In a detailed investigation published by Google’s Threat Analysis Group, a team dedicated to examining state-sponsored cyber activities, it was revealed that government operatives exploited previously unidentified vulnerabilities in Apple’s iPhone operating system. These exploits were used to distribute spyware created by Variston, a European-based startup, demonstrating a growing trend in the use of sophisticated cyber surveillance tools by nation-states.
Google’s report sheds light on various government-led cyber campaigns utilizing technologies developed by spyware and exploit merchants, including the Barcelona-headquartered company, Variston. This particular campaign involved the exploitation of three “zero-day” vulnerabilities in iPhones—flaws unknown to Apple at the time of their exploitation. The spyware in question, developed by Variston, has been subject to Google’s scrutiny twice before, in 2022 and 2023, indicating the company’s increasing prominence in the surveillance technology sector.
The report highlights a specific instance where Indonesian iPhone users were targeted in March 2023 through SMS messages containing malicious links. These links not only delivered spyware to the devices but also redirected victims to a legitimate news article, further concealing the cyber attack’s footprint. Google, however, refrained from identifying the government behind this operation.
Despite repeated inquiries, Apple has remained silent on the matter, neither confirming nor denying awareness of the said hacking campaign. Meanwhile, Variston has experienced a notable decline in its workforce over the past year, as reported by former employees speaking under the condition of anonymity due to non-disclosure agreements.
The scope of Variston’s operations and its clientele remains largely undisclosed. Google’s investigation suggests that Variston collaborates with various organizations, including Protected AE—a cybersecurity firm based in the United Arab Emirates, to develop and market its spyware solutions. Protected AE, known officially as Protect Electronic Systems, is described as a pioneer in cybersecurity and forensic services, founded in 2016 and based in Abu Dhabi.
Variston’s origins trace back to 2018 in Barcelona, established by Ralf Wegener and Ramanan Jayaraman. The company expanded its capabilities through the acquisition of Italian zero-day research firm Truel IT, positioning itself alongside other notable European spyware developers.
Google’s report brings attention not only to Variston but to the broader landscape of commercial surveillance vendors (CSVs), which includes around 40 companies worldwide. These entities supply government clients with tools for espionage and surveillance, often targeting journalists, activists, and political figures. Despite the purported lawful applications of these technologies in law enforcement and counterterrorism, their misuse raises significant concerns regarding privacy, freedom of speech, and democratic integrity.
Google’s commitment to disrupting these harmful cyber activities underscores the critical need for vigilance and regulatory oversight in the global digital ecosystem, aiming to protect individuals from unwarranted surveillance and uphold the principles of a free and secure internet.
Someone’s gotta say something