At least 100 activists, journalists and government dissidents across 10 countries were targeted with spyware produced by an Israeli company called Candiru, according to cybersecurity researchers at the University of Toronto’s Citizen Lab, which tracks illegal hacking and surveillance.
Using a pair of vulnerabilities in Microsoft Corp.’s Windows, cyber operatives operating in Saudi Arabia, Israel, Hungary, Indonesia and elsewhere purchased and installed remote spying software made by Candiru, according to the researchers. The tool was used in “precision attacks” against targets’ computers, phones, network infrastructure and internet-connected devices,” said Cristin Goodwin, general manager of Microsoft’s Digital Security Unit.
Keep readinglist of 4 items
Microsoft was alerted to these attacks by researchers at Citizen Lab, and after weeks of analysis, the company released patches on July 13 for a pair of Windows vulnerabilities believed to be the point of entry for the spyware, according to a Microsoft blog published Thursday. Microsoft doesn’t name Candiru but instead refers to an “Israel-based private sector offensive actor” it calls Sourgum.
Candiru didn’t immediately respond to a message seeking comment. Candiru is the name of an eel-like fish native to the Amazon River region that allegedly enters the urethra of humans before deploying short spines – a story some have dismissed as a myth.
The users of the spyware also hacked politicians and human rights activists, according to the researchers, who declined to name the victims.
The Citizen Lab researchers said the Candiru spyware is part of a thriving private industry selling technology to governments and authoritarian leaders so they can gain access to the communications of private citizens and political opposition. Another Israeli company, NSO Group Ltd., has been accused of providing spyware to repressive governments that have used it to snoop on journalists and activists.
NSO has maintained that it sells its technology exclusively to governments and law enforcement as a tool against terrorism and crime. In a report published on June 30, NSO Group said it refuses to sell spyware to 55 countries and has taken steps to curb misuse by customers.
John Scott-Railton, senior researcher at Citizen Lab, said the Candiru research “shows there’s a whole ecosystem selling to authoritarian regimes.”
“Tools like Candiru are used to export fear,” he added.
Citizen Lab’s findings also offered some fresh insight into the cost of doing business in the spyware industry.
For 16 million euros ($18.9 million), Candiru’s clients can attempt to compromise an unlimited number of devices but are limited to actively tracking only 10 at a time, according to Citizen Lab. For an extra 1.5 million euro ($1.8 million), buyers can monitor an additional 15 victims.
Candiru has clients in Europe, Russia, the Middle East, Asia and Latin America, according to the Israeli newspaper Haaretz. Local news organizations have reported contracts in Uzbekistan, Saudi Arabia, the United Arab Emirates, Singapore and Qatar, according to Citizen Lab’s report.
Candiru’s clients are restricted to operating only in “agreed upon territories,” according to Citizen Lab. The company’s clients sign contracts that limit operations outside the U.S., Russia, China, Israel and Iran, according to the report. But Microsoft said it has recently discovered activity with the spyware in Iran, suggesting the rules aren’t concrete, according to the report.