Candiru (spyware company)

Candiru is a private Tel Aviv-based company founded in 2014 which provides spyware and cyber-espionage[1][2] services to government clients.[3] Its management and investors overlap significantly with those of NSO Group.[4] Its operations began to be uncovered in 2019 by researchers at CitizenLab, Kaspersky and ESET, among others. Microsoft refers to the company's cyber-espionage operations as "Caramel Tsunami/SOURGUM", while Kaspersky refers to them as "SandCat".[5][6]

Candiru (Saito Tech Ltd.)
Formerly: Candiru Ltd (2014)
Company type: Private
Industry: Surveillance technology, cyber espionage
Founded: 2014
Founders: Eran Shorer, Yaakov Weizman
Headquarters: Tel Aviv, Israel
Key people: Isaac Zack (Chairman), Eitan Achlow (CEO)
Products: Sherlock (software exploit), DevilsTongue (spyware)
Owners: Isaac Zach, Eran Shorer, Yaakov Weizman

Their products exploit zero-day vulnerabilities in a variety of operating systems and web browsers to deploy a persistent spyware implant (dubbed "DevilsTongue" by Microsoft) that remotely controls the victim's device.[5] Their products are also reportedly capable of compromising Mac, Android, and iPhone devices. Victims are often socially engineered into visiting malicious websites which install spyware via a chain of exploits. Their business model resembles that of a managed service provider for cyber-espionage, providing exploits, tools and infrastructure to government clients.[7][4][8][9]

It has minimal public presence, requiring employees to sign non-disclosure agreements and follow strict operational security practices to conceal their source of employment.[4] Its corporate name has changed multiple times from 2014 to 2020.[8]

Like many Israeli technology companies,[10] it recruits heavily from Unit 8200, which handles signals intelligence and cyberwarfare for the Israeli military.[2] Its name and logo reference the parasitic fish candiru, which has the (likely apocryphal) ability to implant itself in the human urethra.[2][8]

Corporate history
Candiru was founded in 2014 by Eran Shorer and Yaakov Weizman.[4][8] Early NSO Group investor Isaac Zach serves as its chairman.[4] Those three have a controlling interest in the company. It reportedly received investment from "Founders Group", an angel investment syndicate operated by NSO Group co-founders Omri Lavie and Shalev Hulio.[9] It is reportedly Israel's second-largest cyber-espionage firm after NSO Group.[2][4]

The company has frequently relocated its offices[4] and changed its corporate registration from 2014 to 2020, most recently to "Saito Tech Ltd".[1][8][4][11]

Public court filings[4] pertaining to a lawsuit by a former senior employee indicated that Candiru grew from 12 employees in 2015 to 150 in 2018. By 2016, it had begun closing deals with clients from Europe, the Middle East, Asia, and Latin America. It grossed $10 million in 2016 and $20-$30 million by 2018 with $367 million worth of pending deals with 60 governments. It purportedly uses in-country intermediaries during negotiations. In 2017, Candiru purportedly began development of mobile device spyware. Candiru asked the court to seal documents and hold closed hearings, claiming national security as justification.[4]

In 2019, Candiru was valued at $90 million based on the sale of a 10% stake from venture capitalist Eli Wartman to Israel's Universal Motors.[4] The Qatari sovereign wealth fund has reportedly invested in Candiru.[8][12] In 2020 Candiru incorporated a subsidiary named "Sokoto".[8]

As of 2020, its board comprised the founding team of Eran Shorer and Yaakov Weizman, chairman/investor Isaac Zach, and a representative of Universal Motors Israel. Its 2021 filings listed minority shareholders Universal Motors Israel, ESOP Management and Trust Services (manager of corporate stock programs), and Optas Industry Ltd (a proxy for the Qatari sovereign wealth fund).[8]

Operational history
Vice reported in 2019[7] that Kaspersky Lab had identified Candiru spyware in use by the Uzbekistan State Security Service. The intelligence agency reportedly used Kaspersky antivirus software to test whether the spyware would be detected, and configured an official domain ("itt.uz") for the spyware's network communications. This discovery allowed Kaspersky to identify other intelligence agencies using Candiru spyware, such as those of Saudi Arabia and the United Arab Emirates.[9]

In April 2021, ESET identified an espionage campaign, possibly perpetrated by Saudi Arabian intelligence, which leveraged Candiru spyware to compromise the news outlet Middle East Eye via a watering hole attack. Other targets of this campaign included an Iranian embassy, Italian aerospace companies, and the Syrian and Yemeni governments.[13]

In July 2021, CitizenLab and Microsoft reported[8] widespread usage of Candiru spyware by various government clients to compromise at least 100 worldwide victims across civil society, including politicians, human rights activists, journalists, academics, embassy workers, and dissidents. Spyware control infrastructure was identified in Saudi Arabia, Israel, U.A.E., Hungary, and Indonesia. Highly targeted social engineering tricked victims into visiting malicious websites under the pretext of relevant content.[1][3]

Microsoft's threat intelligence center identified and patched a Windows vulnerability exploited by Candiru spyware[1] in July 2021.[3] Microsoft's analysis of the spyware revealed that, in addition to enabling exfiltration of files, messages, and passwords, the spyware also allows the operator to send messages from logged-in email and social media accounts directly from the target's computer.[8] Additionally, CitizenLab reported that Candiru exploited two vulnerabilities in the Google Chrome browser.[3] Google also linked a Microsoft Office exploit to Candiru.[8]

In November 2021, the United States Commerce Department added both Candiru and NSO Group to its sanctioned entities list for supplying spyware to hostile foreign governments.[14][15]

In April 2022, CitizenLab reported that members of the Catalan independence movement had been infected with Candiru spyware as part of a Spanish government-sanctioned domestic surveillance operation[16] against elected officials and activists. NSO Group's Pegasus spyware was also heavily used in this operation. Investigations by Amnesty International and public protest led to CatalanGate and official acknowledgement by the Spanish government. Victims were sent emails that used social engineering to convince them to visit a malicious URL, which covertly installed spyware via browser and operating system exploits. These emails leveraged credible pretexts such as official health advisories during the COVID-19 pandemic.[17]

Products and services
Candiru purportedly[3] sells exclusively to government law enforcement and intelligence agencies. It appears to act as a "middleman" or "managed service provider", providing delivery mechanisms, remote control infrastructure, spyware tools and software exploits. Clients seem to be responsible for targeting, logistics and operational security.[7] Candiru has reportedly provided exploits for many zero-day vulnerabilities to clients, which the relevant software companies have patched once discovered.[4][8] In at least one case, poor operational security by a client (Uzbek intelligence) resulted in multiple zero-days and network infrastructure being "burned".[7]

The company claims that clients are not allowed to operate within the United States, Israel, Russia, China, and Iran.[4] Researchers, including CitizenLab and Microsoft, have identified Candiru spyware victims in Israel and Iran, and potential victims in Russia.[1][8]

Leaked documents and contracts show that Candiru offers a range of exploit delivery methods, including drive-by exploits, tampering with network data, malicious documents, and physical intrusion. It appears able to develop new tools as needed and has access to exploits for zero-day vulnerabilities. After a device is compromised, a persistent spyware implant (dubbed "DevilsTongue" by Microsoft) is installed to remotely control it.[5] Social media data, browser cookies and messages from SMS, Viber, WhatsApp, and Signal can be captured, as can the device's camera and microphone.[1][2][8]

Services are priced in the tens of millions of dollars based on the number of targeted devices and affected countries. Upsold services include access to additional victim data and full remote control of the device. A multi-million dollar add-on called "Sherlock" (likely a cross-operating-system zero-day web browser exploit) purports to provide access to Windows, Android and iOS devices.[8][3]

References

  1. "Israeli spyware firm linked to fake Black Lives Matter and Amnesty websites – report". The Guardian. 2021-07-15. Retrieved 2021-07-19.
  2. "Top secret Israeli cyberattack firm, revealed". Haaretz. Retrieved 2021-07-19.
  3. "Israel's Candiru sold states spyware to hack journalists and dissidents". Financial Times. 2021-07-15. Archived from the original on 2021-07-15. Retrieved 2021-07-20.
  4. "Cellphone hacking, Gulf deals: Top secret Israeli cyberattack firm revealed". Haaretz. Retrieved 2021-07-19.
  5. Microsoft Threat Intelligence (2021-07-15). "Protecting customers from a private-sector offensive actor using 0-day exploits and DevilsTongue malware". Microsoft Security Blog. Retrieved 2024-09-28.
  6. "Caramel Tsunami" (PDF). www.microsoft.com. Retrieved 2024-09-28.
  7. Zetter, Kim (2019-10-03). "Researchers Say They Uncovered Uzbekistan Hacking Operations Due to Spectacularly Bad OPSEC". VICE. Retrieved 2024-09-28.
  8. Marczak, Bill; Scott-Railton, John; Berdan, Kristin; Razzak, Bahr Abdul; Deibert, Ron (2021-07-15). "Hooking Candiru: Another Mercenary Spyware Vendor Comes into Focus". The Citizen Lab. Retrieved 2021-07-20.
  9. Brewster, Thomas. "Meet Candiru — The Mysterious Mercenaries Hacking Apple And Microsoft PCs For Profit". Forbes. Retrieved 2021-07-19.
  10. Tendler, Idan (2015-03-20). "From The Israeli Army Unit 8200 To Silicon Valley". TechCrunch. Retrieved 2024-09-28.
  11. Marks, Joseph (2021-07-15). "A private Israeli firm has helped governments hack journalists and human rights advocates". The Washington Post. "The firm has maintained a high level of secrecy, including by changing its official corporate name four times during its six years in operation, according to a Citizen Lab report. The firm is now officially named Saito Tech Ltd., though it is still widely known as Candiru, the report states."
  12. "Singapore turns to Israeli cyber spies again". Intelligence Online. 2019-03-04. Archived from the original on 2024-04-15. Retrieved 2024-09-28.
  13. Brewster, Thomas. "Blacklisted Israeli Surveillance Company Linked To Middle Eastern Hacks, Denies Knowing Whom Customers Spy On". Forbes. Retrieved 2022-01-30.
  14. Bing, Christopher (2021-11-03). "U.S. blacklists Israeli hacking tool vendor NSO Group". Reuters. Retrieved 2021-11-04.
  15. Mazzetti, Mark; Bergman, Ronen (2022-07-10). "Defense Firm Said U.S. Spies Backed Its Bid for Pegasus Spyware Maker". The New York Times. ISSN 0362-4331. Retrieved 2022-07-11.
  16. "El CNI admite haber espiado a Aragonès y el entorno de Puigdemont con autorización" ["The CNI admits to having spied on Aragonès and Puigdemont's circle with authorisation"]. ElNacional.cat (in Spanish). 2022-05-05. Retrieved 2024-09-28.
  17. Scott-Railton, John; Campo, Elies; Marczak, Bill; Razzak, Bahr Abdul; Anstis, Siena; Böcü, Gözde; Solimano, Salvatore; Deibert, Ron (2022-04-18). "CatalanGate: Extensive Mercenary Spyware Operation against Catalans Using Pegasus and Candiru". The Citizen Lab. Retrieved 2022-04-26.