Mysterious Israeli Spyware Vendor’s Windows Zero-Days Caught in the Wild

Government hackers from several countries used spyware made by an Israeli company to target victims all over the world, according to new research by digital rights watchdog Citizen Lab and Microsoft. The spyware leveraged two unknown vulnerabilities—also known as zero-day exploits—in Windows. 

Citizen Lab, which is housed at the University of Toronto's Munk School, and Microsoft worked together on the research, and published reports detailing their findings on Thursday. The company said it detected hacking attempts on more than 100 victims including "politicians, human rights activists, journalists, academics, embassy workers, and political dissidents" in Palestine, Israel, Iran, Lebanon, Spain, UK, and other countries. Citizen Lab said it was able to identify and reach out to a victim who let its researchers analyze their computer and extract the malware.

“This was someone who was targeted for their political positions and political beliefs, rather than someone who was the target of a terrorism investigation or something like this,” Bill Marczak, one of the researchers at Citizen Lab who worked on the investigations, told Motherboard in a phone call.

Citizen Lab concluded that the malware and the zero-days were developed by Candiru, a mysterious Israel-based spyware vendor that offers “high-end cyber intelligence platform dedicated to infiltrate PC computers, networks, mobile handsets," according to a document seen by Haaretz. Candiru was first outed by the Israeli newspaper in 2019, and has since gotten some attention from cybersecurity companies such as Kaspersky Lab. 

But, until now, no one had published an analysis of Candiru's malware, nor found someone targeted with its spyware.

“They seem to have successfully flown below the radar for quite some time,” Marczak said. 

These discoveries highlight once more the dangers of a loosely regulated global market for government spyware. In the last ten years, security researchers have uncovered dozens of cases where governments around the world, such as Mexico, Saudi Arabia, the United Arab Emirates, and Ethiopia, have used powerful malware sold by European or Israel based vendors—such as Hacking Team, NSO Group, and FinFisher—to target dissidents, human rights activists, and journalists. 

"A world where private sector companies manufacture and sell cyberweapons is more dangerous for consumers, businesses of all sizes, and governments," Microsoft's general manager for the digital security unit Cristin Goodwin wrote in a blog post. 

Candiru did not immediately respond to a request for comment sent to a series of email addresses that belong to the company.

The first step that allowed Marczak to track Candiru down was to simply search for the word "Candiru" on Censys, a service that scans the internet. That led him to find an encryption certificate that included an "@candirusecurity.com" email address, which led to a domain registered to another company email address and a phone number listed on a global companies' database as belonging to Candiru. 

Then, Marczak and his colleagues developed fingerprints to scan the internet, which led them to find more than 750 domains linked to Candiru, some of them registered with names related to human rights NGOs like Amnesty International, or social movements like Black Lives Matter, according to Citizen Lab's report. While Citizen Lab admits it doesn't have the context around how these domains were used, researchers wrote that "their mere presence as part of Candiru’s infrastructure—in light of widespread harms against civil society associated with the global spyware industry—is highly concerning and an area that merits further investigation."

According to Citizen Lab's analysis, Candiru's Windows spyware can exfiltrate files from the victim's computer, export all messages from Windows' version of Signal, steal cookies and passwords from all major browsers.

Marczak said he and Citizen Lab researchers found Candiru systems operated from the UAE and Saudi Arabia, suggesting these are two of the companies' government customers. 

"I think it drives home the point that it's not just the case that there's maybe the one bad apple of NSO in the Israeli cyber industry," Marczak said, referring to the government's process to approve exports of spyware to other countries. "It's part of a more systemic issue with the regulation of the industry, and specifically with the Israeli Ministry of Defense, if they now have multiple, different spyware companies that are selling to these really dodgy governments."

Microsoft patched the two zero-days on Tuesday. 

"The protections we issued this week will both prevent Sourgum’s tools from working on computers that are already infected," Microsoft wrote in its blog post, using its codename for the malware provider that Citizen Lab identified as Candiru, "and prevent new infections on updated computers and those running Microsoft Defender Antivirus as well as those using Microsoft Defender for Endpoint." 

Subscribe to our cybersecurity podcast CYBER, here.