Candiru (spyware company)

Candiru is a private Tel Aviv-based company founded in 2014 which provides spyware and cyber-espionage^[1][2] services to government clients.^[3] Its management and investors overlap significantly with that of NSO Group.^[4] Its operations began being uncovered in 2019 by researchers at Citizen Lab, Kaspersky, ESET (among others). Microsoft refers to the company's cyber-espionage operations as "Caramel Tsunami/SOURGUM" while Kaspersky refers to it as "SandCat"^[5][6]

Candiru (Saito Tech Ltd.)

Formerly	Candiru Ltd (2014)
Company type	Private
Industry	Surveillance technology, Cyber espionage
Founded	2014; 11 years ago (2014)
Founders	Eran Shorer, Yaakov Weizman
Headquarters	Tel Aviv , Israel
Key people	Isaac Zack (Chairman), Eitan Achlow (CEO)
Products	Sherlock (software exploit) DevilsTongue (spyware)
Owner	Isaac Zach, Eran Shorer,Yaakov Weizman

Their products exploit zero-days vulnerabilities in a variety of operating systems and web browsers to deploy persistent spyware implant (dubbed "DevilsTongue" by Microsoft) to remotely control the victim's device.^[5] Their products are also reportedly capable of compromising Mac, Android, and iPhone devices. Victims are often social engineered into visiting malicious websites which install spyware via a chain of exploits. Their business model is similar to a managed service provider for cyber-espionage, providing exploits, tools and infrastructure for government clients.^[7][4][8][9]

It has minimal public presence, requiring employees to sign non-disclosure agreements and follow strict operational security practices to conceal their source of employment.^[4] Its corporate name has changed multiple times from 2014 to 2020.^[8]

As does many Israeli technology companies^[10] it recruits heavily from Unit 8200, which handles signals intelligence and cyberwarfare for the Israeli military.^[2] Its name and logo references the parasitic fish candiru which has the (likely apocryphal) ability to implant in the human urethra.^[2][8]

Corporate history

Candiru was founded in 2014 by Eran Shorer and Yaakov Weizman.^[4][8] Early NSO Group investor Isaac Zach serves as its chairman.^[4] Those three have a controlling interest in the company. It reportedly received investment from "Founders Group", an angel investment syndicate operated by NSO Group co-founders Omri Lavie and Shalev Hulio.^[9] It is reportedly Israel's second-largest cyber-espionage firm after NSO Group.^[2][4]

The company has frequently relocated its offices^[4] and changed its corporate registration from 2014 to 2020, most recently to "Saito Tech Ltd".^{[1][8][4][11]}

Public court filings^[4] pertaining to a lawsuit by a former senior employee indicated that Candiru grew from 12 employees in 2015 to 70 in 2018.^[4] By 2016, it had begun closing deals with clients from Europe, the Middle East, Asia, and Latin America. It grossed $10 million in 2016 and $20-$30 million by 2018 with $367 million worth of pending deals with 60 governments. It purportedly uses in-country intermediaries during negotiations. In 2017, Candiru purportedly began development of mobile device spyware. Candiru asked the court to seal documents and hold closed hearings, claiming national security as justification.^[4]

In 2019, Candiru was valued at $90 million based on the sale of a 10% stake from venture capitalist Eli Wartman to Israel's Universal Motors.^[4] The Qatari sovereign wealth fund has reportedly invested in Candiru.^[8][12] In 2020 Candiru incorporated a subsidiary named "Sokoto".^[8]

As of 2020, its board comprised founding team Eran Shorer, Yaakov Weitzman, chairman/investor Isaac Zach, and a representative of Universal Motors Israel. Its 2021 filings listed minority shareholders Universal Motors Israel, ESOP Management and Trust Services (manager of corporate stock programs), and Optas Industry Ltd (a proxy for the Qatari sovereign wealth fund).^[8]

Operational history

Vice reported in 2019^[7] that Kaspersky Lab had identified Candiru spyware in use by the Uzbekistan State Security Service. The intelligence agency reportedly used Kaspersky antivirus software to test whether the spyware would be detected and configured an official domain ("itt.uz") for the spyware's network communications. This discovery allowed Kaspersky to identify other intelligence agencies using Candiru spyware such as Saudi Arabia and United Arab Emirates.^[9]

In April 2021 ESET identified an espionage campaign, possibly perpetrated by Saudi Arabian intelligence, which leveraged Candiru spyware to compromise news outlet Middle East Eye via a watering hole attack. Other targets of this campaign included an Iranian embassy, Italian aerospace companies, and the Syrian and Yemeni government.^[13]

In July 2021, Citizen Lab and Microsoft reported^[8] widespread usage of Candiru spyware by various government clients to compromise at least 100 worldwide victims across civil society, including politicians, human rights activists, journalists, academics, embassy workers, and dissidents. Spyware control infrastructure was identified in Saudi Arabia, Israel, U.A.E., Hungary, and Indonesia. Highly targeted social engineering tricked victims into visiting malicious websites under the pretext of relevant content.^[1][3]

Microsoft's threat intelligence center identified and patched a Windows vulnerability exploited by Candiru spyware^[1] in July 2021.^[3] Microsoft's analysis of the spyware revealed that in addition to enabling exfiltration of files, messages, and passwords, the spyware also enables the operator to send messages from logged in email and social media accounts directly from the target's computer.^[8] Additionally, Citizen Lab reported that Candiru exploited two vulnerabilities in the browser Google Chrome.^[3] Google also linked a Microsoft Office exploit to Candiru.^[8]

In November 2021, the United States Commerce Department added both Candiru and NSO Group to its sanctioned entities list for supplying spyware to hostile foreign governments.^[14][15]

In April 2022, Citizen Lab reported that members of the Catalan independence movement were infected with Candiru spyware as part of a Spanish governmentsanctioned domestic surveillance operation^[16] against elected officials and activists. NSO Group's Pegasus spyware was also heavily used in this operation. Investigations by Amnesty International and public protest led to CatalanGate and official acknowledgement by the Spanish government. Victims were sent emails leveraging social engineering to convince them to visit a malicious URL, which covertly installed spyware via browser and operating system exploits. These emails leveraged credible pretexts such as official health advisories during the COVID epidemic.^[17]

Products and services

Candiru purportedly^[3] sells exclusively to government law enforcement agencies and intelligence agencies. It appears to act as "middleman" or "managed service provider", providing delivery mechanisms, remote control infrastructure, spyware tools and software exploits. Clients seems to be responsible for targeting, logistics and the operational security.^[7] Candiru has reportedly provided exploits for many zero-day vulnerabilities to clients, which have been patched by the relevant software companies after they are discovered.^[4][8] In at least one case, poor operational security by a client (Ubeki intelligence) resulted in multiple zero-days and network infrastructure being "burned".^[7]

The company claims that clients are not allowed within the United States, Israel, Russia, China, and Iran.^[4] Researchers, including Citizen Lab and Microsoft have identified Candiru spyware victims in Israel and Iran, and potential victims in Russia.^[1][8]

Leaked documents and contracts show that Candiru offers a range of exploit delivery methods, including drive-by exploits, tampering with network data, malicious documents, and physical intrusion. It appears to be able to develop new tools as needed and has access to exploits for zero-day vulnerabilities. After compromising the device, a persistent spyware implant (dubbed "DevilsTongue" by Microsoft) is installed to remotely control the victim's device.^[5] Social media data, browser cookies and messages from SMS, Viber, WhatsApp, and Signal can be captured. The device's camera/microphone can be captured as well.^[1][2][8]

Services are priced in the tens of millions of dollars based on number of targeted devices and affected countries. Upsold services include access to additional victim data and full remote control of the device. A multi-million dollar add-on called "Sherlock" (likely a cross-operating-system zero-day web browser exploit) purports to provide access on Windows, Android and iOS devices.^[8][3]