Cellphone Hacking and Millions in Gulf Deals: Inner Workings of Top Secret Israeli Cyberattack Firm Revealed

Leaked documents confirm that Candiru does not just operate spyware for computers but also has operational mobile spytech. Here's what we know about the cyberattack firm offering 'untraceable' mic and camera manipulation

Amitai Ziv
The Candiru offices in Tel Aviv, December 31, 2018. Credit: Ofer Vaknin

It has no website, its workers must sign stringent nondisclosure agreements and they do not even update their LinkedIn profiles with their place of employment. That’s how Candiru, one of Israel’s most mysterious cyber warfare companies, operates. But leaked documents obtained by TheMarker, Haaretz’s sister publication, and court filings made as part of a labor dispute between the company and a former senior employee reveal some details about it and provide a rare glimpse into its secret operations.

Offensive cyber is a big business in Israel, with industry sources saying it generates about $1 billion in sales a year. The biggest and most controversial of the players is NSO, which has been cited repeatedly for selling its equipment to countries like Saudi Arabia and Mexico that have used it to spy on and crack down on dissidents.


NSO’s specialty is hacking smartphones. Up till now, little was known about Candiru. TheMarker has revealed that the firm offers hacking tools used to break into computers and servers, and now, for the first time, has confirmed it also has technology for breaking into mobile devices.

According to a document signed by an unnamed vice president for Candiru, the company also offers a “high-end cyber intelligence platform dedicated to infiltrate PC computers, networks, mobile handsets, by using explosions and disseminations operations."

The system, the document explains, enables “effective and scalable cyber intelligence operations covertly within individual [mobile devices]. Proprietary infiltration agents are silently deployed into target PCs or mobile handsets with minimal requirements of target interaction."

"Once deployed," the company boasts, “the untraceable agents immediately identify and map networks the target is connected to.” In tandem, the system "initiate[s] undetected data exfiltration tasks, throughout manipulation and control of device hardware and local programs" – these include social media accounts, communication programs or apps, and the phone or computer's microphone or camera.

Leaked documents confirm that Candiru does not just operate spyware for computers but also has operational mobile spytech

Boasting three different modes – PC/Windows, iOS (iPhone) and Android – the document says that, “Due to the sensitive and strategic nature of cyber intelligence operations the system is designed as an off-the-shelf product, deployable as a stand-alone platform.” Candiru claims the service can operate around the globe, but notes that it cannot be deployed in the U.S., Israel, Russia and China. NSO – which offers a similar service – includes a similar caveat.

The document is the first confirmation that much like its competitor NSO, the spyware company has not only finished developing spytech focused on mobile phones, but also that this technology is now operational and already up for sale. 

Inside Candiru

Candiru was founded in 2015 by Eran Shorer and Yaakov Weizman. The largest shareholder is Isaac Zack, who has been its chairman since the beginning and was also a founding funder of NSO. The company has moved offices frequently and is now located on Ha’arba’a Street in Tel Aviv. It has also changed names several times. It started out as Candiru, then became D.F. Associates, then morphed into Greenwick Solutions. Over the past year it’s also been called Tabatha Ltd., and now it’s known as Saito Tech, Ltd. But everyone in the industry still refers to it as Candiru.

The company helps law enforcement and intelligence agencies in various countries hack into computer systems without permission, to conduct surveillance, steal information and even cause damage. But what the company actually does remains largely a riddle. However, a lawsuit filed by a former employee sheds light on some of its operations, which it seems the firm would prefer be kept in the dark.

The name of the senior employee can be found online, but we will call him S. He was vice president of sales for Candiru between November 2015 and December 2018. The lawsuit, which he filed through attorneys Tomer Hadas and Maayan Weiss Levi from the Holin-Hadas law firm, centers on financial compensation he feels is owed to him, as well as damages for aggravation caused by what he claims was humiliating treatment and a dismissal process that he says was improperly conducted.

The little evidence there is indicates that Candiru’s specialty is hacking computers, but the court documents reveal Candiru began developing a solution for cellular attacks as an alternative to its regular services.

Isaac Zack, Candiru's main shareholder and chair, who was also a founding funder of NSO. Credit: Ofer Vaknin

“In 2017, the defendant’s senior management decided to develop a line of new products, including cyber capabilities in the world of cellular phones. Until then, the defendant had dealt with the cyber field and computers alone,” S.’s attorneys wrote. “However, for some reason, in early 2018, Zack, for reasons known only to him, ordered a halt to the sale and marketing of these products.”

Candiru’s attorneys, however, describe the company as solely computer-focused: “The company has a product that collects intelligence from computer networks, which it has started to market to government agencies.” 

Code name Sphinx

According to the lawsuit, when S. joined the company at the end of 2015, the company had only 12 employees. It then states that by “the end of 2018,” it had 70 employees. How many does it have now? One of the announcements documented in the lawsuit speaks of “a company of 150 employees.”

Candiru’s CEO is Eitan Achlow. Credit: Ofer Vaknin

According to the suit, during its first year of existence Candiru had no clients but was in the midst of two different negotiations. However, S. claims that, “By the beginning of 2016 the defendant had a large number of deals in the advanced stage with clients in Europe, the former Soviet Union, the Persian Gulf, Asia and Latin America. The results showed impressive sales of $10 million in 2016.”

Later on, S. argues, “In 2017 the defendant had sales of nearly $30 million throughout the world, to clients in the Persian Gulf, Western Europe, the Far East and more.”

One of the lines of defense offered by offensive cyber companies is that they sell their services only to democratic regimes. According to this lawsuit, this is not the case with Candiru, since there are no democratic countries in the Persian Gulf, nor are most of the former Soviet countries democratic.

The Candiru logo. Credit: Ofer Vaknin

These quotes also reveal information on Candiru’s revenues: agreements worth $30 million as of 2017. But it’s reasonable to assume that these were multiyear agreements, as one can discern from another part of the lawsuit, in which S. demands the bonus coming to him as vice president of sales – 1 percent of the company’s revenues. Based on his calculation, company revenues in 2018 were 65 million shekels (around $20 million).

But S. is also insisting on his share of deals “For which payment was not yet received by the defendant as of the date of termination.” He attaches a fascinating appendix that ostensibly details the company’s entire stream of future transactions. The projects are given code names – Sphinx, Tiger, Ukulele, Otron1, Oltron2, Pointer1, Pointer2 and so on – a total of $367 million in deals (apparently over several years). The scope of the projects ranges from half a million dollars to $20 million. The lawsuit also reveals that Candiru conducts negotiations at various levels in dozens of countries. “The extent of the sales activity included all the world’s continents [that is, including Africa] and opportunities in more than 60 countries,” it states.

15% commission

The legal dispute sheds light on another significant component of the offensive cyber market – the innards of the industry – the use of “agents” in the target countries. These are intermediaries who live in the target countries and help complete the deals in return for commissions.

The legal action reveals that the commission paid to such agents is 15 percent, at least in Candiru’s case. It’s no small sum when taking into account the size of the deals involved, at times worth millions of dollars.

According to Candiru, “To uphold the strict regulations that apply to it with regard to everything connected to engaging agents, the company set up an agents committee whose job is to approve all agents in advance before they are engaged, and to set the commission to be paid to him. Zack serves as chairman of the company’s agents committee and signing an agreement with an agent who hasn’t been approved in advance by the committee is forbidden.” The lawsuit argues that S. signed up agents “and engaged them without their being approved as required.”

Candiru argues that S. undermined these rules, set up to prevent bribery and corruption, an especially sensitive issue for weapons and cyberattack firms that are also subject to international conventions, and which has led to trouble for other big firms in the past.

Candiru, through its attorneys, complained that S. has revealed secret security information in his lawsuit, which is why it’s demanding the court conduct its hearings behind closed doors, “And order the secret information be stored in the court’s safe in a closed envelope, and that all secret information be removed the court system’s [public online system].”

A merger with NSO?

In addition to “problems with the product and its lack of technological readiness for the market,” as plaintiff’s attorneys put it, S. also claims a problem of conflict of interests at Candiru. “Even in 2017, [...] substantial difficulties stemmed from the intervention of the controlling shareholder, Zack, intervention that bordered on a serious conflict of interest that went against the financial interest of the [company].” 


What conflict of interest might this be? It’s possible that the plaintiff is arguing that Zack has a conflict of interest because he holds a cyber offense company on the one hand (Candiru), while on the other hand he is invested in several cyber defense firms.

In the past, Zack (through the Founders Investment Fund) held shares in NSO, and coincidentally, the law firm that represents NSO, Erdinast, Ben Nathen Toledano, & Co., also represents Candiru.

In July we revealed that in December 2019 several companies had invested in Candiru, foremost among them Universal Motors. Universal invested $9 million in Candiru in exchange for 10 percent of the company. The importer thus replaced another shareholder who wanted to get out of the company – venture capitalist Eli Wartman. The deal sets Candiru’s value at $90 million – not a high value for a high-tech company, let alone one that deals in cyber offense.

Candiru’s future is unclear, but based on cautious market estimates, at a certain point it will likely merge with NSO, either through a direct purchase by NSO or through Novalpina Capital, the private equity firm that controls NSO. The two cyber firms have complementary capabilities – one specializes in mobile phones (NSO), the other in computers – so there would be logic to such a merger. In any case, if such a deal should go through, we will presumably see it reflected in UMI’s public holdings of Candiru shares.

Candiru refused to respond for this article.
