blame from Israel given the fact it's currently committing genocide in Palestine.
Based on what you're saying, I think I know more about this market than you do. I'm comfortable with who does and does not take me seriously. For those people who do: this "Israel" stuff is not useful for understanding what's happening in the world with respect to CNE tools.
A long time ago, I went to my first (and only) Defcon conference. There was a speaker who had worked in the US government talking about state use of hacking tools.
After the talk I went up to him and asked, "What are the countries that are using these tools?" He looked at me with a certain amount of scorn and said, "All of them."
This obviously just has to be true. I have very strong evidence that it's true, but it's also just the most obvious possible conclusion to reach. Competitive CNE tooling even at the top of the market costs just a fraction of what you'd have to pay in benefits and overhead for the equivalent HUMINT operations.
Just out of curiosity - would you describe companies that are commonly in the spotlight as more mercenary than average?
Absolutely not. Some of them are far more ruthless, some of them much more principled.
I've seen you reference these actors previously. Is there a reason you won't name them? Is this an industry code of silence, or fear of retribution?
This isn't the first of these takes regarding Israel by that poster, where they present themselves as 'not supportive of Israel, just presenting a balanced perspective' (while wildly distorting reality).
Since tptacek likes to present themselves as an authority on this kind of stuff, and does indeed have a reputation here, I feel it's important to point out that this isn't the first time they've carried water for Israel like this.
Examples: Calling Israel's exploding pagers war crime "surgical" [0] - which it absolutely was not, or, saying that Hamas should've taken the ceasefire deal they were offered [1] (rightly called out in the replies).
It's absurd to try and claim that Israel is 'no better or worse' than other nations in the 'spying on journalists phones' department. Especially when you look at why.
This is one of the many pitfalls of sharing a collective identity, whether in politics, technology, or even outright jingoist nationalism. You see it on HN all the time; people respond to the tone of a piece rather than what the actual contents are. It's pretty obvious when someone posts a message imbued with that insecurity; it's always about "the other side" and trying to create relative morality. Hasbara, in the Hebrew vernacular. Or "mansplaining" if you're a jaded progressive.
American surveillance is a pretty good example. "Lawful" intercept, geofence tracking, dragnet collection, commercial de-anonymization, America leads the way in a deeply unethical field. Yet, criticize Palantir et al. and people will find ways to argue it's necessary. Usually they create a boogeyman; "we're the good guys because we fight human traffickers and thieves" type of stuff. You don't have to look very closely at the marketing materials for these companies, they're very clear about using it on the "bad guys" to assuage the average insecurity. It's like the dog-and-pony we always see when iOS vs Android security is brought up; "it's not about my phone, it's the relative security of theirs!" When in reality, neither company is ethical or sells a secure product. They're excuses not to think, instead of logical arguments against the claim.
This isn't even a politics issue, either. These comments are a mirror reflection of one's character and their internal (often irrational) justification for an illogical stance. Often these comments aren't even rooted in a form of rhetoric, they just want to deflect the blow a little bit to cover their own ass emotionally. In the tech industry, I've noticed this happen a lot when people are embarrassed by their own work being discovered "in the wild" by peers.
There is a reason I won't name them --- the ones I know about, a fraction of the total market --- it's not interesting, and I'm not going to get into it.
I'm interested, and I'm sure I'm not alone. This isn't easily researched information, and it would be nice to have a list of organisations to put on my boycott list. These companies should be named and shamed. They have no positive influence on the world. If they disclosed instead of exploited the vulnerabilities they have knowledge of, they would improve the security of most of the world's population. Instead, they profit from the insecurity of the population. This is criminal behaviour and should be treated as such.
You'd boycott these companies, that you don't know who they are? It's not much of a boycott to stop doing business with companies you already aren't doing business with.