Reportage
Spyware company cuts ties with Italy after journalists’ and activists’ phones tapped
The Italian government is refusing to provide any further information on the case, saying it will only do so in a classified setting. The most plausible explanation is that the company’s position is that the Italian government lied to it.
Paragon Solutions, the company that created the Graphite spyware used to infect the cell phones of at least 90 individuals, including seven phones with the +39 Italian prefix, has cut all ties with its Italian clients. The victims of spying include the director of the Fanpage news outlet, Francesco Cancellato, the mission chief of the Mediterranea NGO, Luca Casarini, and two other Meditterranea activists. Among the names made public so far is also that of Libyan journalist Husam El Gomati, living in exile in Sweden.
The decision to “terminate its dealings with Italy” was first revealed on Thursday morning by a scoop in The Guardian. A few hours earlier, the Prime Minister’s office had circulated a note denying that “intelligence, and therefore the government” had put journalists under surveillance. The denial is made highly implausible by the fact that Paragon only lends its services to state entities, more specifically “to a select group of global democracies — principally, the United States and its allies,” according to the company's executive chairman, John Fleming. Furthermore, the Israeli newspaper Haaretz reported that Paragon's Italian clients are “two different bodies, a law enforcement agency and an intelligence organization.”
At the end of last week, when the scandal first came to light, Paragon had asked these two clients for more information about their use of the spyware. According to Haaretz’s sources, the decision to cut them off from Graphite came just after the memo from the Italian Prime Minister’s office that also listed 13 other EU countries involved, thus revealing other clients of the company based on information acquired by the National Cybersecurity Agency, activated at the request of Undersecretary of State Alfredo Mantovano.
The Italian government is refusing to provide any further information on the case, saying it will only do so in a classified setting before the Parliamentary Committee for the Security of the Republic (COPASIR), while the opposition is demanding that it report to Parliament. Paragon has not officially stated the reason why it stopped working with its Italian clients. The most plausible explanation is that the company’s position is that the Italian government lied to it. The license conditions include the possibility of “terminating the agreement with the user” in case of abuse or violations.
Among the founders of Paragon are former Israeli premier Ehud Barak, who declined to comment on the scandal, and senior officers of Unit 8200, a division of the Israeli army that specializes in espionage and cyberattacks. On the company's website, a single page with no links, its full name is listed as Paragon Solutions US. Late last year, the company was purchased – still unclear whether in part or in full – by a U.S. private equity firm. This is an advantageous business move to secure access to the U.S. market, after Paragon passed a review of its contract with Joe Biden's White House for reasons of national security.
That is an important issue for Italy as well, where problems have already surfaced in the past over the procurement of digital control systems from Israeli companies. However, the current scandal brings up questions of a different nature. If it’s true that the government gave no instructions to spy on journalists, it would mean that the decision to subject Cancellato to surveillance was made separately, by apparatuses over which the executive has no control. Furthermore, the note from Palazzo Chigi says nothing about the NGO activists who were spied on. Who ordered their phones to be tapped? Theoretically, one cannot rule out an investigation by the judiciary. However, a well-informed source clarified to il manifesto that in such cases, prosecutors don’t outsource spying to foreign companies. They have their own tools available. For instance, the classic ones used against Mediterranea in the Maersk case: recordings of phone calls and then the seizure of phones to access chats.
“Using Graphite for investigations would be like using a rocket launcher to hit a minnow,” the source tells us. The system used by the spyware is extremely complex. A number of technical investigations are still ongoing, but it is certain that the software is able to record all the operations performed by the infected device and also access connected cloud-based services to retrieve information that is not physically present on the phone. A WhatsApp chat to which the unsuspecting users were added appears to have been used to infect them. Through sending a specially crafted PDF file, it is possible to start spying on a device without the file ever being opened or downloaded. Furthermore, the technology employed by the spyware is able to conceal all these operations.
The affair came to light only because Meta, the owner of the messaging app, contacted the people spied on. “Most likely after the Pegasus scandal, a spyware used against 1,400 WhatsApp users, the company implemented a control and verification mechanism to prevent the exploitation of its software by third parties. Especially in order to stop real scams. Graphite may have been caught up in this net as well,” explains forensic computer scientist Paolo Reale.
“Certain EU states are clients of these invasive and rights-violating technologies, which are abused with impunity, and no action is being taken by the authorities to hold the companies that produce them accountable. There is a lack of political will to intervene on the part of the institutions,” says Rand Hammoud, surveillance campaign manager at Access Now.
“If you put secret hacking technology in the hands of a government that thinks it will go undetected, abuse is not a matter of ‘if,’ but ‘when.’ Even in a democracy. So far, only the tip of the iceberg has been revealed,” says John Scott Railton, an expert at The Citizen Lab research center that is conducting an independent analysis of the surveilled cell phones.
Meanwhile, Casarini announced he had filed a criminal complaint before the prosecutors to “bring to light those responsible.”
Originally published at https://ilmanifesto.it/lo-spyware-usato-solo-dai-governi-il-bluff-di-palazzo-chigi on 2025-02-07