Data Protection Authority Sounds Alarm Over Unlawful Use of Graphite Spyware
The Italian Data Protection Authority has issued a stern warning regarding the misuse of Graphite spyware, following alarming reports of extensive hacking activities involving the tool. This notification underscores the authority’s commitment to upholding European privacy laws amid rising concerns about the exploitation of commercial spyware within its jurisdiction.
The concerns centre on Graphite, the spyware developed by the Israeli company Paragon Solutions. Complaints alleging that its use breaches established privacy regulations prompted the Italian regulator to act. The warning followed investigations into the tool's alleged involvement in serious violations of privacy rights, with journalists and members of civil society among those reportedly targeted.
Recent investigative reports highlighted that the Graphite spyware was used to infiltrate the WhatsApp accounts of over 90 individuals across more than twenty countries. Notably, the findings indicated that seven of these individuals were Italian citizens, stirring up further scrutiny regarding the implications for both privacy and national security within Italy.
In a clear message, the Italian privacy regulator stated that any interception of electronic communications must be justified by national security or by the prevention, investigation, detection, or prosecution of crime. The regulator emphasized that deviations from these mandates can be penalised under the GDPR with fines of up to 20 million euros or 4% of the offending entity's annual worldwide turnover, whichever is higher.
In response to the reported incidents, WhatsApp confirmed that it disrupted the Graphite-driven hacking attempts in December 2024. Meta, WhatsApp's parent company, is also pursuing legal action against Paragon Solutions and has issued a cease and desist notice citing the serious implications of the software's use.
Paragon Solutions, co-founded by former Israeli Prime Minister Ehud Barak, recently attracted attention after its acquisition by the American private equity firm AE Industrial for a reported $900 million. Graphite is described as comparable in capability to the NSO Group's controversial Pegasus software, and concerns about its functionality remain high, particularly its reported zero-click capability, which requires no interaction from the target and allows message content to be read on end-to-end encrypted platforms such as WhatsApp, Telegram, and Signal once the device itself is compromised.
Although the company did not comment on the allegations in detail, a spokesperson noted that Paragon serves around 35 government clients. Questions have been raised about whether the Italian government continues to use Paragon's services; Italian officials maintain that the contract has not been terminated. Alfredo Mantovano, undersecretary to the Presidency of the Council of Ministers, denied reports to the contrary and insisted that the contract remains in place.
In terms of adversary tactics, the incident maps onto the MITRE ATT&CK framework in a way that differs from a conventional phishing campaign: the zero-click delivery reported for Graphite means initial access is gained by exploiting a vulnerability in the messaging client rather than through social engineering of the victim, after which the implant escalates privileges on the device and collects message content before it is encrypted for transmission or after it is decrypted for display. The operation illustrates both the sophistication of modern cyber-espionage tooling and the urgent need for robust legal and technical data protection measures.