The US government banned the use of NSO’s Pegasus spyware 18 months ago, but a new report today says that at least one government agency is using very similar malware from a rival company: Paragon Graphite.
Graphite reportedly has the same capabilities as Pegasus, and the US Drug Enforcement Administration (DEA) is said to be using it …
Backstory: The US ban on the use of Pegasus
NSO Group makes spyware called Pegasus, which is sold to government and law enforcement agencies. The company purchases so-called zero-day vulnerabilities (ones that are unknown to Apple) from hackers, and its software is capable of mounting zero-click exploits – where no user interaction is required by the target.
In particular, simply receiving a particular iMessage – without opening it or interacting with it in any way – can allow an iPhone to be compromised, with personal data exposed.
Back in 2021, the US government declared the spyware to be a threat to national security, and banned its use within the country by either public or private organizations.
The Commerce Department’s Bureau of Industry and Security (BIS) has added the Israeli company to the Entity List, which bans the company’s products from being imported, exported or passed from one organization to another within the US.
US government uses Paragon Graphite spyware instead
But a Financial Times report claims that the US government instead uses almost identical spyware: Paragon’s Graphite.
According to four [industry figures], the US Drug Enforcement and Administration Agency is among the top customers for Paragon’s signature product nicknamed Graphite.
The malware surreptitiously pierces the protections of modern smartphones and evades the encryption of messaging apps like Signal or WhatsApp, sometimes harvesting the data from cloud backups – much like Pegasus does.
The DEA did not directly comment, but it has been claimed that the agency bought Graphite for use by law enforcement partners in Mexico to fight drug cartels. A DEA spokesperson said only that it uses “every lawful investigative tool available to pursue the foreign-based cartels and individuals operating around the world responsible for the drug poisoning deaths of 107,735 Americans last year.”
However, the claim that the US bought it for use in Mexico isn’t exactly reassuring.
Congressman Adam Schiff, the chair of the House Intelligence Committee, wrote to the DEA in December asking for more details on the purchase. Mexico is among the worst abusers of NSO’s Pegasus, which it bought nearly a decade ago.
Schiff wrote: “such use [of spyware] could have potential implications for US national security, as well as run contrary to efforts to deter the broad proliferation of powerful surveillance capabilities to autocratic regimes and others who may misuse them.”
Paragon sought US permission for customer list
The FT report paints a very clear picture of Paragon having learned from the NSO ban, and very carefully targeting sales to the US government.
The Israeli company deliberately sought funding from two US-based venture capital firms, Battery Ventures and Red Dot, in order to have American backing. It then hired a US political consultancy to advise it on what it should and shouldn’t do to win government orders.
Paragon hired DC-based WestExec Advisors, the influential advisory group staffed by ex-Obama White House officials including Michele Flournoy, Avril Haines and Antony Blinken. Ex-US ambassador to Israel, Dan Shapiro, was also consulted, people with knowledge of the advisory effort said. Shapiro declined to comment.
Paragon also reportedly asked for US guidance on its target customer list – countries whose use of Graphite wouldn’t upset the White House. FT sources said that 35 countries were approved, mostly in Europe and Asia.
One of the greatest concerns about Pegasus was the role it played in human rights abuses. It was sold to governments who used it to spy on political opponents, journalists, lawyers, and human rights activists. To that extent, Paragon’s decision to informally consult the US government on which countries should be allowed to buy it places it one notch above NSO.
However, that doesn’t change the fact that Graphite is, like Pegasus, malware designed to break Apple’s security and allow governments to remotely access and control phones belonging to their own citizens. Using Graphite may not be quite as bad as using Pegasus, but it is still unethical and unacceptable. Hopefully Apple’s alerts will work for this spyware too.
We’ve reached out to Apple for comment, and will update with any response.