Advanced Spyware From Israel's Candiru Discovered on Russian, Turkish, Palestinian Computers

Amitai Ziv
The entrance to Candiru's Tel Aviv office, in 2018. Credit: Ofer Vaknin

Spyware made by the Tel Aviv-based hacking tool company Candiru has been found on several computers in Europe and the Middle East, the cybersecurity company ESET reported.

In their September report, ESET wrote that according to research published by Citizen Lab and the Microsoft Threat Intelligence Center in July about Candiru's DevilsTongue malware, it is "sold to third parties, which can abuse it to spy on various victims, including human rights defenders, dissidents, journalists, activists and politicians."

ESET researchers, the report says, "discovered indications of DevilsTongue malware in our telemetry data, affecting about 10 computers" in Albania, Russia and the Middle East. The malware was found in Israel, the Palestinian territories, Turkey and other parts of the region.

It also states that "the malware is highly targeted: each DevilsTongue victim we identified had a custom sample with PE resources unique to that victim." The mention of the "murky Israeli mercenary spyfirm," as Candiru is dubbed in the report, is likely to perturb Israelis.

In July, Microsoft and Google reported a number of zero-day vulnerabilities found in the Windows operating system and the popular Chrome web browser. Candiru had exploited these vulnerabilities in order to attack targets in about 100 countries, from Iran and Lebanon to Spain and the United Kingdom.

Candiru's CEO, Eitan Achlow. Credit: Ofer Vaknin

According to Citizen Lab, in that attack, Candiru's clients used a number of domains, including ones linked to gender and human rights, such as blacklivesmatter.info and genderconference.org, in order to implant malware into users' web browsers. Their goal was social engineering – exploiting human vulnerabilities to get people to click links and visit the affected websites.

The intended victims are still not definitively known. The Citizen Lab report said that human rights activists, political dissidents, journalists, human rights workers and politicians were among the targets.

Similar discoveries have been made regarding another Israeli company, NSO, which shares some of its clients with Candiru. Countries like Qatar, Uzbekistan, Saudi Arabia and the United Arab Emirates appear to have patronized NSO alongside Candiru, using the latter's technology for personal computers.

"Candiru's growing presence, and the use of its surveillance technology against global civil society, is a potent reminder that the mercenary spyware industry contains many players and is prone to widespread abuse," Citizen Lab said in its report.

Microsoft fixed the discovered flaws through a software update soon after they were found. The company did not directly attribute the exploits to Candiru, instead referring to it as an "Israel-based private sector offensive actor" under the code name Sourgum.
