Israeli firm helped governments hack activists, journalists and politicians

MEE Staff

Middle East Eye  /  July 15, 2021

Spyware was installed via fake advocacy group websites, including those masquerading as Amnesty and Black Lives Matter, researchers found.

An Israeli spyware firm sold tools to a variety of governments to spy on politicians, dissidents, human rights activists, embassy workers and journalists, according to a Microsoft report.

Researchers from the Citizen Lab at the University of Toronto, who worked with Microsoft, issued a report on Thursday about the potential targets of Candiru, a Tel Aviv-based firm selling “untraceable” spyware. 

According to the report, the technology enabled clients to hack into Microsoft Windows, infecting and monitoring computers and phones.

In some cases, the spyware was initiated via fake advocacy group websites. Using internet scanning, Citizen Lab said it identified more than 750 sites linked to Candiru’s spyware infrastructure. 

“We found many domains masquerading as advocacy organizations such as Amnesty International, the Black Lives Matter movement, as well as media companies, and other civil-society themed entities,” the group said. 

Bill Marczak, a co-author of the report, told The Guardian that targeted activists may click on links that appear to be from trusted sources. “But this website, which was specially registered for the purpose of exploiting their computer, would run code in the background that would silently hijack control of their computer,” he said.

That code would then grant “persistent access to essentially everything on the computer”, he said, potentially allowing governments to steal passwords and documents or turn on a microphone to spy on a victim’s surroundings.

“The user wouldn’t recognize anything was amiss,” said Marczak. 

Victims around the world

Reportedly, Candiru’s spyware can infect and monitor iPhones, Android devices, Macs, PCs, and cloud accounts.

The report's technical analysis details how Candiru's hacking tool was sold to numerous unnamed customers around the globe, who then used it to target various organisations, including a Saudi dissident group and a left-leaning Indonesian news outlet.

Middle East Eye was unable to reach Candiru for comment. 

As part of their investigation, Microsoft observed at least 100 victims in the occupied Palestinian territories, Israel, Iran, Lebanon, Yemen, Spain, United Kingdom, Turkey, Armenia, and Singapore.

“Candiru’s growing presence, and the use of its surveillance technology against global civil society, is a potent reminder that the mercenary spyware industry contains many players and is prone to widespread abuse,” Citizen Lab said in its report.

According to a lawsuit brought by a former employee, Candiru had sales of "nearly $30 million" within two years of its founding.

The firm’s reported clients are located in “Europe, the former Soviet Union, the Persian Gulf, Asia and Latin America”, Citizen Lab reported, noting that Saudi Arabia, the United Arab Emirates and Qatar were also “likely Candiru customers”. 

Several Israeli companies – many of whose founders and employees hail from the intelligence and defence industries – have developed technologies to hack and spy on mobile phones.

In June, Quadream, another Tel Aviv-based company, was accused of selling a programme named Reign to Saudi authorities, which similarly has the ability to hack phones, extract their data and turn them into tracking devices. 

Reign, however, has the capacity to break into phones using zero-click technology, meaning a user does not have to click on a malicious link to be infected. Pegasus spyware, developed by Israel’s largest surveillance company NSO Group, also uses zero-click technology and has been sold to Saudi Arabia, among others. 

Microsoft patches the flaws

Microsoft said it had discovered flaws that were being actively exploited and fixed them on Tuesday through a software update, but the company did not directly attribute the exploits to Candiru. Instead it referred to the culprit as an "Israel-based private sector offensive actor" under the codename Sourgum.

“Sourgum generally sells cyberweapons that enable its customers, often government agencies around the world, to hack into their targets’ computers, phones, network infrastructure, and internet-connected devices,” Microsoft wrote in a blog post. “These agencies then choose who to target and run the actual operations themselves.”

Candiru’s tools also exploited weaknesses in other popular software products, such as Google’s Chrome browser.

On Wednesday, Google's Threat Analysis Group (TAG) published a report detailing nine websites that it determined were used to exploit software flaws, eight of which pointed to IP addresses matching the Candiru fingerprint that Citizen Lab had identified, Thursday's report said.

Google also did not refer to Candiru by name, but described it as a “commercial surveillance company”. 

Cyber arms dealers like Candiru often chain multiple software vulnerabilities together to create effective exploits that can reliably break into computers remotely without a target’s knowledge, computer security experts say.

Those types of covert systems cost millions of dollars and are often sold on a subscription basis, making it necessary for customers to repeatedly pay a provider for continued access, people familiar with the cyber arms industry told Reuters.

“No longer do groups need to have the technical expertise, now they just need resources,” Google wrote in its Wednesday statement.