An investigation conducted by cybersecurity researchers at the University of Toronto’s Citizen Lab, who specialize in tracking illegal hacking and surveillance, discovered that at least 100 activists, journalists and government dissidents across 10 countries were targeted with spyware produced by an Israeli company named Candiru. The users of the spyware also hacked politicians and human rights activists, according to the researchers. The countries targeted include Armenia, Palestine, Israel, Iran, Lebanon, Yemen, Spain, the United Kingdom, Turkey, and Singapore.
Candiru is a secretive Israel-based spyware firm with close ties to Unit 8200, the signals intelligence branch of the Israeli military. The company has made efforts to obscure its ownership structure, staffing, and investment partners. According to Microsoft, Candiru sells spyware exclusively to governments. Microsoft also states that its spyware can infect and monitor iPhones, Android devices, Macs, PCs, and cloud accounts.
Citizen Lab’s findings offer some fresh insight into the cost of doing business in the spyware industry. Using telemetry data from Team Cymru, along with assistance from civil society partners, Citizen Lab was able to identify a computer that was suspected to contain a persistent Candiru infection. After this discovery, the researchers at Citizen Lab identified more than 750 websites linked to Candiru’s spyware infrastructure. “We found many domains masquerading as advocacy organizations such as Amnesty International, the Black Lives Matter movement, as well as media companies, and other civil-society themed entities”, states researcher Bill Marczak.
Working with the Microsoft Threat Intelligence Center (MSTIC), the researchers analyzed the spyware, which led Microsoft to discover CVE-2021-31979 and CVE-2021-33771, two privilege escalation vulnerabilities that, according to Microsoft, were exploited by Candiru. Microsoft patched both vulnerabilities on July 13th, 2021.
Cyber operatives operating in Saudi Arabia, Israel, Hungary, Indonesia and elsewhere purchased and installed remote spying software made by Candiru that exploited the pair of vulnerabilities in Microsoft Corp.’s Windows, according to the researchers. The tool was used in “precision attacks” against targets’ computers, phones, network infrastructure and internet-connected devices, said Cristin Goodwin, general manager of Microsoft’s Digital Security Unit.