Researchers say web domains masquerading as activist, health and media groups are used by governments to hack targets
An Israeli company that sells spyware to governments is linked to fake Black Lives Matter and Amnesty International websites that are used to hack targets, according to a new report.
Researchers from the Citizen Lab at the University of Toronto, who worked with Microsoft, issued a report on Thursday about the potential targets of Candiru, a Tel Aviv-based firm marketing “untraceable” spyware that can infect and monitor computers and phones.
One way the company’s spyware allegedly infects targets is through web domains, and the researchers found that the firm’s software was associated with URLs masquerading as NGOs, women’s rights advocates, activist groups, health organizations and news media. Citizen Lab’s research uncovered websites tied to Candiru with domain names such as “Amnesty Reports”, “Refugee International”, “Woman Studies”, “Euro News” and “CNN 24-7”.
The researchers have not identified specific targets of the websites impersonating human rights groups, and have not confirmed the involvement of any specific government clients. Microsoft said it appeared that Candiru sells the spyware that enables the hacks, and that the governments generally choose who to target and run the operations themselves.
The findings suggest that a secretive and little-known company with a wide global reach could be helping governments hack and monitor people in civil society. The report comes amid growing concerns about surveillance technologies that can aid human rights abuses and law enforcement monitoring and crackdowns on Black Lives Matter and related activist groups.
Microsoft’s threat intelligence center, which tracks security threats and cyberweapons, conducted its own analysis and said it found at least 100 targets of malware linked to Candiru, including politicians, human rights activists, journalists, academics, embassy workers and political dissidents. Microsoft found targets in the UK, Palestine, Israel, Iran, Lebanon, Yemen, Spain, Turkey, Armenia and Singapore, the report said.
Microsoft said in a blogpost on Thursday that it had disabled the “cyberweapons” of Candiru and built protections against the malware, including issuing a Windows software update.
There are no legitimate reasons for intelligence firms or their government customers to create websites that impersonate high-profile activist groups and not-for-profit organizations, said Bill Marczak, a co-author of the report, in an interview.
Activists who are targeted may click on links that appear to be from trusted sources and then be taken to a site with innocuous content or redirected elsewhere, he explained. “But this website, which was specially registered for the purpose of exploiting their computer, would run code in the background that would silently hijack control of their computer,” he said.
The malware could enable “persistent access to essentially everything on the computer” potentially allowing governments to steal passwords and documents or turn on a microphone to spy on a victim’s surroundings.
“The user wouldn’t recognize anything was amiss,” said Marczak, a senior research fellow with the Citizen Lab, which has scrutinized British, German and Italian spyware firms, and previously exposed the activities of NSO Group, another Israeli company that allegedly enabled government hacking of journalists and activists.
The use of spyware can have devastating consequences for activists and dissidents. Ahmed Mansoor, a human rights activist in the United Arab Emirates, was jailed and faced violence after he was hacked and monitored through spyware purchased by the UAE. He was targeted by sophisticated government phishing attempts, including a 2016 text message with a link on his phone that purported to include information about the torture of detainees in UAE prisons.
A ‘mercenary spyware industry’
There is minimal information publicly available about Candiru, which was founded in 2014 and has undergone several name changes, the report said. It is now believed to be registered as Saito Tech Ltd, but is still known as Candiru. In 2017, the firm had sales worth nearly $30m, serving clients in the Gulf, western Europe and Asia, according to a lawsuit reported in an Israeli newspaper. Candiru may have deals with Uzbekistan, Saudi Arabia and the UAE, Forbes has reported.
Candiru allegedly offers a range of ways for clients to hack targets, including through hyperlinks, physical attacks and a program called “Sherlock”, the report said, citing a leaked project proposal document from the company. It’s unclear what “Sherlock” does. The firm also sells tools for Signal and Twitter, according to the report. The leaked proposal document included an agreement that said the product would not be used in the US, Russia, China, Israel or Iran.
Microsoft, however, reported finding victims in Israel and Iran.
Citizen Lab said it was able to identify a computer that had been hacked by Candiru’s malware, and then used that hard drive to extract a copy of the firm’s Windows spyware. The owner of the computer was a “politically active” individual in western Europe, the report said.
The team also identified more than 750 domain names that appeared to be linked to Candiru and its customers. In addition to the sites masquerading as not-for-profits, the researchers found URLs that appeared to impersonate a left-leaning Indonesian publication; a site that publishes Israeli court indictments of Palestinian prisoners; a website critical of Saudi Arabia’s crown prince, Mohammed bin Salman; and a site that appeared to be associated with the World Health Organization.
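The naming pattern described here and in the earlier list of "Amnesty Reports", "Refugee International", "Euro News" and "CNN 24-7" style domains (a trusted organisation's name plus a suffix, a near-miss spelling, or a digit-for-letter swap, registered outside the organisation's real domain) is something a defender can hunt for in DNS or proxy logs. The script below is an added example written for this page; it is not Citizen Lab's or Microsoft's tooling. The watch-list, the suffix rule and the sample hostnames are constructed for illustration and do not reproduce the domains the report published.

```python
"""Flag hostnames that trade on a watched organisation's name but live
outside its real domain.  Added illustration; watch-list and samples are
constructed, not taken from the Citizen Lab report."""
import re
from dataclasses import dataclass
from difflib import SequenceMatcher
from typing import Dict, List, Optional, Set

# Constructed watch-list: brand token -> domains the organisation really uses.
# Extend it from your own threat model; the tokens here are an assumption.
WATCHLIST: Dict[str, Set[str]] = {
    "amnesty": {"amnesty.org"},
    "refugeesinternational": {"refugeesinternational.org"},
    "euronews": {"euronews.com"},
    "cnn": {"cnn.com"},
}

# Digits commonly swapped in for letters so a naive substring search misses them.
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})

# Second-level labels under two-letter ccTLDs (euro-news.co.uk registers "euro-news").
SECOND_LEVEL = {"co", "com", "org", "net", "ac", "gov"}


@dataclass
class Finding:
    host: str
    brand: str
    reason: str


def registrable_domain(host: str) -> str:
    """Return the label the registrant chose plus its public suffix (eTLD+1).

    Crude on purpose: two labels, or three for ccTLD second-level forms such
    as co.uk.  A real deployment would consult the Public Suffix List.
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-2] in SECOND_LEVEL and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def normalize(label: str) -> str:
    """Lower-case, undo digit look-alikes, drop hyphens and other separators."""
    return re.sub(r"[^a-z]", "", label.lower().translate(LOOKALIKES))


def brand_match(name: str, brand: str) -> bool:
    """Does a normalized registrable label look like it is trading on `brand`?"""
    if len(brand) < 4:
        # Short tokens (cnn) occur inside unrelated words; only accept them
        # when they start or end the label.
        return name.startswith(brand) or name.endswith(brand)
    if brand in name:  # brand plus a suffix: amnestyreports, euronews24
        return True
    # Whole-label near-miss, e.g. refugeeinternational vs refugeesinternational.
    return SequenceMatcher(None, name, brand).ratio() >= 0.85


def check(host: str) -> Optional[Finding]:
    """Return a Finding if `host` impersonates a watched organisation, else None."""
    reg = registrable_domain(host)
    if any(reg in legit for legit in WATCHLIST.values()):
        return None  # the organisation's own domain, or a subdomain of it
    label = reg.split(".")[0]
    name = normalize(label)
    for brand, legit in WATCHLIST.items():
        if brand_match(name, brand):
            return Finding(host, brand, f"{reg} trades on '{brand}' but is not {sorted(legit)}")
    return None


def scan(hosts: List[str]) -> List[Finding]:
    """Run check() over a batch of hostnames, e.g. distinct names from a proxy log."""
    return [f for f in (check(h) for h in hosts) if f is not None]


# Constructed hostnames mimicking the report's naming patterns (not its real domains).
SAMPLE_HOSTS = [
    "amnesty-reports.org",           # brand + suffix
    "www.refugeeinternational.org",  # near-miss spelling
    "euro-news.co.uk",               # hyphen split, ccTLD second level
    "cnn24-7.com",                   # short brand + digits
    "woman-studies.org",             # not on the watch-list
    "news.cnn.com",                  # legitimate subdomain
    "amnesty.org",                   # legitimate apex
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_HOSTS):
        print(f"{finding.host}: {finding.reason}")
```

The legitimate-domain check runs before any fuzzy matching, so subdomains of the real organisation never trip the detector. The fuzzy branch compares the whole label against the brand token, which catches misspellings of the name itself but not a misspelled brand with a suffix attached; tighten the threshold or add a per-token edit-distance check if that matters for your watch-list.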
“Candiru’s apparent presence, and the use of its surveillance technology against global civil society, is a potent reminder that the mercenary spyware industry contains many players and is prone to widespread abuse,” the report said. “This case demonstrates, yet again, that in the absence of any international safeguards or strong government export controls, spyware vendors will sell to government clients who will routinely abuse their services.”
The report does not allege specific violations of the law, though it’s difficult to evaluate legality without knowing which nations were involved in the hacking.
The findings about Candiru suggest that there are systematic problems with the spyware industry and how it is regulated, said Marczak. “It’s not just one bad apple,” he said, referencing NSO Group, whose spyware was allegedly used against a New York Times reporter who authored a book on Prince Mohammed and an Amnesty International staff member.
“We desperately need to understand this industry better, because it’s growing much faster than we can track, and it’s larger than we know,” added John Scott-Railton, another Citizen Lab researcher and co-author, noting that governments are also becoming increasingly vulnerable to hacking and spying by other states. “It’s an urgent national security concern, and governments around the world are going to find themselves targeted by this technology, if they haven’t already.”
Candiru representatives did not immediately respond to the Guardian’s requests for comment on Thursday.