Israel's Candiru hacking tools used against Middle East and U.K. sites
Israeli surveillance companies are under fire for providing
tools to repressive regimes. Now, one of four spyware and cyber businesses
blacklisted by the U.S. says it is legally obliged to remain in the dark about
its customers’ activities, after researchers link it to attacks on swaths of
websites in what are feared to be attempted hacks of government officials,
journalists and dissidents.
In April last year, as many as 20 organizations—including an
Iranian embassy, an Italian aerospace company, as well as Syrian and Yemeni
government entities—were targeted by a group of hackers that cybersecurity
experts have linked to an Israeli surveillance company recently blacklisted by
the U.S. Department of Commerce.
One of the targets, London-based publication Middle East
Eye, had its website hacked for two days. In that time, it became what’s known
as a “watering hole,” where certain selected visitors were silently served with
malicious code, potentially leading to attacks on their PCs or smartphones,
according to research published by cybersecurity company ESET on Thursday.
Eset is “very confident” that the hackers behind the hits
had tried to install a tool developed by Israel-based Candiru on victims’
Apple Mac and Microsoft Windows computers via the website breaches, even though
they never saw it happening.
Eset researcher Matthieu Faou told Forbes that he had made a
number of links between the website breaches and a Candiru customer. Previous
research from Citizen Lab, a research organization based at the University of
Toronto, had highlighted a number of servers and websites believed to be
operated by Candiru. Very similar websites were used to load malicious code on
those hacked websites. The ways in which the sites were registered, and their
attempts to mimic legitimate Web analytics services, also bore hallmarks of how
Candiru operated, Faou said.
“We also got external confirmation that in one case, one of
the watering hole domains redirected to a Candiru server,” he added, believing
it provided more validation of the links.
Faou said that he did not uncover the identities of targets.
“But based on the list of websites, we can imagine that they're dissidents,
journalists, maybe officers from government, such as Iran, Syria,” he added.
Middle East Eye said it was considering legal action against
entities allegedly responsible for the hack. “Middle East Eye is no stranger to
such attempts to take our website down by state and nonstate actors.
Substantial sums of money have been spent trying to take us out,” said
editor-in-chief David Hearst. “Once again this episode belies attempts by
producers of this software to distance themselves from their client users. It
underscores the need to identify and sanction the companies who produce
software of this nature. Because their products are potentially a threat to
every internet user, irrespective of geography, nationality or belief.”
With a London-based entity on the target list, attention is
now turning to whether or not there will be any regulatory action in the U.K.,
following the U.S. Commerce blacklisting. “If the U.K. government doesn’t take
a clear and strong stand against mercenary hackers, U.K. citizens and
institutions are going to keep finding themselves in the firing line,” said
Bill Marczak, a researcher at Citizen Lab.
Though Faou would not go further than to say he had
medium-to-high confidence in the links to Candiru, two other independent
researchers who have long tracked the surveillance business and its customers
said Eset’s research appeared to be accurate.
Candiru responds
But a Candiru spokesperson told Forbes the company never
carries out attacks for customers and is not permitted to know how clients use
its tools or whom they target. The executive added that it was heavily
regulated by the Israeli military regarding to whom it could export and how.
“The product of the company is intended to help law enforcement agencies fight
terror and crime at a time when all unlawful activities are encrypted, hiding
from the law,” the executive added. “The company is selling its products to
government agencies only . . . the company and its product don’t hack
websites.”
As for the identity of the alleged Candiru customer hacking
all those websites, though Citizen Lab’s research pointed to a Saudi
Arabia-based cyberespionage group, the ties are not definitive and Eset
declined to comment on attribution to a nation-state.
Candiru was one of four companies to be placed on the
Commerce-regulated entity list earlier this month, alongside rival Israeli
spyware company NSO Group, Russian cybersecurity company Positive Technologies
and Singapore-based developer of offensive cyber tools Coseinc. The Commerce
Department alleged they posed unspecified threats to U.S. national security
interests.
Forbes previously reported on links between the NSO Group
and Candiru, as sources said the main Candiru financial backer was Founders
Group. That company was cofounded by Omri Lavie, one of the three men who set
up NSO.
Both businesses could be hit hard by the Commerce
blacklisting. It prevents them from buying U.S. technologies, which could
include the Androids, iPhones, Macs and Windows PCs they specialize in hacking,
not to mention American servers from giants like Amazon and Google.