Candiru has likely sold spying tools to governments in the Middle East and Asia, according to the cybersecurity research group Citizen Lab, which identified people targeted by Candiru’s malicious software and helped Microsoft compile its report. Those governments then use the spying tools independently.
The report comes amid roiling concern about the proliferation of cyberweapons once limited to a handful of nations that are now becoming far more widespread. In addition to helping authoritarian regimes spy on dissidents and adversaries, that growth has enabled a wave of criminal hacks, including ransomware campaigns that have disrupted U.S. oil supplies and meat production.
The Biden administration has moved aggressively to confront the ransomware epidemic, including threatening Russian President Vladimir Putin with severe consequences if he doesn’t crack down on criminal groups operating on Russian territory. But the United States has been far less aggressive about the proliferation of spyware.
Microsoft is part of a chorus of large tech firms that are increasingly criticizing the spyware industry and calling on governments to regulate their products through export bans and other measures. As part of its investigation, Microsoft patched major bugs that Candiru used to spy on its users.
“A world where private sector companies manufacture and sell cyberweapons is more dangerous for consumers, businesses of all sizes and governments,” Cristin Goodwin, general manager of Microsoft’s Digital Security Unit, said in a blog post.
Citizen Lab researchers identified targets of Candiru’s spyware across the globe, suggesting governments are using the tool to target and silence citizens and critics living outside their borders. The group, which is based at the University of Toronto’s Munk School, found victims in Israel and the Palestinian territories, Iran, Lebanon, Yemen, Spain, the United Kingdom, Turkey, Armenia and Singapore.
“Every time we find one of these companies, it’s only a matter of time before we find abuses associated with them,” John Scott-Railton, a senior researcher at Citizen Lab, said. “We cannot allow authoritarian regimes to export self-censorship around the world, and that’s exactly what companies like Candiru are allowing them to do.”
The full capabilities of Candiru’s spying tools aren’t clear, but they probably allow users to intercept victims’ communications, steal their data, track their location and spy through microphones and cameras, Scott-Railton said. The tools were effective against both Windows and Mac computers, as well as iPhone and Android smartphones.
The researchers also found phony websites masquerading as international media, human rights organizations and other legitimate groups that were used to deliver Candiru spyware. Among them were phony sites that appeared to be affiliated with the Black Lives Matter movement and sites related to gender equality.
Spyware firms have effectively leveled the playing field for countries that wish to spy on dissidents and government critics but lack the technical resources to develop their own spying tools.
Human rights advocates have accused such firms of running roughshod over civil liberties and enabling harassment and oppression of government opponents, though the firms say they only aid legitimate law enforcement and intelligence operations.
Candiru did not respond to emails seeking comment. A phone call to a company number was not answered.
The most significant tech response came in 2019, when WhatsApp sued the most prominent spyware company, another Israeli firm called NSO, in U.S. federal court. The Facebook affiliate claimed NSO acted illegally by helping governments hack hundreds of its customers, including journalists, human rights workers and women who had been targeted with online attacks.
Microsoft filed a brief supporting WhatsApp’s position in that case, which is still working its way through the legal system. An NSO surveillance tool was also implicated in spying on Washington Post contributing writer Jamal Khashoggi before he was killed by people affiliated with Saudi Arabia’s security services in 2018.
Far less is known about Candiru’s activities. The firm has maintained a high level of secrecy, including by changing its official corporate name four times during its six years in operation, according to a Citizen Lab report. The firm is now officially named Saito Tech Ltd., though it is still widely known as Candiru, the report states.
“Candiru has tried to remain in the shadows ever since its founding but there is no space in the shadows for companies that facilitate authoritarianism,” Bill Marczak, a senior fellow at Citizen Lab, said.
Microsoft is referring to Candiru’s activities under the name Sourgum, part of a naming convention it has developed to describe nongovernment hacking groups using the names of trees and shrubs. The company has a separate naming convention for hacking groups linked with national governments based on elements on the periodic table.