Report: Israel's Candiru provided spyware used against dissidents, journalists and human rights activists
The report from Citizen Lab and Microsoft claims to have identified websites tied to the cyber-surveillance company masquerading as advocacy groups such as Amnesty and as media companies
Spyware developed by Israeli company Candiru has been used to spy on more than 100 human rights activists, regime opponents, journalists, and scholars from countries such as Iran, Lebanon, Yemen, UK, Turkey, and even Israel, according to a joint study of Microsoft and the University of Toronto’s Citizen Lab published Thursday evening.
This is the first time fingers are being pointed at the cyber-surveillance company, which is considered a competitor of NSO, despite maintaining a low profile over the years. The investigation is expected to provoke international attention that will pull the company out of the relative anonymity in which it has been operating so far. "These companies increase the risk of weapons falling into the wrong hands and endangering human rights," Microsoft said, making clear that it intends to continue to utilize a variety of measures in the fight against spyware and surveillance keys.
Candiru was founded in 2014 by Yaakov Weizmann and Eran Shorer, with its veteran chairperson Itzik Zack also being its largest shareholder. The company makes considerable efforts to keep its operations below the radar, and over the years has changed its name several times. Its most current name is Saito Tech Inc., and previously was also called Taveta, Grindavik Solutions Ltd., and DF Associates but in the industry it is still known by its original name Candiru. Like many Israeli actors in the cyber-surveillance field, it enlists most of its employees from the IDF’s 8200 unit.
Candiru chairman Itzik Zack. Photo: Courtesy
According to a lawsuit filed by a former employee of the company, in Candiru’s first two years its sales reached nearly $30 million, and its customers include countries in Europe, the former Soviet Union, the Persian Gulf, Asia, and Latin America. According to previous reports from information security entities and the media, Candiru’s clientele includes Uzbekistan, Saudi Arabia, the United Arab Emirates, Singapore, and Qatar.
Citizen Lab’s report, co-authored by Bill Marczak, John Scott-Railton, Kristin Berdan, Bahr Abdul-Razzak, and Ron Deibert, maps for the first time the scope and methods of the company's operations, and also goes into how its spyware works. Although Citizen Lab's research focuses on spyware that infiltrated a Windows-based computer, and victims identified thanks to this study used Microsoft’s operating systems, Candiru offers spyware solutions for both iPhone and Android devices, an area in which it competes directly with NSO.
Citizen Lab’s research began with identifying and mapping IP addresses and websites used by the company or its customers. "Using our web crawling methods, we were able to map 764 IP addresses of Candiru’s sites and servers," Dr. Bill Marczak, a senior research fellow at Citizen Lab and a researcher at the University of California at Berkeley who led the current study, told Calcalist. The relations between the sites were determined by mapping and fingerprinting techniques, which identify related sites based on similar and unique characteristics, the researchers concluded. The linking of these sites to Candiru was made possible as a result of a mistake made by the company.
"We were able to connect Candiru’s spyware with our scans. We found an encryption certificate (also known as an SSL certificate, which confirms that the communication between a user and an HTTPS-site is encrypted), which was used on six servers. The certificate included the email address firstname.lastname@example.org. Another address with this extension was used for registering a site called Verification.center. which also had the telephone number +972 54 2552428 in its registration. This number, according to D&B’s data is Candiru’s fax number in Israel. The SSL certificate we found is connected to 764 additional sites, which allowed us to map the company's network of sites. This was likely an operational mistake, they used this certificate accidentally in their spyware servers."
Could it be that someone else, unrelated to Candiru, entered this URL in the encryption certificate? Maybe a competitor who wanted to shift heat from itself on to an opponent?
"It's a possibility, but I tend to think it's unlikely. Mainly because there have been other security companies reporting on Candiru in the past. For example, Kaspersky reported in 2018 or 2019 that it identified a series of loopholes exploited by Candiru. They did not elaborate much but did mention several websites through which loopholes were exploited, and one of these sites appeared in our scans. We started our scanning from Candiru’s certificate and found another site to Kaspersky tied to the company in the past. There are a few more links like those that gives us confidence that this is something tied to Candiru and not a distraction".
The site mapping has spawned some insights into how the spyware works, and who the possible victims were. "We discovered several sites that impersonated sites of human rights organizations or activist organizations,” Marczak said. "For example, a site was named Amnestyreports.com that looks like an attempt to impersonate Amnesty’s website. A site called Refugeeinternational.org, which is deliberately similar to the official website of a refugee assistance organization whose URL is Refugeesinternational.org, with an S in the middle. There were also sites posing as news websites (cnn24-7.online), as technology companies (googlplay.store, apple-updates.online, faceb00k-live.onlive and more), and as international organizations such as the fake website of the UN envoy to Yemen.”
Other sites had academic characteristics in their URLs, such as womanstudies.co, which may indicate that among the targets of the spyware were also scholars and academics. Furthermore, Citizen Lab recognized domains impersonating local news sites or local entities from countries such as Russia, Indonesia, Iran, Turkey, Cyprus, Austria, the Palestinian Authority, and Saudi Arabia. These can be evidence of attempts to locate targets in those places or exiles who have moved to other countries. In addition, the scans revealed information that Candiru customers operate in Saudi Arabia, the United Arab Emirates, Hungary, and Indonesia. "There are probably more, these are just the customers we found," Marczak said.
A major achievement of the study was locating a copy of Candiru’s spyware and analyzing it. "We found a victim's computer that was linked to some of the sites we mapped," Marczak said. "We were able to perform a forensic analysis of the computer and take out a copy of the spyware, which communicated with these sites. We analyzed the spyware and studied how it works."
Among other things, Citizen Lab identified that the spyware remains on the computer even after rebooting or installing software updates. It can detect and copy passwords and cookies from browsers and allows its operator to send messages from people's active accounts on their computers. "If I'm connected to a Facebook, Gmail, or similar account on my computer, then the spyware operator can use my computer to send a message in my name directly from my Gmail or Facebook account to someone else. This is an interesting feature we have not seen in other spyware, the ability to impersonate the target by using their account directly from the infected computer.”
"We also found evidence that it can view signal messages if the victim uses the desktop app services, as well as retrieve files stored on the computer. We did not find any evidence, but according to company documents the spyware can remotely turn on the computer’s microphone and camera. It may be modular spyware, allowing customers to choose which functions to introduce.”
The victim mentioned in the report was a political activist from Western Europe, who asked that his identity not be revealed. "Based on conversations with him, he was the target because of his political views and not because of criminal activity or terrorism," Marczak said.
Citizen Lab shared a copy of the spyware with Microsoft, and an analysis by the technology giant revealed that the spyware exploited two Zero-Day vulnerabilities in Windows (vulnerabilities not previously known to the company), which were already fixed. Microsoft's analysis also identified more than 100 spyware victims around the world, including politicians, human rights activists, journalists, academics, embassy staff, and political dissidents, from Israel, the Palestinian Authority, Iran, Lebanon, Yemen, Spain, Britain, Turkey, Armenia, and Singapore. “The Microsoft Threat Intelligence Center (MSTIC) and Microsoft Security Response Center (MSRC) spent weeks examining the malware, documenting how it works, and building protections that can detect and neutralize it,” wrote General Manager of Microsoft’s Digital Security Unit Cristin Goodwin in a post published by the company. "We named the malware DevilsTongue.”
According to Goodwin, Microsoft’s cooperation with Citizen Lab is part of a broader legal, technological, policy effort that the company is leading to address the danger of companies creating and distributing cyber weapons. "These companies increase the risk that weapons fall into the wrong hands and threaten human rights. That’s why, for example, we filed an amicus brief in a legal case brought by WhatsApp against another PSOA called NSO Group."
The report sharply criticized Israel’s Ministry of Defense, which approves the export of goods Candiru and similar companies export to other countries. "Unfortunately, Israel’s Ministry of Defense— from whom Israeli-based companies like Candiru must receive an export license before selling abroad—has so far proven itself unwilling to subject surveillance companies to the type of rigorous scrutiny that would be required to prevent abuses of the sort we and other organizations have identified,” the report reads. “The export licensing process in that country is almost entirely opaque, lacking even the most basic measures of public accountability or transparency. It is our hope that reports such as this one will help spur policymakers and legislators in Israel and elsewhere to do more to prevent the mounting harms associated with an unregulated spyware marketplace.”
Candiru refused to comment on the report.