Skip to main content

Israeli spyware maker behind new attack on journalists, cybersecurity firm says

Avast Threat Labs says Tel Aviv-based spyware vendor commonly known as Candiru looked to exploit vulnerabilities in google chrome to target journalists
Spyware from Candiru and NSO Group has been used to target activists and journalists across the Middle East, cybersecurity companies have revealed (MEE)

Security researchers have linked the discovery of an actively exploited, but since-fixed, zero-day vulnerability in Google Chrome to an Israeli spyware maker known to target journalists in the Middle East.

Avast Threat Labs, a global cybersecurity company, attributed the attacks to the Tel Aviv-based spyware vendor commonly known as Candiru.

Last year online security firm ESET revealed that Middle East Eye was targeted by the hacking for hire group in April 2020.

At the time, Middle East Eye editor-in-chief David Hearst said: “Middle East Eye is no stranger to such attempts to take our website down by state and non-state actors. Substantial sums of money have been spent trying to take us out. They have not stopped us reporting what is going on in all corners of the region and it will not stop us in future. They will not stop us reaching a global audience.”

Candiru was sanctioned in November 2021 by the US Commerce Department for engaging in activities contrary to US national security.

Pegasus: US Supreme Court seeks Biden's input on lawsuit against Israel's NSO
Read More »

Avast detected the latest Candiru attack in March using an updated toolset that aimed to target individuals in Turkey, Yemen and Palestine - as well as journalists in Lebanon where Candiru compromised a website used by employees of an unnamed news agency.

“We can’t say for sure what the attackers might have been after, however often the reason why attackers go after journalists is to spy on them and the stories they’re working on directly, or to get to their sources and gather compromising information and sensitive data they shared with the press,” Avast said in a statement.

Candiru was first exposed by Microsoft and Citizen Lab in July 2021. The findings showed that the hacking company had targeted at least 100 activists, journalists and dissidents across 10 countries. According to Avast, Candiru likely scaled back its activities following last year’s release of the Citizen Lab’s report in order to update its malware and evade detection efforts.

The company is currently registered in Tel Aviv under the name, Saito Tech.

Middle East Eye reached out to a Candiru executive last year following the revelations by online security firm ESET and was told that the company and its products don’t hack websites.

“The product of the company [Candiru] is purposed to help law enforcement agencies to fight terror and crime, at a time all unlawful activities are encrypted, hiding from the law.”

"The company is selling its products to government agencies only, after receiving all needed licences from the Israeli MOD [Ministry of Defence] export control.

Citizen Lab has previously reported that Saudi Arabia and the UAE are “likely Candiru customers”. The firm also “has become closer to Qatar” recently, according to an August 2020 report from Intelligence Online.

In July, Citizen Lab reported that Candiru spyware, along with Pegasus software produced by the Israeli NSO Group, has been used by governments, including MoroccoSaudi Arabia and the United Arab Emirates, to illegally access the phone data of activists and journalists worldwide.

The spyware was used to weaponise vulnerabilities in Google and Microsoft products which allowed government clients to hack more than 100 activists, journalists, politicians, dissidents, and embassy workers.

A mobile phone belonging to Ragip Soylu, MEE's Turkey bureau chief, was among those hacked using spyware produced by the NSO Group.