Share this page!

Enter URL or ID to Unroll

You can paste full URL like: https://x.com/threadreaderapp/status/1644127596119195649
or just the ID like: 1644127596119195649

How to get URL link on X (Twitter) App

  1. On the Twitter thread, click on or icon on the bottom
  2. Click again on or Share Via icon
  3. Click on Copy Link to Tweet
  4. Paste it above and click "Unroll Thread"!
  5. More info at Twitter Help
Bill Marczak Profile picture
@billmarczak
Jul 18, 2021 4 tweets 3 min read Read on X
BREAKING: Major new investigation from @FbdnStories into a leaked list of 50,000+ phone numbers that are said to have been looked up by NSO Group's customers, perhaps as a prelude to the customers hacking into the phones washingtonpost.com/investigations…
The leaked number lists show data going back to 2016, and are believed to come from a subset of NSO clients in 10 countries (Azerbaijan, Bahrain, Hungary, India, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, and the UAE).
.@FbdnStories worked with @AmnestyTech to investigate 67 phones on the leaked list, and discovered that 37 showed signs of hacking. We @citizenlab peer-reviewed the forensic methodology, and also examined four of the phones four of the phones: citizenlab.ca/2021/07/amnest…
The forensic analysis mainly involved using the DataUsage.sqlite file to look for Pegasus's distinctive process names (though there were also a couple other bits that @AmnestyTech used). You can read their full methodology here: amnesty.org/en/latest/rese…

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Bill Marczak

Bill Marczak Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @billmarczak

Bill Marczak Profile picture
Jun 13
ICYMI, yesterday we released a report providing a first look at how we found traces of spyware on two journalists' iPhones, traces which we can attribute with high confidence to Paragon's Graphite spyware: citizenlab.ca/2025/06/first-…
Basically, one of the phones sent multiple requests to IP 46.183.184[.]91, an IP that we linked with high confidence to Paragon’s Graphite spyware infrastructure. We made this link because 46.183.184[.]91 matched our Fingerprint P1 (seen here in Censys search syntax) Image
And there’s a clear chain of shared behavior leading from Fingerprint P1 back to other IPs that previously returned pages entitled "Paragon" and a TLS certificate with the terms "Graphite" and "installerserver". Image
Read 7 tweets
Bill Marczak Profile picture
Oct 26, 2023
NEW: Kaspersky releases full details on how they captured the “Triangulation” (suspected US Government) exploits and iPhone spyware targeting their employees. securelist.com/operation-tria…
The way Kaspersky wrote this, it's an interesting case study of defenders working out how to capture a zero-click exploit. I especially like that Kaspersky said what they tried that *didn’t work*, in addition to what did ultimately work. Let’s dive in with a thread!
If you’re a researcher who’s never captured an exploit chain from a threat actor “on the wire” recently, then you might not have run up against several “annoying roadblocks” that face a defender who sets out to complete this task.
Read 23 tweets
Bill Marczak Profile picture
Apr 11, 2023
One neat technical detail we found while analyzing QuaDream's spyware () was the mechanism by which it subverts iCloud's two-factor authentication, presumably as part of a scheme to exfiltrate the user's data directly from iCloud.
iCloud's two-factor authentication appears to use a TOTP (time-based one-time-password) scheme, in which two-factor authentication codes valid for any time are entirely determined by applying a function to (1) the time and, (2) some private information present on the phone.
Rather than stealing (2), the way the spyware appears to defeat this scheme is by injecting code into the phone's heavily obfuscated "adid" process (part of the phone's Anisette framework), and hooking the "gettimeofday" syscall to fool "adid" about the current date and time.
Read 4 tweets
Bill Marczak Profile picture
Apr 11, 2023
Check out our NEW @citizenlab report "Sweet QuaDreams: A First Look at Spyware Vendor QuaDream’s Exploits, Victims, and Customers", in which we uncover traces of a new iOS 14 zero-click deployed against civil society from (at least) Jan through Nov 2021 citizenlab.ca/2023/04/spywar…
The zero-click exploit, which we call ENDOFDAYS, appears to have made use of invisible malformed "Meeting" invitations processed by the iPhone's calendar app. ENDOFDAYS looks to have been deployed as a zero-day against iOS versions 14.4 and 14.4.2, and maybe other versions.
So, who are QuaDream's customers? Based on our Internet scanning and infrastructure analysis, we believe that QuaDream operators are located in AE, BG, CZ, HU, GH, IL, MX, RO, SG, and UZ (unclear if IL is customer or just QuaDream themselves) and potentially other countries too. Image
Read 16 tweets
Bill Marczak Profile picture
Sep 29, 2022
NEW REPORT today from @Reuters @JoelSchectman providing more detail about fatal flaws in the CIA's defunct communications network. Iran and China compromised the network in 2011, and killed dozens of CIA assets reuters.com/investigates/s…
You probably first read reporting about the Iranian and Chinese compromise of the CIA's covert communications network in @JennaMC_Laugh and @zachsdorfman's excellent 2018 Yahoo News story: news.yahoo.com/cias-communica…
The CIA network reportedly consisted of benign looking websites with a hidden communications functionality, used by assets around the world to communicate back and forth with their agency handlers.
Read 14 tweets
Bill Marczak Profile picture
Jan 13, 2022
New @citizenlab report, #ProjectTorogoz, documenting the use of NSO's Pegasus spyware in El Salvador, in collab w/ @AccessNow, w/ assistance from @FrontLineHRD @MohdMaskati, @socialtic, and @fundacionacceso, and w/ peer review from @AmnestyTech citizenlab.ca/2022/01/projec…
We confirmed, through forensic analysis, 35 cases of journalists and civil society members whose phones were successfully hacked with NSO Group's Pegasus spyware from July 2020 through November 2021.
The targets included journalists at @_elfaro_, @GatoEncerradoSV, @prensagrafica, @Disruptiva2, @ElMundoSV, @EDHNoticias, and 2 independent journalists. Also NGOs @fundaciondtj, @cristosal, and another (anonymous) NGO.
Read 18 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us!

Send Email!

:(