Full Report
Citizen Lab says it found ‘digital fingerprints’ of military-grade spyware that Italy has admitted using against activists. The hacking mystery roiling the Italian prime minister Giorgia Meloni’s rightwing government is deepening after researchers said they found new evidence that two more journalists were targeted using the same military-grade spyware that Italy has admitted to using against activists. A parliamentary committee overseeing intelligence confirmed earlier this month that Italy used mercenary spyware made by Israel-based Paragon Solutions against two Italian activists.
Analysis Summary
# Incident Report: Targeting of European Journalists with Paragon Solutions Spyware
## Executive Summary
This incident involves the targeted surveillance of European journalists and pro-immigrant human rights activists using spyware developed by Paragon Solutions. The motivation appears to be related to monitoring activities concerning "irregular immigration." While specific dates of compromise are not detailed, the reporting highlights the use of sophisticated spyware against sensitive journalistic and advocacy targets, raising severe concerns about press freedom and state-sponsored surveillance.
## Incident Details
- **Discovery Date:** Not explicitly stated; the targeting was uncovered by researchers.
- **Incident Date:** Ongoing attack likely spanning a period leading up to the report date (June 2025).
- **Affected Organization:** Multiple unnamed European journalists and human rights activists (including Luca Cassarini and Giuseppe Caccia).
- **Sector:** Media/Journalism, Non-Governmental Organizations (NGOs).
- **Geography:** Europe (implied, with mention of Italian activists).
## Timeline of Events
*Note: Specific dates are unavailable based on the provided text.*
### Initial Access
- **Vector:** Unspecified, but involves the deployment of Paragon Solutions spyware onto targets' devices.
- **Details:** The targets were spied upon due to their connection to “irregular immigration.”
### Lateral Movement
- **Details:** Not mentioned in the source material; the focus is on endpoint compromise and surveillance capability.
### Data Exfiltration/Impact
- **Details:** The primary impact is surveillance and monitoring of the targets' communications and activities, enabled by the deployed spyware.
### Detection & Response
- **How it was discovered:** The targeting and use of the spyware were uncovered by security researchers.
- **Response actions taken:** Not detailed; the response appears centered on the research and public disclosure of the findings.
## Attack Methodology
- **Initial Access:** Custom/commercial spyware deployment (Paragon Solutions spyware).
- **Persistence:** Assumed necessary for long-term espionage, though details are missing.
- **Privilege Escalation:** Not detailed, but required for full functionality of sophisticated spyware.
- **Defense Evasion:** Implied through the nature of advanced commercial spyware designed to operate stealthily.
- **Credential Access:** Likely included, given the objective of monitoring journalists.
- **Discovery:** Reconnaissance would have been necessary to identify high-value journalist and activist targets.
- **Lateral Movement:** Not specified.
- **Collection:** Gathering of sensitive information pertinent to the targets' investigations (e.g., concerning irregular immigration).
- **Exfiltration:** Data gathered from compromised endpoints would be exfiltrated to the operator(s).
- **Impact:** Extensive monitoring of a kind that state actors/prosecutors are normally permitted to use only in limited circumstances (e.g., terrorism or organized-crime investigations), here potentially applied for political reasons under the guise of other investigations.
## Impact Assessment
- **Financial:** Not estimated.
- **Data Breach:** Sensitive communications and data related to journalistic investigations and human rights activism regarding irregular immigration.
- **Operational:** Potential chilling effect on press freedom and the ability of activists to operate without surveillance.
- **Reputational:** Damage to the victims' security and trust, and scrutiny towards the entity deploying the spyware.
## Indicators of Compromise
- **Network indicators:** None provided in the source material.
- **File indicators:** None provided; the source refers only to "Paragon Solutions spyware" without naming samples or hashes.
- **Behavioral indicators:** Covert surveillance of journalists and activists focused on immigration issues.
## Response Actions
- **Containment measures:** Not specified.
- **Eradication steps:** Not specified.
- **Recovery actions:** Not specified.
## Lessons Learned
- **Key takeaways:** Sophisticated, commercially available spyware is actively being leveraged against journalists and activists, often under the justification of combating serious organized crime or terrorism.
- **What could have been done better:** Improved awareness and defense mechanisms within media organizations against targeted spyware deployment, particularly concerning spear-phishing or zero-click exploits.
## Recommendations
- Implement enhanced endpoint detection and response (EDR) solutions across journalist and activist communication devices.
- Conduct regular security awareness training focused specifically on recognizing sophisticated social engineering or spyware delivery mechanisms.
- Vet and audit third-party software vendors (such as Paragon Solutions) whose products are known to be adopted by potentially hostile state or government entities.
- Establish secure communication channels impervious to known commercial spyware capabilities.