Candiru: Israeli spyware, blacklisted by US, ‘suspected’ in attack on Middle East Eye

MEE Staff

Middle East Eye  /  November 16, 2021

Software ‘strongly suspected’ to have been used to infiltrate websites across the Middle East.

Spyware described as having “strong links” to an Israeli company blacklisted by the US earlier this month has been used to target Middle East Eye and other websites in the region.

The “watering hole” attack, discovered by online security firm ESET, targeted MEE’s website during two days in April 2020.

The attack had “strong links” to Candiru, a highly-secretive Israeli firm that only sells its spyware to governments, ESET said in a statement.

ESET reported that the attacks on MEE and others used techniques similar to those used by Candiru and reported on by Citizen Lab in July, and that the activity stopped shortly after Citizen Lab, Google, and Microsoft publicised the use of Candiru elsewhere.

Such an attack “compromises websites that are likely to be visited by targets of interest,” said the researchers at ESET. “The compromised websites are only used as a jumping-off point to reach the final targets.”

Twenty other websites were targeted by the campaign, which came in two waves: from April to July 2020 and from January to August 2021.

ESET said that the targets had “links to the Middle East and a strong focus on Yemen and the surrounding conflict”.

They included several government websites, including the government, finance and interior ministries and parliament in Yemen; the foreign ministry in Iran; Syria’s ministry of electricity; internet service providers in Yemen and Syria; media sites linked to Hezbollah and the Houthis; and a website run by Saudi dissidents.

Several aerospace companies in South Africa and Italy, which have traded with the Middle East and have experienced financial difficulties, were also targeted.

David Hearst, editor-in-chief of Middle East Eye, said: “Middle East Eye is no stranger to such attempts to take our website down by state and non-state actors. Substantial sums of money have been spent trying to take us out. They have not stopped us reporting what is going on in all corners of the region and it will not stop us in future. They will not stop us reaching a global audience.”

In a statement, MEE said it is exploring possible legal action that could be taken against parties it believed may have played a role in the attack.

“This only further demonstrates the challenges of reporting independently and has serious consequences for the future of press freedom,” MEE said.

“At present we are confident that this has not compromised our ability to continue to focus our efforts on bringing to light original, quality reporting from the region.”

Candiru is currently registered in Tel Aviv under the name Saito Tech. When asked by MEE on Tuesday for a response to the allegations, an employee said that they had no knowledge of the incident, before saying that they did not want to be quoted and that the company did not attack websites.

A Candiru spokesperson told the Forbes website that the company did not carry out attacks for customers and is not permitted to know how clients use its tools or who they target.

“The product of the company is intended to help law enforcement agencies fight terror and crime at a time when all unlawful activities are encrypted, hiding from the law,” the spokesperson told Forbes.

“The company is selling its products to government agencies only… the company and its product don’t hack websites.”

Echoes of Pegasus software

It remains unclear how the spyware took control of the websites, who exactly was targeted, and what the hackers obtained as a result.

ESET said the techniques used during the “highly targeted” campaign showed there was a “significant likelihood” that the perpetrators, who remain unknown, were Candiru customers.

Citizen Lab has previously reported that Saudi Arabia and the UAE are “likely Candiru customers”. The firm also “has become closer to Qatar” recently, according to an August 2020 report from Intelligence Online.

In July, Citizen Lab reported that Candiru spyware, along with Pegasus software produced by the Israeli NSO Group, has been used by governments, including Morocco, Saudi Arabia, and the United Arab Emirates, to illegally access the phone data of activists and journalists worldwide.

The spyware was used to weaponize vulnerabilities in Google and Microsoft products which allowed government clients to hack more than 100 activists, journalists, politicians, dissidents and embassy workers.

A mobile phone belonging to Ragip Soylu, MEE’s Turkey bureau chief, was among those hacked using spyware produced by the NSO Group.

Hearst said: “Once again this episode belies attempts by producers of this software to distance themselves from their client users. It underscores the need to identify and sanction the companies who produce software of this nature, because their products are potentially a threat to every internet user, irrespective of geography, nationality or belief.”

Candiru: Secret company

Since its founding in 2014, Candiru – named after a parasitic catfish and one of at least five names the company has had during the past six years – has operated largely out of the public eye.

It does not have a website and employees are reportedly forced to sign nondisclosure agreements. Nor do they list the company on their LinkedIn profiles.

Like its better-known Israeli tech rival NSO Group, Candiru only sells its products to government clients, including systems that can spy on computers, mobile phones and cloud accounts, according to Citizen Lab.

The company is required to obtain an export license from Israel’s Ministry of Defence before selling its systems abroad.

The US government blacklisted both companies earlier this month, saying their activities are contrary to US foreign policy and national security interests.

According to Citizen Lab, Candiru was backed early on by Isaac Zack, an Israeli venture capitalist who in 2013 also established Founders Group, an investment firm, along with NSO Group founders Shalev Hulio and Omri Lavie.

On its website, the Founders Group describes itself as “proactive guerrilla angels, taking companies to the next level”.

In a leaked document, the details of which were published by Haaretz and a Hebrew language sister publication, TheMarker, last year, the company said it was restricted from operating in the US, Israel, Russia, China and Iran.