An Austrian firm which Microsoft said created malicious software that was detected on the computer systems of some of its clients in at least three countries has said its spying tool “Subzero” was for official use in EU states only.
On Wednesday, Microsoft said the firm, DSIRF, had deployed the spying software, or spyware — capable of accessing confidential information such as passwords or logon credentials — at an unspecified number of unidentified banks, law firms and strategic consultancies.
“Subzero is a software of the Austrian DSIRF GesmbH, which has been developed exclusively for official use in states of the EU. It is neither offered, sold nor made available for commercial use,” DSIRF said in an emailed statement.
“In view of the facts described by Microsoft, DSIRF resolutely rejects the impression that it has misused Subzero software,” it added.
It was not clear which EU member state governments, if any, were using the tool. DSIRF did not respond to requests for further comment.
Austria’s interior ministry told local news agency APA on Friday that it was investigating the Microsoft claims. The ministry did not respond to requests from Reuters for comment.
Spyware tools have come into increased focus in Europe and the United States after Pegasus, spyware developed by Israel’s NSO, was found to have been used by governments to spy on journalists and dissidents.
DSIRF said they had commissioned an independent expert to investigate the issues raised by Microsoft, and had reached out to the U.S. tech giant for “collaboration on the issue”.
Microsoft declined to offer further comment.
In its Thursday blog post, the company said DSIRF had developed four so-called “zero-day exploits”, serious software flaws of great value to both hackers and spies because they work even when software is up to date.
DSIRF listed a handful of previous, commercial, clients as references in an internal presentation promoting Subzero that was published by German news website Netzpolitik last year.
Two of the companies that were named in that presentation, SIGNA Retail and Dentons, told Reuters they had not used the spyware and had not consented to be a reference for the company.
DSIRF did not respond to a request for comment on the matter.