A private Israeli firm has helped governments hack journalists and human rights advocates


The Washington Post 15 July, 2021 - 10:36am 11 views

An Israeli hacking-for-hire firm has helped government clients spy on more than 100 victims around the world, including politicians, dissidents, human rights activists, embassy workers and journalists, according to a Microsoft report.

Candiru has likely sold spying tools to governments in the Middle East and Asia, according to the cybersecurity research group Citizen Lab, which identified people targeted by Candiru’s malicious software and helped Microsoft compile its report. Those governments then use the spying tools independently.

The report comes amid roiling concern about the proliferation of cyberweapons once limited to a handful of nations that are now becoming far more widespread. In addition to helping authoritarian regimes spy on dissidents and adversaries, that growth has enabled a wave of criminal hacks, including ransomware campaigns that have disrupted U.S. oil supplies and meat production.

The Biden administration has moved aggressively to confront the ransomware epidemic, including threatening Russian President Vladimir Putin with severe consequences if he doesn’t crack down on criminal groups operating on Russian territory. But the United States has been far less aggressive about the proliferation of spyware.

Microsoft is part of a chorus of large tech firms that are increasingly criticizing the spyware industry and calling on governments to regulate their products through export bans and other measures. As part of its investigation, Microsoft patched major bugs that Candiru used to spy on its users.

“A world where private sector companies manufacture and sell cyberweapons is more dangerous for consumers, businesses of all sizes and governments,” Cristin Goodwin, general manager of Microsoft’s Digital Security Unit, said in a blog post.

Citizen Lab researchers identified targets of Candiru’s spyware across the globe, suggesting governments are using the tool to target and silence citizens and critics living outside their borders. The group, which is based at the University of Toronto’s Munk School, found victims in Israel and the Palestinian territories, Iran, Lebanon, Yemen, Spain, the United Kingdom, Turkey, Armenia and Singapore.

“Every time we find one of these companies, it’s only a matter of time before we find abuses associated with them,” John Scott-Railton, a senior researcher at Citizen Lab, said. “We cannot allow authoritarian regimes to export self-censorship around the world, and that’s exactly what companies like Candiru are allowing them to do.”

The full capabilities of Candiru’s spying tools aren’t clear, but they probably allow users to intercept victims’ communications, steal their data, track their location and spy through microphones and cameras, Scott-Railton said. The tools were effective against both Windows and Mac computers, as well as iPhone and Android smartphones.

The researchers also found phony websites masquerading as international media, human rights organizations and other legitimate groups that were used to deliver Candiru spyware. Among them were phony sites that appeared to be affiliated with the Black Lives Matter movement and sites related to gender equality.

Spyware firms have effectively leveled the playing field for countries that wish to spy on dissidents and government critics but lack the technical resources to develop their own spying tools.

Human rights advocates have accused such firms of running roughshod over civil liberties and enabling harassment and oppression of government opponents, though the firms say they only aid legitimate law enforcement and intelligence operations.

Candiru did not respond to emails seeking comment. A phone call to a company number was not answered.

The most significant tech response came in 2019, when WhatsApp sued the most prominent spyware company, another Israeli firm called NSO, in U.S. federal court. The Facebook affiliate claimed NSO acted illegally by helping governments hack hundreds of its customers, including journalists, human rights workers and women who had been targeted with online attacks.

Microsoft filed a brief supporting WhatsApp’s position in that case, which is still working its way through the legal system. An NSO surveillance tool was also implicated in spying on Washington Post contributing writer Jamal Khashoggi before he was killed by people affiliated with Saudi Arabia’s security services in 2018.

Far less is known about Candiru’s activities. The firm has maintained a high level of secrecy, including by changing its official corporate name four times during its six years in operation, according to a Citizen Lab report. The firm is now officially named Saito Tech Ltd., though it is still widely known as Candiru, the report states.

“Candiru has tried to remain in the shadows ever since its founding but there is no space in the shadows for companies that facilitate authoritarianism,” Bill Marczak, a senior fellow at Citizen Lab, said.

Microsoft is referring to Candiru’s activities under the name Sourgum, part of a naming convention it has developed to describe nongovernment hacking groups using the names of trees and shrubs. The company has a separate naming convention for hacking groups linked with national governments based on elements on the periodic table.

Read full article at The Washington Post

Citizen Lab: Spyware by Israel’s Candiru used to target activists

Aljazeera.com 15 July, 2021 - 02:00pm

Using a pair of vulnerabilities in Microsoft Corp.’s Windows, cyber operatives operating in Saudi Arabia, Israel, Hungary, Indonesia and elsewhere purchased and installed remote spying software made by Candiru, according to the researchers. The tool was used in “precision attacks” against targets’ computers, phones, network infrastructure and internet-connected devices,” said Cristin Goodwin, general manager of Microsoft’s Digital Security Unit.

Microsoft was alerted to these attacks by researchers at Citizen Lab, and after weeks of analysis, the company released patches on July 13 for a pair of Windows vulnerabilities believed to be the point of entry for the spyware, according to a Microsoft blog published Thursday. Microsoft doesn’t name Candiru but instead refers to an “Israel-based private sector offensive actor” it calls Sourgum.

Candiru didn’t immediately respond to a message seeking comment. Candiru is the name of an eel-like fish native to the Amazon River region that allegedly enters the urethra of humans before deploying short spines – a story some have dismissed as a myth.

The users of the spyware also hacked politicians and human rights activists, according to the researchers, who declined to name the victims.

The Citizen Lab researchers said the Candiru spyware is part of a thriving private industry selling technology to governments and authoritarian leaders so they can gain access to the communications of private citizens and political opposition. Another Israeli company, NSO Group Ltd., has been accused of providing spyware to repressive governments that have used it to snoop on journalists and activists.

NSO has maintained that it sells its technology exclusively to governments and law enforcement as a tool against terrorism and crime. In a report published on June 30, NSO Group said it refuses to sell spyware to 55 countries and has taken steps to curb misuse by customers.

John Scott-Railton, senior researcher at Citizen Lab, said the Candiru research “shows there’s a whole ecosystem selling to authoritarian regimes.”

“Tools like Candiru are used to export fear,” he added.

Citizen Lab’s findings also offered some fresh insight into the cost of doing business in the spyware industry.

For 16 million euros ($18.9 million), Candiru’s clients can attempt to compromise an unlimited number of devices but are limited to actively tracking only 10 at a time, according to Citizen Lab. For an extra 1.5 million euro ($1.8 million), buyers can monitor an additional 15 victims.

Candiru has clients in Europe, Russia, the Middle East, Asia and Latin America, according to the Israeli newspaper Haaretz. Local news organizations have reported contracts in Uzbekistan, Saudi Arabia, the United Arab Emirates, Singapore and Qatar, according to Citizen Lab’s report.

Candiru’s clients are restricted to operating only in “agreed upon territories,” according to Citizen Lab. The company’s clients sign contracts that limit operations outside the U.S., Russia, China, Israel and Iran, according to the report. But Microsoft said it has recently discovered activity with the spyware in Iran, suggesting the rules aren’t concrete, according to the report.

Amnesty says Pegasus spyware is used by repressive governments to target human rights activists and journalists.

Watchdog suspects Saudi Arabia, the UAE behind the attack on 36 journalists earlier this year.

The technology gives the army the power to listen in on calls, view text messages & emails and track user location.

Microsoft says it blocked spying on rights activists, others

Associated Press 15 July, 2021 - 01:45pm

Microsoft said people targeted in “precision attacks” by the spyware were located in the Palestinian territory, Israel, Iran, Lebanon, Yemen, Spain, the United Kingdom, Turkey, Armenia, and Singapore. Microsoft did not name the targets but described them generally by category.

Citizen Lab said Candiru’s spyware infrastructure included websites “masquerading as advocacy organizations” such as Amnesty International and Black Lives Matter.

The reports by Microsoft and Citizen Lab shine new light on an opaque and lucrative industry of selling sophisticated hacking tools to governments and law enforcement agencies. Critics say such tools are often misused by authoritarian governments against innocent people.

“A world where private sector companies manufacture and sell cyberweapons is more dangerous for consumers, businesses of all sizes and governments,” Microsoft said in a blog post.

Attempts to reach representatives of Candiru were unsuccessful.

Microsoft said the business model for companies such as Candiru is to sell its services to government agencies, which then likely choose the targets and run the operations themselves.

Citizen Lab published parts of what it said were a leaked proposal by Candiru for hacking services that offered a la carte hacking options. For 16 million euros ($18.9 million), the company would allow the customer to monitor 10 devices simultaneously in a single country. For an extra 5.5 million euros ($6.5 million), 25 additional devices could be monitored in five more countries.

Citizen Lab said Candiru’s spyware targets computers, mobile devices and cloud accounts.

Facebook filed a federal civil suit in 2019 allegedly that NSO Group targeted some 1,400 users of Facebook’s encrypted messaging service WhatsApp with highly sophisticated spyware.

Microsoft accuses Israeli group of selling tool to hack into Windows

The Times of Israel 15 July, 2021 - 01:24pm

That’s why we come to work every day - to provide discerning readers like you with must-read coverage of Israel and the Jewish world.

So now we have a request. Unlike other news outlets, we haven’t put up a paywall. But as the journalism we do is costly, we invite readers for whom The Times of Israel has become important to help support our work by joining The Times of Israel Community.

For as little as $6 a month you can help support our quality journalism while enjoying The Times of Israel AD-FREE, as well as accessing exclusive content available only to Times of Israel Community members.

Microsoft says Israeli company is behind malware that affected Windows PCs

CNBC 15 July, 2021 - 12:51pm

Microsoft said it believes an Israeli company was behind malware that was used to attack PCs running its Windows operating system.

The move represents a new step Microsoft is taking to reduce online security incidents. The company has also sought to identify government-backed hackers, such as the Chinese group it calls Hafnium, which it claims was behind attacks on its Exchange Server email software.

Microsoft calls the organization that sold the software Sourgum, although the University of Toronto's Citizen Lab has said the company is Candiru, Cristin Goodwin, general manager of Microsoft's Digital Security Unit, wrote in a blog post.

The company said Sourgum sells products to government agencies, which can then kick off hacks on various devices. The malware, dubbed DevilsTongue, has been used to attack over 100 victims, including activists, politicians, journalists and embassy workers, Goodwin wrote. Rather than go after large companies, attackers have mainly used DevilsTongue to infiltrate consumer accounts, she wrote.

The Citizen Lab and Microsoft found two security vulnerabilities that Candiru had exploited, and Microsoft issued updates to address them on Tuesday, Citizen Lab researchers said in their own blog post.

Windows 10, originally released in 2015, is the world's most popular operating system, and the two patches are available for multiple Windows 10 versions, along with older versions and Windows Server releases.

While Microsoft needs to protect its users from attacks such as those mounted with Candiru malware, the company is also trying to build a meaningful business around security software. On Monday the company announced the acquisition of RiskIQ.

WATCH: These Big Tech investors discuss strategies, their Microsoft positions

Got a confidential news tip? We want to hear from you.

Sign up for free newsletters and get more CNBC delivered to your inbox

Get this delivered to your inbox, and more info about our products and services. 

Data is a real-time snapshot *Data is delayed at least 15 minutes. Global Business and Financial News, Stock Quotes, and Market Data and Analysis.

Microsoft disrupts products from Israeli tech firm used to hack journalists, activists

The Hill 15 July, 2021 - 12:10pm

The Hill 1625 K Street, NW Suite 900 Washington DC 20006 | 202-628-8500 tel | 202-628-8503 fax

The contents of this site are ©2021 Capitol Hill Publishing Corp., a subsidiary of News Communications, Inc.

Israeli spyware firm linked to fake Black Lives Matter and Amnesty websites – report

The Guardian 15 July, 2021 - 10:18am

Researchers from the Citizen Lab at the University of Toronto, who worked with Microsoft, issued a report on Thursday about the potential targets of Candiru, a Tel Aviv-based firm marketing “untraceable” spyware that can infect and monitor computers and phones.

One way the company’s spyware allegedly infects targets is through web domains, and the researchers found that the firm’s software was associated with URLs masquerading as NGOs, women’s rights advocates, activist groups, health organizations and news media. Citizen Lab’s research uncovered websites tied to Candiru with domain names such as “Amnesty Reports”, “Refugee International”, “Woman Studies”, “Euro News” and “CNN 24-7”.

The findings suggest that a secretive and little-known company with a wide global reach could be helping governments hack and monitor people in civil society. The report comes amid growing concerns about surveillance technologies that can aid human rights abuses and law enforcement monitoring and crackdowns on Black Lives Matter and related activist groups.

Microsoft’s threat intelligence center, which tracks security threats and cyberweapons, conducted its own analysis and said it found at least 100 targets of malware linked to Candiru, including politicians, human rights activists, journalists, academics, embassy workers and political dissidents. Microsoft found targets in the UK, Palestine, Israel, Iran, Lebanon, Yemen, Spain, Turkey, Armenia and Singapore, the report said.

Microsoft said in a blogpost on Thursday that it had disabled the “cyberweapons” of Candiru and built protections against the malware, including issuing a Windows software update.

There are no legitimate reasons for intelligence firms or their government customers to create websites that impersonate high-profile activist groups and not-for-profit organizations, said Bill Marczak, a co-author of the report, in an interview.

Activists who are targeted may click on links that appear to be from trusted sources and then be taken to a site with innocuous content or redirected elsewhere, he explained. “But this website, which was specially registered for the purpose of exploiting their computer, would run code in the background that would silently hijack control of their computer,” he said.

The malware could enable “persistent access to essentially everything on the computer” potentially allowing governments to steal passwords and documents or turn on a microphone to spy on a victim’s surroundings.

“The user wouldn’t recognize anything was amiss,” said Marczak, a senior research fellow with the Citizen Lab, which has scrutinized British, German and Italian spyware firms, and previously exposed the activities of NSO Group, another Israeli company that allegedly enabled government hacking of journalists and activists.

The use of spyware can have devastating consequences for activists and dissidents. Ahmed Mansoor, a human rights activist in the the United Arab Emirates, was jailed and faced violence after he was hacked and monitored through spyware purchased by the UAE. He was targeted by sophisticated government phishing attempts, including a 2016 text message with a link on his phone that purported to include information about the torture of detainees in UAE prisons.

There is minimal information publicly available about Candiru, which was founded in 2014 and has undergone several name changes, the report said. It is now believed to be registered as Saito Tech Ltd, but is still known as Candiru. In 2017, the firm had sales worth nearly $30m, serving clients in the Gulf, western Europe and Asia, according to a lawsuit reported in an Israeli newspaper. Candiru may have deals with Uzbekistan, Saudi Arabia and the UAE, Forbes has reported.

Candiru allegedly offers a range of ways for clients to hack targets, including through hyperlinks, physical attacks and a program called “Sherlock”, the report said, citing a leaked project proposal document from the company. It’s unclear what “Sherlock” does. The firm also sells tools for Signal and Twitter, according to the report. The leaked proposal document included an agreement that said the product would not be used in the US, Russia, China, Israel or Iran.

Microsoft, however, reported finding victims in Israel and Iran.

Citizen Lab said it was able to identify a computer that had been hacked by Candiru’s malware, and then used that hard drive to extract a copy of the firm’s Windows spyware. The owner of the computer was a “politically active” individual in western Europe, the report said.

“Candiru’s apparent presence, and the use of its surveillance technology against global civil society, is a potent reminder that the mercenary spyware industry contains many players and is prone to widespread abuse,” the report said. “This case demonstrates, yet again, that in the absence of any international safeguards or strong government export controls, spyware vendors will sell to government clients who will routinely abuse their services.”

The report does not allege specific violations of the law, though it’s difficult to evaluate legality without knowing which nations were involved in the hacking.

The findings about Candiru suggest that there are systematic problems with the spyware industry and how it is regulated, said Marczak. “It’s not just one bad apple,” he said, referencing NSO Group, whose spyware was allegedly used against a New York Times reporter who authored a book on Prince Mohammed and an Amnesty International staff member.

“We desperately need to understand this industry better, because it’s growing much faster than we can track, and it’s larger than we know,” added John Scott-Railton, another Citizen Lab researcher and co-author, noting that governments are also becoming increasingly vulnerable to hacking and spying by other states. “It’s an urgent national security concern, and governments around the world are going to find themselves targeted by this technology, if they haven’t already.”

Candiru representatives did not immediately respond to the Guardian’s requests for comment on Thursday.

Mysterious Israeli Spyware Vendor’s Windows Zero-Days Caught in the Wild

VICE 15 July, 2021 - 10:11am

Citizen Lab, which is housed at the University of Toronto's Munk School, and Microsoft worked together on the research, and published reports detailing their findings on Thursday. The company said it detected hacking attempts on more than 100 victims including "politicians, human rights activists, journalists, academics, embassy workers, and political dissidents" in Palestine, Israel, Iran, Lebanon, Spain, UK, and other countries. Citizen Lab said it was able to identify and reach out to a victim who let its researchers analyze their computer and extract the malware.

“This was someone who was targeted for their political positions and political beliefs, rather than someone who was the target of a terrorism investigation or something like this,” Bill Marczak, one of the researchers at Citizen Lab who worked on the investigations, told Motherboard in a phone call.

Citizen Lab concluded that the malware and the zero-days were developed by Candiru, a mysterious Israel-based spyware vendor that offers “high-end cyber intelligence platform dedicated to infiltrate PC computers, networks, mobile handsets," according to a document seen by Haaretz. Candiru was first outed by the Israeli newspaper in 2019, and has since gotten some attention from cybersecurity companies such as Kaspersky Lab

But, until now, no one had published an analysis of Candiru's malware, nor found someone targeted with its spyware.

“They seem to have successfully flown below the radar for quite some time,” Marczak said. 

These discoveries highlight once more the dangers of a loosely regulated global market for government spyware. In the last ten years, security researchers have uncovered dozens of cases where governments around the world, such as Mexico, Saudi Arabia, the United Arab Emirates, and Ethiopia, have used powerful malware sold by European or Israel based vendors—such as Hacking Team, NSO Group, and FinFisher—to target dissidents, human rights activists, and journalists. 

"A world where private sector companies manufacture and sell cyberweapons is more dangerous for consumers, businesses of all sizes, and governments," Microsoft's general manager for the digital security unit Cristin Goodwin wrote in a blog post. 

Candiru did not immediately respond to a request for comment sent to a series of email addresses that belong to the company.

The first step that allowed Marczak to track Candiru down was to simply search for the word "Candiru" on Censys, a service that scans the internet. That led him to find an encryption certificate that included an "@candirusecurity.com" email address, which led to a domain registered to another company email address and a phone number listed on a global companies' database as belonging to Candiru. 

Then, Marczak and his colleagues developed fingerprints to scan the internet, which led them to find more than 750 domains linked to Candiru, some of them registered with names related to human rights NGOs like Amnesty International, or social movements like Black Lives Matter, according to Citizen Lab's report. While Citizen Lab admits it doesn't have the context around how these domains were used, researchers wrote that "their mere presence as part of Candiru’s infrastructure—in light of widespread harms against civil society associated with the global spyware industry—is highly concerning and an area that merits further investigation."

According to Citizen Lab's analysis, Candiru's Windows spyware can exfiltrate files from the victim's computer, export all messages from Windows' version of Signal, steal cookies and passwords from all major browsers.

Marczak said he and Citizen Lab researchers found Candiru systems operated from the UAE and Saudi Arabia, suggesting these are two of the companies' government customers. 

"I think it drives home the point that it's not just the case that there's maybe the one bad apple of NSO in the Israeli cyber industry," Marczak said, referring to the government's process to approve exports of spyware to other countries. "It's part of a more systemic issue with the regulation of the industry, and specifically with the Israeli Ministry of Defense, if they now have multiple, different spyware companies that are selling to these really dodgy governments."

Microsoft patched the two zero-days on Tuesday. 

"The protections we issued this week will both prevent Sourgum’s tools from working on computers that are already infected," Microsoft wrote in its blog post, using its codename for the malware provider that Citizen Lab identified as Candiru, "and prevent new infections on updated computers and those running Microsoft Defender Antivirus as well as those using Microsoft Defender for Endpoint." 

By signing up to the VICE newsletter you agree to receive electronic communications from VICE that may sometimes include advertisements or sponsored content.

Microsoft says Israeli group sold tools to hack Windows

Reuters 15 July, 2021 - 09:21am

July 15 (Reuters) - An Israeli group sold a tool to hack into Microsoft Windows, Microsoft and technology human rights group Citizen Lab said on Thursday, shedding light on the growing business of finding and selling tools to hack widely used software.

The hacking tool vendor, named Candiru, created and sold a software exploit that can penetrate Windows, one of many intelligence products sold by a secretive industry that finds flaws in common software platforms for their clients, said a report by Citizen Lab.

Technical analysis by security researchers details how Candiru's hacking tool spread around the globe to numerous unnamed customers, where it was then used to target various civil society organizations, including a Saudi dissident group and a left-leaning Indonesian news outlet, the reports by Citizen Lab and Microsoft show.

Attempts to reach Candiru for comment were unsuccesful.

Evidence of the exploit recovered by Microsoft Corp (MSFT.O) suggested it was deployed against users in several countries, including Iran, Lebanon, Spain and the United Kingdom, according to the Citizen Lab report.

"Candiru's growing presence, and the use of its surveillance technology against global civil society, is a potent reminder that the mercenary spyware industry contains many players and is prone to widespread abuse," Citizen Lab said in its report.

Microsoft fixed the discovered flaws on Tuesday through a software update. Microsoft did not directly attribute the exploits to Candiru, instead referring to it as an "Israel-based private sector offensive actor" under the codename Sourgum.

"Sourgum generally sells cyberweapons that enable its customers, often government agencies around the world, to hack into their targets’ computers, phones, network infrastructure, and internet-connected devices," Microsoft wrote in a blog post. "These agencies then choose who to target and run the actual operations themselves."

Candiru's tools also exploited weaknesses in other common software products, like Google's Chrome browser.

On Wednesday, Google (GOOGL.O) released a blog post where it disclosed two Chrome software flaws that Citizen Lab found connected to Candiru. Google also did not refer to Candiru by name, but described it as a "commercial surveillance company." Google patched the two vulnerabilities earlier this year.

Cyber arms dealers like Candiru often chain multiple software vulnerabilities together to create effective exploits that can reliably break into computers remotely without a target's knowledge, computer security experts say.

Those types of covert systems cost millions of dollars and are often sold on a subscription basis, making it necessary for customers to repeatedly pay a provider for continued access, people familiar with the cyber arms industry told Reuters.

"No longer do groups need to have the technical expertise, now they just need resources," Google wrote in its blog post.

Our Standards: The Thomson Reuters Trust Principles.

An Israeli group sold a tool to hack into Microsoft Windows, Microsoft and technology human rights group Citizen Lab said on Thursday, shedding light on the growing business of finding and selling tools to hack widely used software.

The most comprehensive solution to manage all your complex and ever-expanding tax and compliance needs.

The industry leader for online information for tax, accounting and finance professionals.

Information, analytics and exclusive news on financial markets - delivered in an intuitive desktop and mobile interface.

Access to real-time, reference, and non-real time data in the cloud to power your enterprise.

Screen for heightened risk individual and entities globally to help uncover hidden risks in business relationships and human networks.

All quotes delayed a minimum of 15 minutes. See here for a complete list of exchanges and delays.

© 2021 Reuters. All rights reserved

Business Stories

Top Stores