with Aaron Schaffer
Microsoft and the research group Citizen Lab are pulling back the veil on one industry leader that goes by the name Candiru, as I reported. That Israeli firm helped government clients hack devices from Microsoft and other major firms to track more than 100 journalists, dissidents and human rights activists ranging from Israel, the Palestinian territories and Lebanon to Turkey, Spain and the United Kingdom.
Candiru’s customers aren’t known but they probably include intelligence and law enforcement agencies in the Middle East and Asia.
The Microsoft and Citizen Lab reports offer a small window into how a relatively tiny group of companies — no one is sure just how many — are enabling a surge in global espionage and helping authoritarian regimes harass critics far outside their borders.
“Candiru has tried to remain in the shadows ever since its founding but there is no space in the shadows for companies that facilitate authoritarianism,” Bill Marczak, a senior fellow at Citizen Lab, which is based at the University of Toronto’s Munk School, told me.
Microsoft slammed the spyware industry, describing it in terms often applied to criminal hackers and government-backed hackers from Russia and China.
“A world where private sector companies manufacture and sell cyberweapons is more dangerous for consumers, businesses of all sizes and governments,” Cristin Goodwin, general manager of Microsoft’s Digital Security Unit, warned in a blog post.
In a previous blog post, Microsoft President Brad Smith called such firms “21st-century mercenaries.”
To underscore the similarity with government-backed and criminal hackers, Microsoft is assigning code names to spyware organizations in the same way it and other tech and cybersecurity firms do for government-backed hacking teams. It’s dubbing Candiru Sourgum — in accordance with a system that names spyware firms for trees and shrubs. Microsoft names government hacking groups after elements of the periodic table, while FireEye assigns numbers and CrowdStrike uses animal names.
The full capabilities of Candiru’s spying tools aren’t clear.
But they probably allow users to intercept victims’ communications, steal their data, track their location and spy through microphones and cameras, Citizen Lab Senior Researcher John Scott-Railton told me. The tools were effective against both Windows and Mac computers, as well as iPhone and Android smartphones.
Candiru also helped its government clients hack targets by luring them to phony websites masquerading as international media, human rights organizations and other legitimate groups. Among them were phony sites that appeared to be affiliated with the Black Lives Matter movement and sites related to gender equality.
The most nefarious aspect of such surveillance is it forces critics of authoritarian governments to be circumspect or silent about their criticisms even if they’ve fled to democracies that prize free speech, Scott-Railton said.
“We cannot allow authoritarian regimes to export self-censorship around the world, and that’s exactly what companies like Candiru are allowing them to do,” he said.
Candiru did not respond to emails seeking comment. A phone call to a company number was not answered.
Candiru joins a handful of well-known spyware firms whose activities have been outed by researchers, tech firms and leakers.
The most prominent of those is another Israeli firm, NSO, which is embroiled in a lawsuit with WhatsApp over its hacking exploits.
The Facebook affiliate claimed NSO acted illegally by helping governments hack hundreds of its customers, including journalists, human rights workers and women who had been targeted with online attacks. Microsoft wrote a legal brief supporting WhatsApp in that case.
Candiru has changed its name several times during the last half-decade while still being generally referred to as Candiru. It’s currently named Saito Tech Ltd.
The keys
Iranian hackers targeted U.S. military and aerospace contractors on Facebook.
The TortoiseShell hacking group cultivated fake personas on social media sites that posed as recruiters and employees at well-known defense and aerospace firms, Facebook said.
It’s a notable change in tactics for the Iranian hacking group, which previously focused its efforts on compromising Middle Eastern IT companies. Fewer than 200 people were targeted in the latest campaign on Facebook and its Instagram platform, Facebook head of cyberespionage operations Mike Dvilyanski told The Cybersecurity 202.
Facebook linked some of the malware used in the hacks to an Iranian company that it said had ties to Iran’s Islamic Revolutionary Guard Corps. The Trump administration designated the IRGC as a terrorist organization in 2019.
The NSA is beginning its search for a top lawyer three months after a former Republican operative resigned from the post.
The NSA’s general counsel role was swept up in controversy six months ago when former GOP political operative Michael Ellis was installed as the agency’s general counsel, the Record’s Martin Matishak writes. Former president Donald Trump’s acting defense secretary ordered NSA Director Paul Nakasone to install Ellis.
Nakasone placed Ellis on administrative leave as Trump left the White House, and Ellis resigned from the post in April.
Republicans including House Minority Leader Kevin McCarthy (R-Calif.) have criticized the NSA for sidelining Ellis. Tensions between Republicans and the NSA have been heightened recently by Fox News host Tucker Carlson, who accused the NSA of spying on him. The spy agency said Carlson “has never been an intelligence target” in a rare public statement.
Experts are skeptical that a purported Kremlin document on Trump’s Russia ties is genuine.
It’s hard not to be skeptical of the document, Philip Bump writes. One big problem: The document seems to align too neatly with critics' views of Trump, describing him as “mentally unstable.” It also dangles the possibility the Kremlin has compromising information about Trump but never describes it further.
The document, which was seen and reported on by the Guardian, purports to be an internal Kremlin memo focused on plotting to interfere in U.S. politics to get Trump elected president in 2016. Representatives for the Kremlin and Trump dismissed the report.
Experts in Russia, cyberespionage and the spread of baseless claims on social media are warning readers to be cautious. Thomas Rid, a professor of strategic studies at Johns Hopkins School of Advanced International Studies:
Other reasons to be very cautious:
—timing: seems too early for such a top-level meeting
—participants: very sensitive meeting not locked down
—UK gov: no quote, not even anonymous
—Guardian doesn't even mention risk of op or forgery
—and: that strange reference to "kompromat"
— Thomas Rid (@RidT) July 15, 2021
Former Cybersecurity and Infrastructure Security Agency director Chris Krebs:
Agree w/ @RidT on this Guardian reporting on Russian plans for the former President. This is far too convenient & reeks of #disinfo operation. It could all be individually or collectively true and at the same time planted & fake. So in the meantime, I’m taking this approach: https://t.co/0ZMSUfeJ9I
— Chris Krebs (@C_C_Krebs) July 15, 2021
Daybook
- A House Intelligence Committee panel holds a hearing on microelectronics security and innovation on July 20 at 10 a.m.
- The House Committee on Small Business holds a hearing on small businesses’ cybersecurity on July 20 at 10 a.m.
- A House Energy and Commerce Committee panel holds a hearing on ransomware on July 20 at 10:30 a.m.
- The Senate Committee on Environment and Public Works holds a hearing on cybersecurity vulnerabilities in physical infrastructure on July 21 at 10 a.m.
Secure log off
Stephen used the 'old camera' to explain who Olivia Rodrigo is to a certain demographic. #LSSC https://t.co/aPFb1GLwFY
— The Late Show (@colbertlateshow) July 15, 2021