Candiru has likely sold spying tools to governments in the Middle East and Asia, according to the cybersecurity research group Citizen Lab, which identified people targeted by Candiru’s malicious software and helped Microsoft compile its report. Those governments then use the spying tools independently.
The Biden administration has moved aggressively to confront the ransomware epidemic, including threatening Russian President Vladimir Putin with severe consequences if he doesn’t crack down on criminal groups operating on Russian territory. But the United States has been far less aggressive about the proliferation of spyware.
Microsoft is part of a chorus of large tech firms that are increasingly criticizing the spyware industry and calling on governments to regulate their products through export bans and other measures. As part of its investigation, Microsoft patched major bugs that Candiru used to spy on its users.
The researchers also found phony websites masquerading as international media, human rights organizations and other legitimate groups that were used to deliver Candiru spyware. Among them were phony sites that appeared to be affiliated with the Black Lives Matter movement and sites related to gender equality.
Spyware firms have effectively leveled the playing field for countries that wish to spy on dissidents and government critics but lack the technical resources to develop their own spying tools.
Candiru did not respond to emails seeking comment. A phone call to a company number was not answered.
The most significant tech response came in 2019, when WhatsApp sued the most prominent spyware company, another Israeli firm called NSO, in U.S. federal court. The Facebook affiliate claimed NSO acted illegally by helping governments hack hundreds of its customers, including journalists, human rights workers and women who had been targeted with online attacks.
Microsoft filed a brief supporting WhatsApp’s position in that case, which is still working its way through the legal system. An NSO surveillance tool was also implicated in spying on Washington Post contributing writer Jamal Khashoggi before he was killed by people affiliated with Saudi Arabia’s security services in 2018.
Far less is known about Candiru’s activities. The firm has maintained a high level of secrecy, including by changing its official corporate name four times during its six years in operation, according to a Citizen Lab report. The firm is now officially named Saito Tech Ltd., though it is still widely known as Candiru, the report states.
“Candiru has tried to remain in the shadows ever since its founding but there is no space in the shadows for companies that facilitate authoritarianism,” Bill Marczak, a senior fellow at Citizen Lab, said.
Microsoft is referring to Candiru’s activities under the name Sourgum, part of a naming convention it has developed to describe nongovernment hacking groups using the names of trees and shrubs. The company has a separate naming convention for hacking groups linked with national governments based on elements on the periodic table.