Digital Conflicts is a bi-weekly briefing on the intersections of digital culture, AI, cybersecurity, digital rights, data privacy, and tech policy with a European focus.

Brought to you with journalistic integrity by Guerre di Rete, and authored by Carola Frediani and Andrea Signorelli.

N.22 - 27 February 2025

Surveillance, Spyware
Paragon: If No One Knows Anything, Start with the Victims

The most disconcerting aspect of the Paragon affair (if you're unfamiliar with it, read our previous newsletter) is not its potential use by Italy, but the apparent inability of everyone—especially politicians and institutions—to provide even basic information.

Weeks after the news of the attack using this government spyware on the phone of journalist Francesco Cancellato and various activists linked to migrant rescue operations in the Mediterranean, the incident and the spyware have become an elusive, almost ineffable entity (literally, as even institutions are threatening lawsuits, as reported by Fanpage, whose editor-in-chief is the same Cancellato).

We still know little about its technical workings (we are waiting for more detailed information from WhatsApp and Citizen Lab). We do know that Aise and Aisi (our foreign and domestic intelligence services, respectively) have admitted to being Paragon clients and to using it, but not against journalists and activists. Specifically, Aise Director Caravelli confirmed the use of Paragon's Graphite spyware, but not for spying on media or activists, according to Domani newspaper. Similar information, filtered through Copasir (the Parliament body that exercises control over the work of the Italian secret services) and reported by the press, was provided by Aisi Director Valensise.

It's also unclear whether Paragon's contracts with Italy have been terminated, as reported by foreign media, and subsequently denied by the Italian government. As summarized by Pagella Politica: "After the espionage was revealed, the government said it had nothing to do with it. According to The Guardian and Haaretz, Paragon Solutions terminated the contract with Italy because the government 'violated the terms and ethical framework,' but Minister Ciriani denied this account, saying the contract with Paragon Solutions is still in force."

Moreover, the Undersecretary of State to the Presidency of the Council of Ministers Alfredo Mantovano said the matter was "classified," yet the Minister of Justice Carlo Nordio discussed it in Parliament—as reported by Il Post—denying that his ministry's structures had contracts with companies like Paragon and stating that, in 2024, no one had been intercepted by the Penitentiary Police. (If you're wondering why this denial, it's because in this grotesque hunt for who used Paragon in Italy, in this mystery akin to "And Then There Were None," the Penitentiary Police were left holding the bag at one point).

So, What Now? Let's Start with the Spyware Targets

One of the targets is Luca Casarini, founder and mission leader of Mediterranea Saving Humans, an NGO that rescues migrants in the Mediterranean. Like others, he was notified on January 31 by a message from Meta/WhatsApp, informing him that he had been the target of a government hacking attack and advising him to contact Citizen Lab, a group of researchers that tracks government spyware, for phone analysis and support.
"The Meta message already suggested getting rid of the phone. Citizen Lab, which is conducting an initial analysis of the device, also recommended the same, as even a factory reset might not be enough," Casarini told Guerre di Rete.

I asked Valerio 'valerino' Lupi, CTO of Mentat and former developer at Hacking Team and Verint about this. He confirmed that, at least for some sophisticated spyware against Android devices, a factory reset may not be enough. Stefano Zanero, a professor of Computer Security and Digital Forensics and Cybercrime at the Politecnico di Milano, agreed, stating: "The reset is still controlled by the software, so it's not inconceivable that a well-made bootkit could survive."

Casarini also shared that Citizen Lab advised him to immediately put the phone in airplane mode, wrap it in aluminum foil, and leave it in a drawer, likely to prevent interference. "If the phone is infected, the best thing to do is remove the battery, if possible," Lupi added. "Or put it somewhere with no signal until the battery is dead."

Journalistic reports on the spyware's deployment against 90 Whatsapp users mentioned the use of PDFs and group chats to deliver the attack. Casarini doesn't recall a specific chat or PDF but he does remember an earlier incident. In February 2024, he received a Facebook alert that his account had been targeted by a government cyberattack and was advised to contact support. He only changed his password at the time, but recalled the incident when Citizen Lab asked about it. "They saw suspicious activity, an infection attempt that was blocked. Perhaps a preliminary activity for subsequent infections," Casarini commented (there’s also a press release from Mediterranea about the episode). Meta's February 2024 report detailed similar activities, including fake profiles on Facebook.

Ukraine, Satellites, USA
Starlink and the negotiations

U.S. negotiators discussing peace terms with Kyiv, particularly regarding access to Ukraine's mineral and natural resources, have reportedly suggested cutting Ukraine's access to the Starlink satellite internet system if no agreement is reached.

According to Reuters, which cited three sources familiar with the negotiations, the possibility of continuing or discontinuing the use of Starlink, owned by SpaceX and Elon Musk, was raised during discussions between U.S. and Ukrainian officials. This came after President Zelensky rejected an initial proposal from U.S. Treasury Secretary Scott Bessent, and again during meetings between U.S. Special Envoy for Ukraine Keith Kellogg and Zelensky. Zelensky had refused the initial U.S. demands for $500 billion in mineral wealth from Ukraine to repay Washington for wartime aid. Following the news, Musk tweeted that the article was "false" and that "Reuters is lying." Reuters has stood by its report.

SpaceX began providing Starlink terminals to Ukraine shortly after the Russian invasion, to support battlefield communications. Musk, however, has increasingly criticized Ukraine, as noted by the Kyiv Independent. Ukraine was also angered by a Starlink outage in 2022, which was linked to a drone attack on Russia's Black Sea fleet.

In addition, Musk, who heads the Department of Government Efficiency (DOGE), has called for the closure of the U.S. Agency for International Development (USAID), which provides vital humanitarian aid to Ukraine. Over the past four years, USAID has spent up to $500,000 and signed contracts worth up to $1 million for SpaceX's Starlink terminals, deploying them in Zimbabwe and South Africa. In its most significant partnership, USAID worked with SpaceX to send 5,000 Starlink terminals to Ukraine for free, worth about $3 million, after the war began in 2022, according to Forbes. In May 2024, USAID's Office of Inspector General announced an investigation into how Ukraine used the Starlink terminals and how USAID monitored their use.

The status of this investigation is unclear now that much of the agency's activities, if not the agency itself, are being shut down. The whole affair underscores the growing need for states to maintain full control over communications infrastructures.