Skip to main content

Candiru: Israeli spyware, blacklisted by US, ‘suspected’ in attack on Middle East Eye

Software ‘strongly suspected’ to have been used to infiltrate websites across the Middle East

Editor's note: This piece was updated on 26 November to include comment from Candiru.

Spyware described as having “strong links” to an Israeli company blacklisted by the US earlier this month has been used to target Middle East Eye and other websites in the region.

The “watering hole” attack, discovered by online security firm ESET, targeted MEE’s website during two days in April 2020.

The attack had “strong links” to Candiru, a highly-secretive Israeli firm that only sells its spyware to governments, ESET said in a statement.

Stay informed with MEE's newsletters

Sign up to get the latest alerts, insights and analysis, starting with Turkey Unpacked


'Middle East Eye is no stranger to such attempts to take our website down by state and non-state actors'

- David Hearst, editor-in-chief, Middle East Eye

ESET reported that the attacks on MEE and others used similar techniques to those used by Candiru and reported on by Citizen Lab in July; and that the activity stopped shortly after Citizen Lab, Google, and Microsoft publicised the use of Candiru elsewhere.

Such an attack “compromises websites that are likely to be visited by targets of interest” said the researchers at ESET. “The compromised websites are only used as a jumping-off point to reach the final targets.”

Twenty other websites were targeted by the campaign, which came in two waves: from April to July 2020 and from January to August 2021.

ESET said that the targets had “links to the Middle East and a strong focus on Yemen and the surrounding conflict”.

They included several government websites, including the government, finance and interior ministries and parliament in Yemen; the foreign ministry in Iran; Syria’s ministry of electricity; internet service providers in Yemen and Syria; media sites linked to Hezbollah and the Houthis; and a website run by Saudi dissidents.

Several aerospace companies in South Africa and Italy, which have traded with the Middle East and have experienced financial difficulties, were also targeted.

David Hearst, editor-in-chief of Middle East Eye, said: “Middle East Eye is no stranger to such attempts to take our website down by state and non-state actors. Substantial sums of money have been spent trying to take us out. They have not stopped us reporting what is going on in all corners of the region and it will not stop us in future. They will not stop us reaching a global audience.”

In a statement, MEE said it is exploring possible legal action that could be taken against parties it believed may have played a role in the attack.

“This only further demonstrates the challenges of reporting independently and has serious consequences for the future of press freedom,” MEE said.

“At present we are confident that this has not compromised our ability to continue to focus our efforts on bringing to light original, quality reporting from the region.”

Candiru is currently registered in Tel Aviv under the name Saito Tech. When asked by MEE on Tuesday for a response to the allegations, an employee said that they had no knowledge of the incident, before saying that they did not want to be quoted and that the company did not attack websites.

A company executive later told Middle East Eye: “The product of the company is purposed to help law enforcement agencies to fight terror and crime, at a time all unlawful activities are encrypted, hiding from the law.

"The company is selling its products to government agencies only, after receiving all needed licences from the Israeli MOD [Ministry of Defence] export control.

“The company and its product don't hack websites. The licence and the law prohibit the company or its employees from operating the product for the client, or even to be exposed to whomever the target is.”

Echoes of Pegasus software

It remains unclear how the spyware took control of the websites, who exactly was targeted, and what the hackers obtained as a result.

ESET said the techniques used during the “highly targeted” campaign showed there was a “significant likelihood” that the perpetrators, who remain unknown, were Candiru customers.

Citizen Lab has previously reported that Saudi Arabia and the UAE are “likely Candiru customers”. The firm also “has become closer to Qatar” recently, according to an August 2020 report from Intelligence Online.

NSO Group: US blacklists Israeli firms for harming 'national security interests'
Read More »

In July, Citizen Lab reported that Candiru spyware, along with Pegasus software produced by the Israeli NSO Group, has been used by governments, including Morocco, Saudi Arabia, and the United Arab Emirates, to illegally access the phone data of activists and journalists worldwide.

The spyware was used to weaponise vulnerabilities in Google and Microsoft products which allowed government clients to hack more than 100 activists, journalists, politicians, dissidents and embassy workers.

A mobile phone belonging to Ragip Soylu, MEE's Turkey bureau chief, was among those hacked using spyware produced by the NSO Group.

Hearst said: “Once again this episode belies attempts by producers of this software to distance themselves from their client users. It underscores the need to identify and sanction the companies who produce software of this nature, because their products are potentially a threat to every internet user, irrespective of geography, nationality or belief.”

Candiru: Secret company

Since its founding in 2014, Candiru – named after a parasitic catfish and one of at least five names the company has had during the past six years - has operated largely out of the public eye.

It does not have a website and employees are reportedly forced to sign nondisclosure agreements. Nor do they list the company on their LinkedIn profiles.

Like its better-known Israeli tech rival NSO Group, Candiru only sells its products to government clients, including systems that can spy on computers, mobile phones and cloud accounts, according to Citizen Lab.

The company is required to obtain an export license from Israel’s Ministry of Defence before selling its systems abroad.

The US government blacklisted both companies earlier this month, saying their activities are contrary to US foreign policy and national security interests.

According to Citizen’s Lab, Candiru was backed early on by Isaac Zack, an Israeli venture capitalist who in 2013 also established Founders Group, an investment firm, along with NSO Group founders Shulev Hulio and Omri Lavie.

On its website, the Founders Group describes itself as “proactive guerrilla angels, taking companies to the next level”.

In a leaked document, the details of which were published by Haaretz and a Hebrew language sister publication, TheMarker, last year, the company said it was restricted from operating in the US, Israel, Russia, China and Iran.

This article is available in French on Middle East Eye French edition.

Middle East Eye delivers independent and unrivalled coverage and analysis of the Middle East, North Africa and beyond. To learn more about republishing this content and the associated fees, please fill out this form. More about MEE can be found here.