An Austrian firm that Microsoft said created malware that was detected on the computer systems of some of its customers in at least three countries said its “Subzero” spying tool is intended for official use only in EU states.
Microsoft said the firm, DSIRF, deployed spyware — capable of accessing confidential information such as passwords or login credentials — at an unspecified number of banks, law firms and unidentified strategic consultancies.
“Subzero is a software of the Austrian DSIRF GesmbH, which was developed exclusively for official use in EU states. It is neither offered, sold nor made available for commercial use,” DSIRF said in an emailed statement.
“Given the facts described by Microsoft, DSIRF strongly rejects the impression that it misused the Subzero software,” it added.
Austria’s interior ministry told local news agency APA that it was investigating Microsoft’s claims.
Spyware tools have come under increased scrutiny in Europe and the United States after Pegasus, the spyware program developed by Israel’s NSO, was discovered to have been used by governments to spy on journalists and dissidents.
DSIRF said it had commissioned an independent expert to investigate the issues raised by Microsoft and had contacted the US tech giant for “collaboration on this matter”.
In Thursday’s blog post, Microsoft said DSIRF had developed four so-called “zero-day exploits,” serious software flaws of great value to both hackers and spies because they work even when software is updated.
DSIRF listed a handful of previous, commercial customers as references in an internal presentation promoting Subzero that was published by German news site Netzpolitik last year.
Two of the companies named in that presentation, SIGNA Retail and Dentons, told Reuters they did not use the spyware and did not consent to being a company reference.