Israeli spyware firm linked to watering hole attacks on Middle East, UK websites


The US placed Candiru on a trade blacklist earlier this month, along with fellow Israeli spyware firm NSO Group

Researchers at ESET have spotted a new cyber campaign that saw Tel Aviv-based Candiru's spyware used to target websites and services in several Middle Eastern countries, including Saudi Arabia and Iran.

Candiru sells spyware to government agencies, much like NSO Group, and like NSO it was placed on a US trade blacklist earlier this month, along with a Russian firm and a business in Singapore.

The new offensive uses 'watering hole' attacks, in which attackers embed malicious code on legitimate websites that their intended targets are likely to visit.

When a visitor lands on the compromised website, the injected code attempts to infect their machine, enabling the attackers to spy on them or cause harm in various other ways.
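The injected JavaScript that ESET found on the Iranian embassy site is the kind of change a site owner can catch by comparing each page against a known-good baseline of its script includes. The following is an added, defender-side example written for this article; it is not ESET's tooling nor code from the original report. The HTML, hostnames and baseline below are constructed placeholders, and the comparison looks only at two signals that script injection typically changes: the set of external hosts scripts are loaded from, and the hashes of inline script bodies.

```python
"""Integrity check for a page's <script> includes (constructed example).

Given a page's HTML and a baseline captured from a known-good copy, report
any external script host or inline script body that is not in the baseline.
A watering hole compromise usually shows up as exactly that: a new <script
src="..."> pointing at a host the site never used, or a new inline block.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from HTML."""

    def __init__(self):
        super().__init__()
        self.external = []      # values of src= on <script> tags
        self.inline = []        # bodies of <script> tags without src
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline = True
            self._buf = []

    def handle_data(self, data):
        # HTMLParser delivers <script> contents as data, possibly in chunks.
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_inline:
            self._in_inline = False
            self.inline.append("".join(self._buf).strip())


def _collect(html):
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser


def _sha256(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def _host_of(src):
    # Absolute and protocol-relative URLs have a netloc; site-relative paths
    # ("/js/app.js") do not and are treated as same-origin.
    return urlparse(src).netloc.lower()


def build_baseline(html):
    """Return (allowed_hosts, known_inline_hashes) from a known-good page."""
    p = _collect(html)
    hosts = {h for h in (_host_of(s) for s in p.external) if h}
    hashes = {_sha256(body) for body in p.inline}
    return hosts, hashes


def audit_scripts(html, allowed_hosts, known_inline_hashes):
    """Return (unexpected_hosts, unexpected_inline_hashes) for a crawled page."""
    p = _collect(html)
    unexpected_hosts = []
    for src in p.external:
        host = _host_of(src)
        if host and host not in allowed_hosts and host not in unexpected_hosts:
            unexpected_hosts.append(host)
    unexpected_inline = []
    for body in p.inline:
        digest = _sha256(body)
        if digest not in known_inline_hashes and digest not in unexpected_inline:
            unexpected_inline.append(digest)
    return unexpected_hosts, unexpected_inline


# Constructed sample pages. The hostnames are placeholders, not real sites.
CLEAN_PAGE = """<html><head>
<script src="https://cdn.example-news.test/lib/jquery.js"></script>
<script>window.siteConfig = {lang: "en"};</script>
</head><body><p>Article text</p></body></html>"""

# The same page with one extra external include and one extra inline block,
# the shape of change a watering hole compromise produces.
TAMPERED_PAGE = CLEAN_PAGE.replace(
    "</head>",
    '<script src="https://stats.unknown-host.test/t.js"></script>\n'
    "<script>window.__t = Date.now();</script>\n</head>",
)


if __name__ == "__main__":
    hosts, hashes = build_baseline(CLEAN_PAGE)
    for name, page in (("clean", CLEAN_PAGE), ("tampered", TAMPERED_PAGE)):
        bad_hosts, bad_inline = audit_scripts(page, hosts, hashes)
        print(name, "unexpected hosts:", bad_hosts, "unexpected inline:", bad_inline)
```

In practice the baseline would be captured from a trusted deployment (or generated from the site's build), the audit would run against periodic crawls of the live site, and any hit would be treated as a possible compromise rather than auto-remediated, since legitimate deployments also change scripts. A Content-Security-Policy that enumerates allowed script hosts complements this check by refusing to run an injected include in visitors' browsers even before monitoring notices it.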

According to ESET, the websites targeted included London-based news website Middle East Eye, as well as Yemeni media outlets like Almasirah, which is linked to the Houthi rebels fighting the Saudis.

The attackers also targeted websites belonging to the Iranian foreign ministry, Yemen's finance and interior ministries, and Syria's electricity ministry, along with internet service providers in Syria and Yemen.

Other targets included sites operated by Italian company Piaggio Aerospace, the pro-Iranian militant group Hezbollah, and The Saudi Reality, a dissident media outlet in Saudi Arabia.

According to researchers, the cyber actors also created a website that mimicked a medical trade fair in Germany.

ESET believes that selected visitors to these sites were likely attacked via a browser exploit, although the researchers were not able to obtain an exploit or the final payload.

ESET researcher Matthieu Faou, who uncovered the cyber campaign, said: "On July 11, 2020, our system notified us that the website of the Iranian embassy in Abu Dhabi had been tainted with malicious JavaScript code. Our curiosity was aroused by the high-profile nature of the targeted website, and in the following weeks we noticed that other websites with connections to the Middle East were also targeted."

The researchers have not seen any activity from this operation since the end of July 2021, shortly after Google, Citizen Lab and Microsoft published blog posts detailing Candiru's activities, and around the same time that NSO Group became international news.

"The operators appear to be taking a pause, probably in order to retool and make their campaign stealthier," Faou added.

There is little information available about Candiru, which has undergone several name changes since 2014 when it came into existence. It is currently known as Saito Tech Ltd., and shares some investors with NSO Group.

In July, researchers from Citizen Lab and Microsoft said more than 100 journalists, politicians, human rights activists and dissidents in multiple countries were targeted in a spyware campaign that used powerful 'cyberweapons' developed by Candiru.

Citizen Lab claimed that Candiru sells spyware exclusively to governments and authoritarian leaders, who then use the tools to infect PCs, Macs, smartphones and cloud accounts.

It added that Candiru's clients can attempt to breach an unlimited number of devices for €16 million (£13.4 million), although they can actively track only 10 devices at a time.

For an extra €1.5 million (about £1.25 million), buyers can ask Candiru to monitor an additional 15 victims.