Candiru, an Israeli Company That Spies for Arab Regimes and Works 'Against the Interests' of Washington

Israeli spying companies are once again in the spotlight after the United States placed the most prominent of them on its “blacklist,” saying that they work against national interests, American national security, and human rights around the world.
Among the companies whose listing Washington announced on November 16, 2021, is the Israeli firm Candiru, which specializes in cyber-attacks.
In conjunction with this listing, international media revealed a highly dangerous spyware program produced by the Candiru company, which was widely used to target opponents of Arab regimes.
Candiru was not the only company carrying out this kind of high-end espionage; its case ran in parallel with the equally important case of the Israeli “Pegasus” spy program, whose maker, NSO, was sued on November 24, 2021.
The American company Apple filed that lawsuit over NSO's targeting of users of its devices, arguing that the Israeli company involved in the scandal should be held accountable.
Middle Eastern regimes have always used Israeli spyware as a net to trap opponents, especially in the midst of the Arab Spring revolutions, by monitoring users of the World Wide Web and mobile phones; the targeting came to include senior politicians, journalists and statesmen.
Black List
One of the most prominent consequences of placing Candiru and NSO on the blacklist is that American institutions are prohibited from dealing with the two companies, exchanging information and expertise with them, or selling them technology.
“The United States is committed to aggressively using export controls to hold companies that develop, handle, or use technologies to conduct malicious activities that threaten the cybersecurity of members of civil society, dissidents, government officials, and organizations here and abroad,” Secretary of State Gina Raimondo said on the day of the listing.
The British newspaper The Guardian reported on November 16, 2021, that the Israeli company Candiru used its spyware program to carry out attacks on important websites in Britain and the Middle East.
“The program produced by the Candiru company has been used to target opponents of Saudi Arabia and other dictators, as well as readers of a news site in Britain,” according to the newspaper.
On the same day, researchers at the Slovakian company ESET revealed information about attacks in which hackers, through the Israeli company, send malware to well-known sites that attract readers and users classified as targets of interest.
The company stated that “the sophisticated attacks allow the malicious user to identify characteristics of the individuals who visited the site.”
It added that “in some cases, a malware user can create a vulnerability that allows gaining control of a targeted individual's computer.”
The company focused specifically on the Candiru program, which targets computers, unlike Pegasus, which targets mobile phones.
Among the entities targeted by Candiru are the British news website Middle East Eye, and several websites linked to government ministries in Iran and Yemen.
Candiru Company
On September 7, 2020, the Hebrew newspaper, Haaretz, said that Candiru “is one of the most obscure electronic warfare companies in Israel, and it does not have a website, and also requires employees to sign non-disclosure agreements and not disclose their workplace on LinkedIn.”
It added that “the company is recruiting extensively officers and employees from the 8200 Intelligence Unit of the Israeli army.”
The company was founded in 2014 by Eran Schurer and Jacob Weizmann and is headquartered in Tel Aviv, yet no sign on its building bears its name, because of the secrecy of its work and its security precautions.
It shares with Israel's NSO Group the chairman and largest shareholder, Isaac Zak.
One interesting point about the company is its name, which refers to the candiru, a fish that lives in the Amazon River Basin.
This fish is small, no more than 4 inches long. It enters the human body through the urethra and works from the inside to destroy a man's testicles or to cause complete destruction of the female reproductive system, causing pain to the victim before a certain death, as Haaretz mentioned.
The company's choice of the fish's name apparently points to the harm it can cause to those it hacks.
On October 3, 2019, the American magazine Forbes revealed that "the Uzbek Intelligence Agency is using the Candiru spy program, and that it has tested its operational security vulnerabilities."
Indeed, according to the magazine, the researchers identified the most prominent vulnerabilities through the Uzbek test computer, and through it uncovered a web address that regularly connected to it and was registered by the Uzbek National Security Service.
The results also identified two other Candiru clients, namely Saudi Arabia and the United Arab Emirates.
Candiru’s tracking methods have allowed Uzbek cybersecurity experts to identify and fix up to 8 daily vulnerabilities in the Windows operating system.
The Severity of the Program
According to the results of a joint international investigation by the Canadian Citizen Lab and the American company Microsoft, the Candiru program used URLs of fake websites. Citizen Lab specializes in information controls, such as web monitoring and content filtering, that affect the openness and security of the Internet and pose threats to human rights.
The company disguised the URLs as web addresses of NGOs, activist groups, health organizations, and news media in order to reach its targets.
The investigation, published in July 2021, also revealed more than 750 domains associated with Candiru.
Among the fake addresses were ones that appear to imitate a website that publishes Israeli court indictments of Palestinian prisoners, and another site that criticizes Saudi Crown Prince Mohammed bin Salman.
The results showed that Candiru's cyber espionage tools are used to target civil society.
Microsoft has identified at least 100 targets, including politicians, human rights activists, journalists, academics, embassy workers and political opponents. It also identified targets in multiple countries across Europe and Asia.
Candiru’s systems have been found to be operated from several countries, including Saudi Arabia, "Israel," the United Arab Emirates, Hungary and Indonesia.
On January 3, 2019, an investigation by the Hebrew economic newspaper, The Marker, revealed that cyber-attack applications are considered a big “business” in "Israel," and generate about one billion dollars annually, in the form of direct sales from the exports of these systems abroad.
It added that the Israeli company Candiru sold its technology to countries such as Saudi Arabia and Mexico, which used it to spy on their opponents, and that it is one of the largest and most influential players in that market.
Candiru specializes in hacking computers and servers. According to the newspaper, most of its customers are from Western Europe and Gulf countries, and it does not have any customers in Africa, and does not sell its products inside "Israel."
The Marker newspaper said that “Candiru's sales policies are an internal Israeli decision, after the company was criticized for selling its technology to systems that have a bad record in the field of democracy and human rights.”
Sources
- 'Cyber-attacks in the Middle East': Questions surrounding an Israeli company [Arabic]
- The Israeli company Candiru may be behind a campaign of cyber attacks [Arabic]
- Israeli firm’s spyware linked to attacks on websites in UK and Middle East
- Meet Candiru — The Mysterious Mercenaries Hacking Apple And Microsoft PCs For Profit
- Cellphone Hacking and Millions in Gulf Deals: Inner Workings of Top Secret Israeli Cyberattack Firm Revealed
- Ha'aretz unveils Israeli "secret company" for technical attacks [Arabic]