Citzen Lab’s report co-author Dr. Bill Marczak Photo: Orel Cohen
A new report released by Citizen Lab last week in collaboration with Microsoft threatens to do the same to another anonymous Israeli company: Candiru. Like NSO, Candiru has so far operated, mainly, in the shadows. It too, developed powerful spyware meant for states and governmental institutions, and it too will now take center stage thanks to the findings that have been uncovered, most notably: Candiru’s software has been used to spy on more than 100 human rights activists, dissidents, journalists and academics from countries such as Iran, Lebanon, Yemen, Britain, Turkey, and even Israel.
“There is a problem with the whole industry”
“I hope people will begin to understand that the issues and damages associated with this type of surveillance do not depend on just one company,” Dr. Bill Marczak, a senior research fellow at Citizen Lab and a researcher at the University of California at Berkeley, who led the current study, told Calcalist. “We hear a lot about NSO, and they dominated the headlines. Whenever there is a report of spyware, people think of NSO. But this is a much broader problem. It’s not that there are only one or two bad companies in the hacking community, there are problems with the whole industry.”
Candiru was founded in 2014 by Yaakov Weizmann and Eran Shorer. The company’s chairman, Itzik Zack, is also its largest shareholder. It goes to great lengths to keep its actions under the radar, and it changed its name several times throughout the years. Like many other Israeli actors in the field, Candiru recruits mostly from the IDF’s renowned 8200 intelligence unit but maintains total anonymity online. It does not have a website and its name does not even appear in the LinkedIn profile of its managers, whose job description only includes “start-up company”.
According to a lawsuit filed by a former employee of the company, in the first two years, Candiru’s sales reached close to $30 million, while its customers include countries in Europe, the former USSR, the Persian Gulf, Asia and Latin America. Past intelligence and media reports claimed Uzbekistan, Saudi Arabia, the United Arab Emirates, Singapore, and Qatar, were part of the company’s clients list.
The current report maps, for the first time, the company’s scope of activity and methods, as well as analyzes how its spyware works. Although it focuses on spyware that has been introduced into Windows-based computers, Candiru says it offers spyware solutions for iPhone and Android too, an area in which it competes directly with NSO.
The researchers identified and mapped 764 IP addresses of sites and servers belonging to Candiru. “We discovered several impersonating human rights organizations or activist organizations’ websites,” said Marczak. “For example, a site that looks like an attempt to impersonate Amnesty, websites impersonating media sites such as CNN, sites impersonating known tech companies, as well as international organizations such as the website of the UN Secretary General’s Special Envoy to Yemen.” Other sites had URLs with academic characteristics, which may indicate that academics were among the targets. Citizen Lab also identified domains that impersonate those of local news sites or offices in countries such as Russia, Indonesia, Iran, Turkey, Cyprus, Austria, the Palestinian Authority, and Saudi Arabia. The scans revealed information that Candiru’s customers are active in Saudi Arabia, the United Arab Emirates, Hungary, and Indonesia. “There are probably more customers, these are just the ones we found,” Marczak said.
Sends messages on behalf of the victim
A major achievement of the study was locating a copy of Candiru’s spyware and analyzing it. “We found a victim’s computer that was linked to some of the sites we mapped,” Marczak said. “We were able to perform a forensic analysis of the computer and take out a copy of the spyware, which communicated with these sites. We analyzed the spyware and studied how it works.”
Among other things, Citizen Lab identified that the spyware remains on the computer even after rebooting or installing software updates. It can detect and copy passwords and cookies from browsers and allows its operator to send messages from people’s active accounts on their computers. “If I’m connected to a Facebook, Gmail, or similar account on my computer, then the spyware operator can use my computer to send a message in my name directly from my Gmail or Facebook account to someone else. This is an interesting feature we have not seen in other spyware, the ability to impersonate the target by using their account directly from the infected computer.”
Citizen Lab shared a copy of the spyware with Microsoft, and an analysis by the technology giant revealed more than 100 spyware victims around the world, including politicians, human rights activists, journalists, academics, embassy staff, and political dissidents. According to the company, about half the victims were from the Palestinian Authority, and most of the rest were from Israel, Iran, Lebanon, Yemen, Spain, Britain, Turkey, Armenia, and Singapore. Microsoft emphasizes that the identification of victims’ nationality does not prove a country’s intelligence agency is a Candiru client because of how common international espionage is. “The Microsoft Threat Intelligence Center (MSTIC) and Microsoft Security Response Center (MSRC) spent weeks examining the malware, documenting how it works, and building protections that can detect and neutralize it,” wrote General Manager of Microsoft’s Digital Security Unit, Cristin Goodwin, in a post published by the company last week. “We named the malware Devil’s Tongue.”
According to Goodwin, Microsoft’s cooperation with Citizen Lab is part of a broader legal, technological, and policy effort that the company is leading to address the danger of companies creating and distributing cyber weapons. “These companies increase the risk that weapons fall into the wrong hands and threaten human rights. That’s why, for example, we filed an amicus brief in a legal case brought by WhatsApp against another PSOA called NSO Group.”
The report sharply criticized Israel’s Ministry of Defense, which approves the export of goods Candiru and similar companies export to other countries. “Unfortunately, Israel’s Ministry of Defense has so far proven itself unwilling to subject surveillance companies to the type of rigorous scrutiny that would be required to prevent abuses of the sort we and other organizations have identified,” the report reads. “The export licensing process in that country is almost entirely opaque, lacking even the most basic measures of public accountability or transparency.”
Marczak told Calcalist that he hopes the new report will push for a change in the situation: “The solutions must be broader than one specific company’s scope. There has to be a bigger solution, it’s not that NSO publishes a human rights policy and everything is fine. There is a need for regulation for the entire industry, which will focus on human rights and the prevention of export of these tools to oppressive regimes that will use them to spy on journalists and activists.”
And what do you think will actually happen?
“Similar to what we saw with NSO and other companies we reported on, I estimated the company will say ‘we can not talk about how our tools are used, but they are designed to fight terrorism and crime, and we can tell you that they prevented terrorist attacks.’ They say such things to improve their image, without dealing with the real concerns. They will try to come out of the shadows and do some public relations work to make the company look good without dealing with the issues around their spyware.”
Candiru refused to comment on the report