Citizen Lab’s report points to Israeli cyber’s lack of morals
Five years ago, when the University of Toronto's Citizen Lab Research Institute published its first report on Israeli company NSO, it transformed a once anonymous organization into one of the most attacked companies in the world. The global attention the cyber-surveillance company received led to a series of lawsuits around the world, including one by Facebook. Activists, lawmakers, and the UN raged against it, calling to limit its steps and forcing it to change its means of action and choice of customers.
A new report released by Citizen Lab last week in collaboration with Microsoft threatens to do the same to another anonymous Israeli company: Candiru. Like NSO, Candiru has so far operated mainly in the shadows. It too developed powerful spyware meant for states and governmental institutions, and it too will now take center stage thanks to the findings that have been uncovered, most notably: Candiru’s software has been used to spy on more than 100 human rights activists, dissidents, journalists and academics from countries such as Iran, Lebanon, Yemen, Britain, Turkey, and even Israel.
"There is a problem with the whole industry"
"I hope people will begin to understand that the issues and damages associated with this type of surveillance do not depend on just one company," Dr. Bill Marczak, a senior research fellow at Citizen Lab and a researcher at the University of California at Berkeley, who led the current study, told Calcalist. “We hear a lot about NSO, and they dominated the headlines. Whenever there is a report of spyware, people think of NSO. But this is a much broader problem. It's not that there are only one or two bad companies in the hacking community, there are problems with the whole industry."
Candiru was founded in 2014 by Yaakov Weizmann and Eran Shorer. The company's chairman, Itzik Zack, is also its largest shareholder. It goes to great lengths to keep its actions under the radar, and it changed its name several times throughout the years. Like many other Israeli actors in the field, Candiru recruits mostly from the IDF’s renowned 8200 intelligence unit but maintains total anonymity online. It does not have a website and its name does not even appear in the LinkedIn profiles of its managers, whose job description only includes "start-up company".
According to a lawsuit filed by a former employee of the company, in its first two years Candiru’s sales reached close to $30 million, and its customers include countries in Europe, the former USSR, the Persian Gulf, Asia and Latin America. Past intelligence and media reports claimed Uzbekistan, Saudi Arabia, the United Arab Emirates, Singapore, and Qatar were part of the company’s client list.
The current report maps, for the first time, the company’s scope of activity and methods, and analyzes how its spyware works. Although it focuses on spyware that has been introduced into Windows-based computers, Candiru says it offers spyware solutions for iPhone and Android too, an area in which it competes directly with NSO.
The researchers identified and mapped 764 IP addresses of sites and servers belonging to Candiru. "We discovered several impersonating human rights organizations or activist organizations’ websites," said Marczak. "For example, a site that looks like an attempt to impersonate Amnesty, websites impersonating media sites such as CNN, sites impersonating known tech companies, as well as international organizations such as the website of the UN Secretary General's Special Envoy to Yemen.” Other sites had URLs with academic characteristics, which may indicate that academics were among the targets. Citizen Lab also identified domains that impersonate those of local news sites or offices in countries such as Russia, Indonesia, Iran, Turkey, Cyprus, Austria, the Palestinian Authority, and Saudi Arabia. The scans revealed information that Candiru’s customers are active in Saudi Arabia, the United Arab Emirates, Hungary, and Indonesia. "There are probably more customers, these are just the ones we found," Marczak said.
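The defender-side counterpart to the infrastructure mapping described above is a triage check that flags newly observed hostnames resembling organisations an operator might impersonate, so they can be reviewed before anyone in the organisation clicks them. The following is an added Python example and is not code from Citizen Lab, Microsoft or the report: the brand list (taken from the two names the article mentions, Amnesty and CNN), the allowlist, the homoglyph map, the similarity threshold and the `.example` sample hostnames are all constructed for illustration, not indicators from the report.

```python
"""Lookalike-domain triage: flag hostnames that resemble protected organisations.

Added illustration (not code from Citizen Lab, Microsoft or the report). The
brand list, allowlist, homoglyph map, threshold and sample hostnames are
constructed for this example.
"""
import unicodedata
from difflib import SequenceMatcher

# Organisations whose names the article says were impersonated; the list is
# this example's assumption, not data from the report.
PROTECTED_BRANDS = ["amnesty", "cnn"]

# Registrable domains genuinely operated by those organisations (constructed
# allowlist; in practice it would come from the organisations themselves).
ALLOWLIST = {"amnesty.org", "cnn.com"}

# Characters commonly substituted for letters in lookalike labels (assumed map).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a"})

SIMILARITY_THRESHOLD = 0.8   # assumed cut-off for the near-miss heuristic
MIN_BRAND_LEN_FOR_FUZZY = 5  # fuzzy matching on very short names produces noise

# Constructed sample hostnames for the demo (the .example TLD is reserved).
SAMPLE_HOSTNAMES = [
    "www.amnesty.org",          # legitimate, allowlisted
    "amnesty-reports.example",  # brand embedded in a label
    "amnnesty.example",         # one-letter typo of the brand
    "amne5ty.example",          # digit homoglyph for a letter
    "cnn-live-news.example",    # brand embedded in a label
    "news.cnn.com",             # legitimate subdomain of an allowlisted domain
    "weather.example",          # unrelated
]


def normalize(hostname):
    """Lowercase, fold Unicode compatibility forms, drop www., map homoglyphs."""
    host = unicodedata.normalize("NFKC", hostname).lower().strip(".")
    if host.startswith("www."):
        host = host[4:]
    return host.translate(HOMOGLYPHS)


def registrable_domain(host):
    """Naive eTLD+1 (last two labels). Adequate for the constructed samples;
    a production tool should consult the Public Suffix List instead."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def classify(hostname, brands=PROTECTED_BRANDS, allowlist=ALLOWLIST):
    """Return (brand, reason) when hostname looks like an impersonation, else None."""
    host = normalize(hostname)
    if registrable_domain(host) in allowlist:
        return None  # the organisation's own domain or a subdomain of it
    labels = host.split(".")[:-1]  # the TLD itself is never a brand label
    for label in labels:
        compact = label.replace("-", "").replace("_", "")
        for brand in brands:
            if brand == compact:
                return (brand, "brand name used as a label")
            if brand in compact:
                return (brand, "brand name embedded in label")
            if (len(brand) >= MIN_BRAND_LEN_FOR_FUZZY
                    and SequenceMatcher(None, brand, compact).ratio() >= SIMILARITY_THRESHOLD):
                return (brand, "label is a near-miss of brand name")
    return None


def scan(hostnames, brands=PROTECTED_BRANDS, allowlist=ALLOWLIST):
    """Map each flagged hostname to its finding; clean hostnames are omitted."""
    findings = {}
    for hostname in hostnames:
        hit = classify(hostname, brands, allowlist)
        if hit:
            findings[hostname] = hit
    return findings


if __name__ == "__main__":
    for hostname, (brand, reason) in scan(SAMPLE_HOSTNAMES).items():
        print(f"{hostname}: resembles '{brand}' ({reason})")
```

The order of checks matters: the allowlist is consulted on the registrable domain before any heuristic runs, so a legitimate subdomain such as `news.cnn.com` is never flagged, while the fuzzy comparison is restricted to longer brand names because three-letter names like `cnn` would otherwise match almost any short label.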
Sends messages on behalf of the victim
A major achievement of the study was locating a copy of Candiru’s spyware and analyzing it. "We found a victim's computer that was linked to some of the sites we mapped," Marczak said. "We were able to perform a forensic analysis of the computer and take out a copy of the spyware, which communicated with these sites. We analyzed the spyware and studied how it works."
Among other things, Citizen Lab identified that the spyware remains on the computer even after rebooting or installing software updates. It can detect and copy passwords and cookies from browsers and allows its operator to send messages from people's active accounts on their computers. "If I'm connected to a Facebook, Gmail, or similar account on my computer, then the spyware operator can use my computer to send a message in my name directly from my Gmail or Facebook account to someone else. This is an interesting feature we have not seen in other spyware, the ability to impersonate the target by using their account directly from the infected computer.”
Citizen Lab shared a copy of the spyware with Microsoft, and an analysis by the technology giant revealed more than 100 spyware victims around the world, including politicians, human rights activists, journalists, academics, embassy staff, and political dissidents. According to the company, about half the victims were from the Palestinian Authority, and most of the rest were from Israel, Iran, Lebanon, Yemen, Spain, Britain, Turkey, Armenia, and Singapore. Microsoft emphasizes that the identification of victims' nationality does not prove a country’s intelligence agency is a Candiru client because of how common international espionage is. “The Microsoft Threat Intelligence Center (MSTIC) and Microsoft Security Response Center (MSRC) spent weeks examining the malware, documenting how it works, and building protections that can detect and neutralize it,” wrote General Manager of Microsoft’s Digital Security Unit, Cristin Goodwin, in a post published by the company last week. "We named the malware Devil’s Tongue.”
According to Goodwin, Microsoft’s cooperation with Citizen Lab is part of a broader legal, technological, and policy effort that the company is leading to address the danger of companies creating and distributing cyber weapons. "These companies increase the risk that weapons fall into the wrong hands and threaten human rights. That’s why, for example, we filed an amicus brief in a legal case brought by WhatsApp against another PSOA called NSO Group."
The report sharply criticized Israel’s Ministry of Defense, which must approve the exports that Candiru and similar companies make to other countries. "Unfortunately, Israel’s Ministry of Defense has so far proven itself unwilling to subject surveillance companies to the type of rigorous scrutiny that would be required to prevent abuses of the sort we and other organizations have identified,” the report reads. “The export licensing process in that country is almost entirely opaque, lacking even the most basic measures of public accountability or transparency.”
Marczak told Calcalist that he hopes the new report will push for a change in the situation: "The solutions must be broader than one specific company’s scope. There has to be a bigger solution, it's not that NSO publishes a human rights policy and everything is fine. There is a need for regulation for the entire industry, which will focus on human rights and the prevention of export of these tools to oppressive regimes that will use them to spy on journalists and activists."
And what do you think will actually happen?
"Similar to what we saw with NSO and other companies we reported on, I estimate the company will say ‘we cannot talk about how our tools are used, but they are designed to fight terrorism and crime, and we can tell you that they prevented terrorist attacks.’ They say such things to improve their image, without dealing with the real concerns. They will try to come out of the shadows and do some public relations work to make the company look good without dealing with the issues around their spyware."
Candiru refused to comment on the report