Israeli company that sells spyware to governments is linked to fake Black Lives Matter and Amnesty International websites used to hack targets, new report says.
Researchers at the University of Toronto’s Citizen Lab, who worked with Microsoft, released a report on Thursday on the potential targets of Candiru, a Tel Aviv-based company that markets “untraceable” spyware that can infect and monitor computers and phones.
The company’s spyware infects targets through web domains, and researchers found that its software was associated with URLs masquerading as NGOs, women’s rights activists, activist groups, health organizations and the media. Citizen Lab research uncovered Candiru-related websites with domain names such as “Amnesty Reports”, “Refugee International”, “Woman Studies”, “Euro News” and “CNN 24-7”.
The researchers did not identify specific targets of the websites posing as human rights groups, nor did they confirm the involvement of specific government clients. Microsoft said it appeared that Candiru was selling the spyware that enabled hacks, and that governments generally chose who to target and carry out the operations themselves.
The results suggest that a secret and little-known company with broad global reach could help governments hack and monitor members of civil society. The report comes amid growing concerns about surveillance technologies that may help human rights abuses and law enforcement surveillance and crackdown on Black Lives Matter and related activist groups.
Microsoft’s Threat Intelligence Center, which tracks security threats and cyber weapons, conducted its own analysis and said it found at least 100 Candiru-related malware targets, including politicians, human rights activists, journalists, academics, embassy workers and political dissidents. Microsoft has found targets in the UK, Palestine, Israel, Iran, Lebanon, Yemen, Spain, Turkey, Armenia and Singapore, according to the report.
Microsoft said in a blog post Thursday that it had disabled Candiru’s “cyber weapons” and implemented malware protections, including issuing a Windows software update.
There is no legitimate reason for intelligence companies or their government clients to create websites that masquerade as prominent activist groups and nonprofits, said Bill Marczak, co-author of the report, in an interview.
Targeted activists can click on links that appear to come from trusted sources and land on a site that shows harmless content or redirects them elsewhere, he explained. “But this website, specially registered for the purpose of exploiting their computer, would execute code in the background that would silently hijack control of their computer,” he said.
The malware could allow “persistent access to virtually everything on the computer,” potentially allowing governments to steal passwords and documents or activate a microphone to spy on a victim’s environment.
“The user wouldn’t recognize that something was wrong,” said Marczak, senior researcher at Citizen Lab, who has scrutinized UK, German and Italian spyware companies, and previously exposed the activities of NSO Group, another Israeli company that allegedly allowed the government to hack journalists and activists.
The use of spyware can have devastating consequences for activists and dissidents. Ahmed Mansoor, a human rights activist in the United Arab Emirates, has been jailed and abused after being hacked and monitored by spyware purchased by the United Arab Emirates. He has been the target of sophisticated government phishing attempts, including a 2016 text message with a link on his phone believed to contain information about the torture of detainees in UAE prisons.
A “mercenary spyware industry”
There is little publicly available information about Candiru, which was founded in 2014 and has undergone several name changes, according to the report. It is now believed to be registered as Saito Tech Ltd, but is still known as Candiru. In 2017, the company had nearly $30 million in revenue, serving clients in the Gulf, Western Europe and Asia, according to a lawsuit reported in an Israeli newspaper. Candiru may have deals with Uzbekistan, Saudi Arabia and the United Arab Emirates, Forbes reported.
Candiru reportedly offers clients a range of means to hack targets, including through hyperlinks, physical attacks and a program called “Sherlock,” according to the report, citing a leaked project proposal document from the company. It is not known what “Sherlock” does. The company also sells tools for Signal and Twitter, according to the report. The leaked proposal document included an agreement that the product would not be used in the United States, Russia, China, Israel or Iran.
Microsoft, however, reported finding victims in Israel and Iran.
Citizen Lab said it was able to identify a computer that had been hacked by Candiru malware, and then used that hard drive to extract a copy of the company’s Windows spyware. The owner of the computer was a “politically active” individual in Western Europe, according to the report.
The team also identified more than 750 domain names that appeared to be related to Candiru and its customers. In addition to sites masquerading as nonprofits, the researchers found URLs that appeared to masquerade as a left-wing Indonesian publication; a site that publishes indictments from Israeli courts against Palestinian prisoners; a website critical of Saudi Arabia’s Crown Prince Mohammed bin Salman; and a site that appeared to be associated with the World Health Organization.
“The apparent presence of Candiru, and the use of its surveillance technology against global civil society, is a powerful reminder that the mercenary spyware industry contains many players and is subject to widespread abuse,” the report says. “This case demonstrates, once again, that in the absence of international guarantees or strict government export controls, spyware vendors will sell to government customers who routinely abuse their services.”
The report does not allege specific violations of the law, although it is difficult to assess the legality without knowing which nations were involved in the hack.
The results on Candiru suggest that there are systematic issues with the spyware industry and the way it is regulated, Marczak said. “It’s not just a bad apple,” he said, referring to NSO Group, whose spyware was allegedly used against a New York Times reporter who wrote a book about Prince Mohammed and an Amnesty International staff member.
“We desperately need to understand this industry better because it is growing much faster than we can keep up with, and it is bigger than we think,” added John Scott-Railton, another researcher and co-author of the Citizen Lab report, noting that governments are also becoming increasingly vulnerable to hacking and espionage by other states. “This is an urgent national security issue, and governments around the world will find themselves targeted by this technology, if they haven’t already.”
Representatives for Candiru did not immediately respond to requests for comment from the Guardian on Thursday.