Arab Journalists and Activists Are Victims of Hacking Attacks: Who Is Behind This?

Ranya Turki | 2 years ago


Israeli spyware makers have recently taken advantage of an active vulnerability in Google Chrome to target journalists in the Middle East.

The global cybersecurity company, Avast Threat Labs, linked the attacks to the Tel Aviv-based spyware vendor commonly known as Candiru.

Avast discovered the latest Candiru attacks in March. They used an updated toolkit intended to target individuals in Turkiye, Yemen, and Palestine, as well as journalists in Lebanon, where Candiru compromised a website used by employees of an unnamed news agency.

Targeting Journalists

The actively exploited Google Chrome zero-day flaw disclosed this month was used by the Israeli spyware company to target journalists in the Middle East.

Avast Threat Labs linked the recent attacks to the Tel Aviv-based spyware vendor commonly known as Candiru.

In 2021, ESET, the online security firm, said that Middle East Eye had also been targeted by the hacking-for-hire group in April 2020.

Middle East Eye editor-in-chief David Hearst said, "Middle East Eye is no stranger to such attempts to take our website down by state and non-state actors. Substantial sums of money have been spent trying to take us out. They have not stopped us from reporting what is going on in all corners of the region, and it will not stop us in future. They will not stop us from reaching a global audience."

The Israeli spyware company was sanctioned in November 2021 by the US Commerce Department for engaging in activities contrary to US national security.

The latest Candiru attack was detected in March "using an updated toolset that aimed to target individuals in Turkiye, Yemen, and Palestine—as well as journalists in Lebanon where Candiru compromised a website used by employees of an unnamed news agency," MEE reported.

After the detection, Avast said in a statement: "We can't say for sure what the attackers might have been after; however, often the reason why attackers go after journalists is to spy on them and the stories they're working on directly, or to get to their sources and gather compromising information and sensitive data they shared with the press."


Targeting Activists and Journalists

Candiru, the mercenary spyware firm, was selling "untraceable" spyware to government customers, providing solutions for spying on computers, mobile devices, and cloud accounts.

The Israeli firm is registered under the name Saito Tech in Tel Aviv. Its activity was first detected by Microsoft and Citizen Lab in July last year. The Israeli hacking company had targeted more than 100 activists, journalists, and dissidents from at least 10 countries.

After Citizen Lab released its report last year, the company paused its spying activities to update its malware and evade detection efforts.

According to an August 2020 report from Intelligence Online, "the company is selling its products to government agencies only, after receiving all needed licenses from the Israeli Ministry of Defense export control."

Citizen Lab earlier revealed that the UAE and Saudi Arabia are "likely Candiru customers." The firm also "has become closer to Qatar" recently.

Citizen Lab also reported that governments like Morocco, Saudi Arabia, and the United Arab Emirates use Candiru spyware and Pegasus software produced by the Israeli NSO Group to illegally access the phone data of journalists, activists, politicians, dissidents, and embassy workers across the world.

MEE's Turkiye bureau chief, Ragip Soylu, was also targeted by spyware produced by the Israeli cyber-arms company NSO Group, which infiltrated his mobile phone.

Candiru Spyware Infection

Citizen Lab has defined Candiru as "a secretive Israel-based company that sells spyware exclusively to governments. Reportedly, their spyware can infect and monitor iPhones, Androids, Macs, PCs, and cloud accounts."

More than 750 websites connected to Candiru's spyware were identified through internet scanning, Citizen Lab revealed, including many domains masquerading as advocacy organizations such as Amnesty International and the Black Lives Matter movement, as well as media companies and other civil-society themed entities.

Candiru has earned multi-million-dollar revenue by selling the program to various government customers located in Europe, the former Soviet Union, the Persian Gulf, Asia, and Latin America.

According to Citizen Lab, Candiru developed the spyware with multiple features, including "malicious links, man-in-the-middle attacks, and physical attacks."

Candiru licenses its spyware according to the number of infections each customer needs.

Candiru has recruited hackers from the ranks of Unit 8200, the signals intelligence unit of the Israel Defense Forces.

The spyware can steal private data from apps and accounts such as Gmail, Skype, Telegram, and Facebook.

Not only that, but the program can also steal "browsing history and passwords, turn on the target's webcam and microphone, take pictures of the screen, and capture data from additional apps," according to Citizen Lab.