Skip to main content

Israeli firm helped governments hack activists, journalists and politicians

Spyware was installed via fake advocacy group websites, including those masquerading as Amnesty and Black Lives Matter, reearchers found
A Microsoft logo is seen on an office building (AFP/File photo)

An Israeli spyware firm sold tools to a variety of governments to spy on politicians, dissidents, human rights activists, embassy workers and journalists, according to a Microsoft report.

Researchers from the Citizen Lab at the University of Toronto, who worked with Microsoft, issued a report on Thursday about the potential targets of Candiru, a Tel Aviv-based firm selling "untraceable" spyware. 

'The user wouldn’t recognise anything was amiss'

- Bill Marczak, Citizen Lab

According to the report, the technology enabled clients to hack into Microsoft Windows, infecting and monitoring computers and phones.

In some cases, the spyware was initiated via fake advocacy group websites. Using internet scanning, Citizen Lab said it identified more than 750 sites linked to Candiru's spyware infrastructure. 

"We found many domains masquerading as advocacy organizations such as Amnesty International, the Black Lives Matter movement, as well as media companies, and other civil-society themed entities," the group said. 

Stay informed with MEE's newsletters

Sign up to get the latest alerts, insights and analysis, starting with Turkey Unpacked


Bill Marczak, a co-author of the report, told the Guardian that targeted activists may click on links that appear to be from trusted sources. "But this website, which was specially registered for the purpose of exploiting their computer, would run code in the background that would silently hijack control of their computer," he said.

That code would then grant "persistent access to essentially everything on the computer", he said, potentially allowing governments to steal passwords and documents or turn on a microphone to spy on a victim's surroundings.

"The user wouldn't recognise anything was amiss," said Marczak. 

Victims around the world

Reportedly, Candiru's spyware can infect and monitor iPhones, Android devices, Macs, PCs, and cloud accounts.

Technical analysis by security researchers details how Candiru's hacking tool spread around the globe to numerous unnamed customers, where it was then used to target various organisations, including a Saudi dissident group and a left-leaning Indonesian news outlet, the report shows.

Middle East Eye was unable to reach Candiru for comment. 

Saudi Arabia deploys new Israeli spyware to hack activists' phones: Report
Read More »

As part of their investigation, Microsoft observed at least 100 victims in the occupied Palestinian territories, Israel, Iran, Lebanon, Yemen, Spain, United Kingdom, Turkey, Armenia, and Singapore.

"Candiru's growing presence, and the use of its surveillance technology against global civil society, is a potent reminder that the mercenary spyware industry contains many players and is prone to widespread abuse," Citizen Lab said in its report.

According to a lawsuit brought by a former employee, Candiru had sales of "nearly $30 million", within two years of its founding. 

The firm's reported clients are located in "Europe, the former Soviet Union, the Persian Gulf, Asia and Latin America", Citizen Lab reported, noting that Saudi Arabia, the United Arab Emirates and Qatar were also "likely Candiru customers". 

Several Israeli companies - many of whose founders and employees hail from the intelligence and defence industries - have developed technologies to hack and spy on mobile phones.

In JuneQuadream, another Tel Aviv-based company, was accused of selling a programme named Reign to Saudi authorities, which similarly has the ability to hack phones, extract their data and turn them into tracking devices. 

Reign, however, has the capacity to break into phones using zero-click technology, meaning a user does not have to click on a malicious link to be infected. Pegasus spyware, developed by Israel's largest surveillance company NSO Group, also uses zero-click technology and has been sold to Saudi Arabia, among others. 

Microsoft fixes breach

Microsoft said it discovered flaws that were being manipulated on Tuesday through a software update, and fixed them, but the company did not directly attribute the exploits to Candiru. Instead it referred to the culprit as an "Israel-based private sector offensive actor" under the codename Sourgum.

"Sourgum generally sells cyberweapons that enable its customers, often government agencies around the world, to hack into their targets' computers, phones, network infrastructure, and internet-connected devices," Microsoft wrote in a blog post. "These agencies then choose who to target and run the actual operations themselves."

Candiru's tools also exploited weaknesses in other popular software products, such as Google’s Chrome browser.

'No longer do [malicious] groups need to have the technical expertise, now they just need resources'

- Google

On Wednesday, Google's Threat Analysis Group (TAG) published a report that detailed nine websites that it determined were used to manipulate software flaws, eight of which pointed to IP addresses that matched Citizen Lab's identified Candiru fingerprint, Thursday's report said. 

Google also did not refer to Candiru by name, but described it as a "commercial surveillance company". 

Cyber arms dealers like Candiru often chain multiple software vulnerabilities together to create effective exploits that can reliably break into computers remotely without a target's knowledge, computer security experts say.

Those types of covert systems cost millions of dollars and are often sold on a subscription basis, making it necessary for customers to repeatedly pay a provider for continued access, people familiar with the cyber arms industry told Reuters.

"No longer do groups need to have the technical expertise, now they just need resources," Google wrote in its Wednesday statement.

Middle East Eye delivers independent and unrivalled coverage and analysis of the Middle East, North Africa and beyond. To learn more about republishing this content and the associated fees, please fill out this form. More about MEE can be found here.