A Look at QuaDream’s Exploits, Victims, and Customers citizenlab.ca

Amy Hogan-Burney of Microsoft:

We are also acutely aware that to have real impact, we must pair our commitment with action. Microsoft has disrupted the operations of Knotweed and Sourgum, two cyber mercenary groups targeting victims around the world. Today, we are taking further action. In partnership with security researchers from The Citizen Lab of the University of Toronto’s Munk School, we have tracked the malware used by an Israeli cyber mercenary we refer to as DEV-0196. The malware has been used to target communities including journalists, NGO workers, and politicians. Microsoft is sharing information about DEV-0196 with our customers, industry partners, and the public to improve collective knowledge of how cyber mercenaries operate and raise awareness about how cyber mercenaries facilitate the targeting and exploitation of civil society. Technical information for customers and the security community is available here.

The iOS spyware package described by Microsoft is similar to NSO Group’s Pegasus, albeit with far less publicity so far. This one is called Reign; it was developed by QuaDream which, like NSO Group, is an Israeli firm with unsavoury customers around the world. The targets are familiar, too — not terrorists or mob bosses, but “journalists, political opposition figures, and a non-government organisation (NGO) worker”.

Researchers at Citizen Lab analyzed the spyware and one capability stood out to me:

Sample 2 appears to have functionality for:


  • Hijacking the phone’s Anisette framework and hooking the gettimeofday syscall to generate iCloud time-based one-time password (TOTP) login codes for arbitrary dates. We suspect that this is used to generate two-factor authentication codes valid for future dates, in order to facilitate persistent exfiltration of the user’s data directly from iCloud

I could not find whether similar spyware from other companies can also do this; unsurprisingly, spyware companies are very secretive. It is a notable inclusion in this list.

Lorenzo Franceschi-Bicchierai, who now writes for TechCrunch:

Apple’s spokesperson Scott Radcliffe said that there’s no evidence showing the exploit discovered by Microsoft and Citizen Lab has been used after March 2021, when the company released an update.

Microsoft suggests enabling the recently introduced Lockdown Mode on your devices if you feel you may be a target.