An Israeli cyber warfare group weaponised vulnerabilities in Microsoft and Google products, allowing governments to hack more than 100 journalists, activists and political dissidents globally, new research has found.
The relatively unknown player, which markets itself as Candiru, is part of a lucrative Israeli offensive cyber industry that often recruits veterans of the army’s elite units, and sells software that allows its clients to hack computers and cell phones remotely.
Companies like Candiru and the largest player in this opaque industry, NSO Group, which was valued at $1bn in a 2019 transaction, said their software is designed to be used by government and law enforcement agencies to thwart potential terrorism and crime.
But the UN, the University of Toronto’s Citizen Lab and rights groups such as Amnesty International have regularly traced the spyware to the phones and computers of journalists, political dissidents and activists critical of repressive regimes.
Emails sent to multiple addresses listed for Candiru executives seeking comment either bounced back or went unanswered.
In this instance, Microsoft and Citizen Lab found that Candiru sold a spyware tool that exploited flaws in Microsoft Windows, allowing those deploying it to steal passwords, export files and messages from devices, including from encrypted messaging app Signal, and send messages from email and social media accounts.
The report said that its analysis found Candiru’s systems, which are sold exclusively to governments, had been “operated from Saudi Arabia, Israel, UAE, Hungary, and Indonesia, among other countries”.
Candiru’s spyware targeted at least 100 members of civil society, including politicians, human rights activists, journalists, academics, embassy workers and political dissidents, the report said, in places like the UK, Spain, Singapore and within Israel and the occupied Palestinian territories.
The researchers also found more than 750 fake websites posing as groups including Amnesty International, the Black Lives Matter movement and the Russian postal service that were laced with its spyware.
“Candiru has tried to remain in the shadows ever since its founding,” said Bill Marczak, senior fellow at the Citizen Lab. “But there is no space in the shadows for companies that facilitate authoritarianism by selling spyware used against journalists, activists, and civil society.”
Microsoft said in a blog post that it had issued a software update this week “that will protect Windows customers from exploits [the company] was using to help deliver its malware”.
Separately, the Citizen Lab report found that two Google Chrome vulnerabilities disclosed by the Silicon Valley company on Wednesday had been exploited by Candiru. While Google did not explicitly link the exploits to Candiru, it attributed them to a “commercial surveillance company”.
The report shines a harsh spotlight on the growing mercenary spyware industry, which is increasingly drawing ire from the Big Tech platforms whose software can be weaponised by the groups. Candiru’s larger rival NSO Group is currently facing a lawsuit from WhatsApp, supported by other technology groups, for allegedly selling tools that allowed clients to inject its software surreptitiously into phones via WhatsApp calls.
In a Candiru marketing document from 2019, seen by the Financial Times, the group promoted its “superpower-grade cyber intelligence system”, saying that “installation and exfiltration processes are stealth and covert, with no interruption to the regular activity of the target”.
It added that “proprietary infiltration agents are silently deployed into the target’s device, using our in-house developed set of attack vectors and zero-day vulnerabilities” — suggesting that the Microsoft Windows flaw is just one of those it has been exploiting.
Google said in its post this week that there were “more commercial vendors selling access to 0-days than in the early 2010s”.
Cristin Goodwin, general manager of Microsoft’s Digital Security Unit, said: “A world where private sector companies manufacture and sell cyberweapons is more dangerous for consumers, businesses of all sizes and governments.”