Israeli firm accused of selling spyware used to target journalists and dissidents

The firm's spyware infrastructure included websites masquerading as advocacy group, such as Black Lives Matter and Amnesty International

More than 100 journalists, politicians, human rights activists and dissidents in multiple countries were targeted in a spyware campaign that used powerful "cyberweapons" developed by a secretive Israeli firm, researchers from Citizen Lab and Microsoft stated on Wednesday.

In a blog post, Citizen Lab said that Israel-based firm Candiru (which also uses other names) sells spyware exclusively to governments and authoritarian leaders who then use the tools to infect PCs, Macs, iPhones, Androids, and cloud accounts.

The current name of Candiru is Saito Tech Ltd, according to Citizen Lab, and it has some of the same investors as NSO Group.

NSO Group is another Israeli firm that has been accused of providing spyware to repressive governments. NSO denies such claims, saying it sells tools exclusively to governments and law enforcement agencies in fight against terrorism and crime.

Citizen Lab researchers said cyber actors operating in Israel, Saudi Arabia, Indonesia, Hungary, and other countries installed remote spying software on victim machines using a pair of security flaws (CVE-2021-31979 and CVE-2021-33771) in Microsoft's Windows operating system.

Citizen Lab found the bugs after obtaining a hard drive from 'a politically active victim in Western Europe'. It then alerted Microsoft about the flaws, and after detailed analysis, the software firm released patches to address the issues on 13 July in its Patch Tuesday update.

Israeli newspaper Haaretz said in a report that Candiru has clients in Russia, Middle East, Europe, Europe, Asia and Latin America.

Citizen Lab said that Candiru's clients can attempt to breach an unlimited number of devices for €16 million ($18.9 million), although they can actively track only 10 devices at a time. For an extra €1.5 million ($1.8 million), buyers can ask Candiru to monitor an additional 15 victims.

The researchers said that Candiru's spyware infrastructure included websites masquerading as advocacy group, such as Black Lives Matter and Amnesty International.

In a blog post published on Wednesday, Microsoft used the term "Sourgum" to refer to the Irasel-based maker of the espionage toolkit.

The company said that about half of at least 100 people targeted by Sourgum's spyware (code-named DevilsTongue by Microsoft) are in Palestine, while the rest are from Iran, Israel, Singapore, Turkey, Armenia, Lebanon, Yemen, Spain, and the UK.

Once a Windows PC is infiltrated, the spyware can obtain victim's login credentials for online and network accounts, exfiltrate their files, snoop on messages, and more.

"SOURGUM appears to use a chain of browser and Windows exploits, including 0-days, to install malware on victim boxes," Microsoft said.

"Browser exploits appear to be served via single-use URLs sent to targets on messaging applications such as WhatsApp."

Candiru's tools also exploited security flaws in other common software products, including Google's Chrome browser, according to researchers.

On Wednesday, Google disclosed details of two Chrome bugs that were discovered by Citizen Lab and found to be linked to Candiru.

The bugs were patched by Google earlier this year.