Formerly | Candiru Ltd (2014) |
---|---|
Company type | Private |
Industry | Surveillance technology, Cyber espionage |
Founded | 2014 |
Founders | Eran Shorer, Yaakov Weizman |
Headquarters | , Israel |
Key people | Isaac Zack (Chairman), Eitan Achlow (CEO) |
Products | Sherlock (software exploit) DevilsTongue (spyware) |
Owner | Isaac Zach, Eran Shorer,Yaakov Weizman |
Candiru is a private Tel Aviv-based company founded in 2014 which provides spyware and cyber-espionage [1] [2] services to government clients. [3] Its management and investors overlap significantly with that of NSO Group. [4] Its operations began being uncovered in 2019 by researchers at CitizenLab, Kaspersky, ESET (among others). Microsoft refers to the company's cyber-espionage operations as "Caramel Tsunami/SOURGUM" while Kaspersky refers to it as "SandCat" [5] [6]
Their products exploit zero-days vulnerabilities in a variety of operating systems and web browsers to deploy persistent spyware implant (dubbed "DevilsTongue" by Microsoft) to remotely control the victim's device. [5] Their products are also reportedly capable of compromising Mac, Android, and iPhone devices. Victims are often social engineered into visiting malicious websites which install spyware via a chain of exploits. Their business model is similar to a managed service provider for cyber-espionage, providing exploits, tools and infrastructure for government clients. [7] [4] [8] [9]
It has minimal public presence, requiring employees to sign non-disclosure agreements and follow strict operational security practices to conceal their source of employment. [4] Its corporate name has changed multiple times from 2014 to 2020. [8]
As does many Israeli technology companies [10] it recruits heavily from Unit 8200, which handles signals intelligence and cyberwarfare for the Israeli military. [2] Its name and logo references the parasitic fish candiru which has the (likely apocryphal) ability to implant in the human urethra. [2] [8]
Candiru was founded in 2014 by Eran Shorer and Yaakov Weizman. [4] [8] Early NSO Group investor Isaac Zach serves as its chairman. [4] Those three have a controlling interest in the company. It reportedly received investment from "Founders Group", an angel investment syndicate operated by NSO Group co-founders Omri Lavie and Shalev Hulio. [9] It is reportedly Israel's second-largest cyber-espionage firm after NSO Group. [2] [4]
The company has frequently relocated its offices [4] and changed its corporate registration from 2014 to 2020, most recently to "Saito Tech Ltd". [1] [8] [4] [11]
Public court filings [4] pertaining to a lawsuit by a former senior employee indicated that Candiru grew from 12 employees in 2015 to 150 in 2018. By 2016, it had begun closing deals with clients from Europe, the Middle East, Asia, and Latin America. It grossed $10 million in 2016 and $20-$30 million by 2018 with $367 million worth of pending deals with 60 governments. It purportedly uses in-country intermediaries during negotiations. In 2017, Candiru purportedly began development of mobile device spyware. Candiru asked the court to seal documents and hold closed hearings, claiming national security as justification. [4]
In 2019, Candiru was valued at $90 million based on the sale of a 10% stake from venture capitalist Eli Wartman to Israel's Universal Motors. [4] The Qatari sovereign wealth fund has reportedly invested in Candiru. [8] [12] In 2020 Candiru incorporated a subsidiary named "Sokoto". [8]
As of 2020, its board comprised founding team Eran Shorer, Yaakov Weitzman, chairman/investor Isaac Zach, and a representative of Universal Motors Israel. Its 2021 filings listed minority shareholders Universal Motors Israel, ESOP Management and Trust Services (manager of corporate stock programs), and Optas Industry Ltd (a proxy for the Qatari sovereign wealth fund). [8]
Vice reported in 2019 [7] that Kaspersky Lab had identified Candiru spyware in use by the Uzbekistan State Security Service. The intelligence agency reportedly used Kaspersky antivirus software to test whether the spyware would be detected and configured an official domain ("itt.uz") for the spyware's network communications. This discovery allowed Kaspersky to identify other intelligence agencies using Candiru spyware such as Saudi Arabia and United Arab Emirates. [9]
In April 2021 ESET identified an espionage campaign, possibly perpetrated by Saudi Arabian intelligence, which leveraged Candiru spyware to compromise news outlet Middle East Eye via a watering hole attack. Other targets of this campaign included an Iranian embassy, Italian aerospace companies, and the Syrian and Yemeni government. [13]
In July 2021, CitizenLab and Microsoft reported [8] widespread usage of Candiru spyware by various government clients to compromise at least 100 worldwide victims across civil society, including politicians, human rights activists, journalists, academics, embassy workers, and dissidents. Spyware control infrastructure was identified in Saudi Arabia, Israel, U.A.E., Hungary, and Indonesia. Highly targeted social engineering tricked victims into visiting malicious websites under the pretext of relevant content. [1] [3]
Microsoft's threat intelligence center identified and patched a Windows vulnerability exploited by Candiru spyware [1] in July 2021. [3] Microsoft's analysis of the spyware revealed that in addition to enabling exfiltration of files, messages, and passwords, the spyware also enables the operator to send messages from logged in email and social media accounts directly from the target's computer. [8] Additionally, CitizenLab reported that Candiru exploited two vulnerabilities in the browser Google Chrome. [3] Google also linked a Microsoft Office exploit to Candiru. [8]
In November 2021, the United States Commerce Department added both Candiru and NSO Group to its sanctioned entities list for supplying spyware to hostile foreign governments. [14] [15]
In April 2022, CitizenLab reported that members of the Catalan independence movement were infected with Candiru spyware as part of a Spanish government sanctioned domestic surveillance operation [16] against elected officials and activists. NSO Group's Pegasus spyware was also heavily used in this operation. Investigations by Amnesty International and public protest led to CatalanGate and official acknowledgement by the Spanish government. Victims were sent emails leveraging social engineering to convince them to visit a malicious URL, which covertly installed spyware via browser and operating system exploits. These emails leveraged credible pretexts such as official health advisories during the COVID epidemic. [17]
Candiru purportedly [3] sells exclusively to government law enforcement agencies and intelligence agencies. It appears to act as "middleman" or "managed service provider", providing delivery mechanisms, remote control infrastructure, spyware tools and software exploits. Clients seems to be responsible for targeting, logistics and the operational security. [7] Candiru has reportedly provided exploits for many zero-day vulnerabilities to clients, which have been patched by the relevant software companies after they are discovered. [4] [8] In at least one case, poor operational security by a client (Ubeki intelligence) resulted in multiple zero-days and network infrastructure being "burned". [7]
The company claims that clients are not allowed within the United States, Israel, Russia, China, and Iran. [4] Researchers, including CitizenLab and Microsoft have identified Candiru spyware victims in Israel and Iran, and potential victims in Russia. [1] [8]
Leaked documents and contracts show that Candiru offers a range of exploit delivery methods, including drive-by exploits, tampering with network data, malicious documents, and physical intrusion. It appears to be able to develop new tools as needed and has access to exploits for zero-day vulnerabilities. After compromising the device, a persistent spyware implant (dubbed "DevilsTongue" by Microsoft) is installed to remotely control the victim's device. [5] Social media data, browser cookies and messages from SMS, Viber, WhatsApp, and Signal can be captured. The device's camera/microphone can be captured as well. [1] [2] [8]
Services are priced in the tens of millions of dollars based on number of targeted devices and affected countries. Upsold services include access to additional victim data and full remote control of the device. A multi-million dollar add-on called "Sherlock" (likely a cross-operating-system zero-day web browser exploit) purports to provide access on Windows, Android and iOS devices. [8] [3]
An exploit is a method or piece of code that takes advantage of vulnerabilities in software, applications, networks, operating systems, or hardware, typically for malicious purposes. The term "exploit" derives from the English verb "to exploit," meaning "to use something to one’s own advantage." Exploits are designed to identify flaws, bypass security measures, gain unauthorized access to systems, take control of systems, install malware, or steal sensitive data. While an exploit by itself may not be a malware, it serves as a vehicle for delivering malicious software by breaching security controls.
Spyware is any malware that aims to gather information about a person or organization and send it to another entity in a way that harms the user by violating their privacy, endangering their device's security, or other means. This behavior may be present in other malware and in legitimate software. Websites may engage in spyware behaviors like web tracking. Hardware devices may also be affected.
The Citizen Lab is an interdisciplinary laboratory based at the Munk School of Global Affairs at the University of Toronto, Canada. It was founded by Ronald Deibert in 2001. The laboratory studies information controls that impact the openness and security of the Internet and that pose threats to human rights. The organization uses a "mixed methods" approach which combines computer-generated interrogation, data mining, and analysis with intensive field research, qualitative social science, and legal and policy analysis methods. The organization has played a major role in providing technical support to journalists investigating the use of NSO Group's Pegasus spyware on journalists, politicians and human rights advocates.
Watering hole is a computer attack strategy in which an attacker guesses or observes which websites an organization often uses and infects one or more of them with malware. Eventually, some member of the targeted group will become infected. Hacks looking for specific information may only attack users coming from a specific IP address. This also makes the hacks harder to detect and research. The name is derived from predators in the natural world, who wait for an opportunity to attack their prey near watering holes.
Kaspersky Lab is a Russian multinational cybersecurity and anti-virus provider headquartered in Moscow, Russia, and operated by a holding company in the United Kingdom. It was founded in 1997 by Eugene Kaspersky, Natalya Kaspersky and Alexey De-Monderik. Kaspersky Lab develops and sells antivirus, internet security, password management, endpoint security, and other cybersecurity products and services.
Cyber spying, cyber espionage, or cyber-collection is the act or practice of obtaining secrets and information without the permission and knowledge of the holder of the information using methods on the Internet, networks or individual computers through the use of proxy servers, cracking techniques and malicious software including Trojan horses and spyware. Cyber espionage can be used to target various actors- individuals, competitors, rivals, groups, governments, and others- in order to obtain personal, economic, political or military advantages. It may wholly be perpetrated online from computer desks of professionals on bases in far away countries or may involve infiltration at home by computer trained conventional spies and moles or in other cases may be the criminal handiwork of amateur malicious hackers and software programmers.
An advanced persistent threat (APT) is a stealthy threat actor, typically a state or state-sponsored group, which gains unauthorized access to a computer network and remains undetected for an extended period. In recent times, the term may also refer to non-state-sponsored groups conducting large-scale targeted intrusions for specific goals.
Cyberweapons are commonly defined as malware agents employed for military, paramilitary, or intelligence objectives as part of a cyberattack. This includes computer viruses, trojans, spyware, and worms that can introduce malicious code into existing software, causing a computer to perform actions or processes unintended by its operator.
Operation Red October or Red October was a cyberespionage malware program discovered in October 2012 and uncovered in January 2013 by Russian firm Kaspersky Lab. The malware was reportedly operating worldwide for up to five years prior to discovery, transmitting information ranging from diplomatic secrets to personal information, including from mobile devices. The primary vectors used to install the malware were emails containing attached documents that exploited vulnerabilities in Microsoft Word and Excel. Later, a webpage was found that exploited a known vulnerability in the Java browser plugin. Red October was termed an advanced cyberespionage campaign intended to target diplomatic, governmental and scientific research organizations worldwide.
Seculert was a cloud-based cyber security technology company based in Petah Tikva, Israel. The company's technology was designed to detect breaches and advanced persistent threats (APTs), attacking networks. Seculert's business was based on malware research and the ability to uncover malware that has gone undetected by other traditional measures.
Hacking Team was a Milan-based information technology company that sold offensive intrusion and surveillance capabilities to governments, law enforcement agencies and corporations. Its "Remote Control Systems" enable governments and corporations to monitor the communications of internet users, decipher their encrypted files and emails, record Skype and other Voice over IP communications, and remotely activate microphones and camera on target computers. The company has been criticized for providing these capabilities to governments with poor human rights records, though HackingTeam states that they have the ability to disable their software if it is used unethically. The Italian government has restricted their licence to do business with countries outside Europe.
Cozy Bear is a Russian advanced persistent threat hacker group believed to be associated with Russian foreign intelligence by United States intelligence agencies and those of allied countries. Dutch signals intelligence (AIVD) and American intelligence had been monitoring the group since 2014 and was able to link the hacker group to the Russian foreign intelligence agency (SVR) after compromising security cameras in their office. CrowdStrike and Estonian intelligence reported a tentative link to the Russian domestic/foreign intelligence agency (FSB). Various groups designate it CozyCar, CozyDuke, Dark Halo, The Dukes, Midnight Blizzard, NOBELIUM, Office Monkeys, StellarParticle, UNC2452 with a tentative connection to Russian hacker group YTTRIUM. Symantec reported that Cozy Bear had been compromising diplomatic organizations and national governments since at least 2010. Der Spiegel published documents in 2023 purporting to link Russian IT firm NTC Vulkan to Cozy Bear operations.
NSO Group Technologies is an Israeli cyber-intelligence firm primarily known for its proprietary spyware Pegasus, which is capable of remote zero-click surveillance of smartphones. It employed almost 500 people as of 2017.
Pegasus is a spyware developed by the Israeli cyber-arms company NSO Group that is designed to be covertly and remotely installed on mobile phones running iOS and Android. While NSO Group markets Pegasus as a product for fighting crime and terrorism, governments around the world have routinely used the spyware to surveil journalists, lawyers, political dissidents, and human rights activists. The sale of Pegasus licenses to foreign governments must be approved by the Israeli Ministry of Defense.
DarkMatter Group is a computer security company founded in the United Arab Emirates (UAE) in 2014 or 2015. The company has described itself as a purely defensive company, however in 2016, it became a contractor for Project Raven, to help the UAE surveil other governments, militants, and human rights activists. It has employed former U.S. intelligence operatives and graduates of the Israel Defense Force technology units.
A global wave of cyberattacks and data breaches began in January 2021 after four zero-day exploits were discovered in on-premises Microsoft Exchange Servers, giving attackers full access to user emails and passwords on affected servers, administrator privileges on the server, and access to connected devices on the same network. Attackers typically install a backdoor that allows the attacker full access to impacted servers even if the server is later updated to no longer be vulnerable to the original exploits. As of 9 March 2021, it was estimated that 250,000 servers fell victim to the attacks, including servers belonging to around 30,000 organizations in the United States, 7,000 servers in the United Kingdom, as well as the European Banking Authority, the Norwegian Parliament, and Chile's Commission for the Financial Market (CMF).
FORCEDENTRY, also capitalized as ForcedEntry, is a security exploit allegedly developed by NSO Group to deploy their Pegasus spyware. It enables the "zero-click" exploit that is prevalent in iOS 13 and below, but also compromises recent safeguards set by Apple's "BlastDoor" in iOS 14 and later. In September 2021, Apple released new versions of its operating systems for multiple device families containing a fix for the vulnerability.
CatalanGate is a 2022 political scandal involving accusations of espionage using the NSO Group's Pegasus spyware, against figures of the Catalan independence movement. Targets of the supposed espionage included elected officials, activists, lawyers, and computer scientists; in some cases, families of the main targets were also purportedly targeted.
Cytrox is a company established in 2017 that makes malware used for cyberattacks and covert surveillance. Its Predator spyware was used to target Egyptian politician Ayman Nour in 2021 and to spy on 92 phones belonging to businessmen, journalists, politicians, government ministers and their associates in Greece. In 2023, the U.S. Department of Commerce added the Cytrox companies Cytrox AD in North Macedonia, and Cytrox Holdings Crt in Hungary to its Entity List and on March 5, 2024, the U.S. Department of Treasury imposed sanctions upon Cytrox AD of North Macedonia and the Intellexa Consortium, which is the parent firm of Cytrox AD, "for trafficking in cyber exploits used to gain access to information systems, threatening the privacy and security of individuals and organizations worldwide."
Operation Triangulation is a targeted cyberattack on iOS devices conducted using a chain of four zero-day vulnerabilities. It was first disclosed in June 2023 and is notable for its unprecedented technical complexity among iOS attacks. The number of victims is estimated to be in the thousands.
The firm has maintained a high level of secrecy, including by changing its official corporate name four times during its six years in operation, according to a Citizen Lab report. The firm is now officially named Saito Tech Ltd., though it is still widely known as Candiru, the report states.