Candiru (spyware company)

Candiru is a Tel Aviv-based technology company offering surveillance and cyberespionage technology to governmental clients.

Candiru offers cyberespionage tools that can be used to infiltrate computers, servers, mobile devices, and cloud accounts. Its specialty appears to be infiltration of computers, particularly those running Windows OS.

The company has been described as secretive, with Haaretz describing it as "one of Israel’s most mysterious cyber warfare companies". It does not have a website and requires employees to sign non-disclosure agreements and not to reveal their place of employment on LinkedIn. The company recruits heavily from the IDF's intelligence unit Unit 8200.

The company is named after the candiru, an Amazonian parasitic fish notorious for its apocryphal ability to invade and parasitise the human urethra. The company also uses a silhouette of the candiru fish as its logo.

Corporate profile
 Overview 

Candiru was founded by Eran Shorer and Yaakov Weizman in 2014 as Candiru Ltd. Its chairman and largest shareholder is Isaac Zach, who is also a founding funder of the NSO Group. Additionally, Candiru was reportedly financially backed by Founders Group, which was co-founded by Omri Lavie, who is also one of the founders of NSO Group. Candiru is thought to be Israel's second-largest cyberespionage company after NSO Group, and it has been suggested that Candiru may seek to merge with NSO Group.

The company has frequently relocated its offices and – though still known under its original name Candiru  – has also undergone multiple changes of its registered name  (including to Grindavik Solutions, LDF Associates, Taveta, D.F. Associates, Greenwick Solutions, Tabatha, and, finally, Saito Tech (current registered name) ).

 Corporate history 

Candiru was founded by Eran Shorer and Yaakov Weizman in 2014 as Candiru Ltd.

According to information from court filings of a lawsuit filed against Candiru by a former senior employee, the company had 12 employees at the end of 2015, 70 employees by the end of 2018, and had since grown to a 150 employees. During the first year after its founding, the company had no clients, but by the beginning 2016, the company had a number of deals in the advanced stage with clients from Europe, former Soviet Union, the Persian Gulf, Asia, and Latin America. According to the plaintiff, the company grossed $10 million worth in sales in 2016, and nearly $30 million in 2017, though the figures appear to refer to multi-year deals. In another part of the lawsuit, the plaintiff indicates that the company's 2018 revenues were worth about $20 million. A document appended to the lawsuit suggests that the company was in negotiations with potential clients from over 60 countries with a total value of $367 million. According to information from the lawsuit provided to the court by the defendant (Candiru), the company collaborates with intermediaries in target countries that help complete the deals and earn a 15% commission for their services. According to the plaintiff, Candiru senior management decided to begin development of spyware for mobile phones in 2017, however, the sale and marketing of phone spyware was halted by the company's chairman in early 2018. As defendant, Candiru complained that the plaintiff had revealed secret security information in the lawsuit and demanded that the proceedings continue as closed hearings and that information about the proceedings be concealed from the public.

According to reporting from January 2019, Candiru was believed to employ 120 people and to have generated annual sales of $30 million, which would make it Israel's second-largest cyberespionage firm.

According to reporting from December 2019, Candiru's market capitalisation was $90 million (based on the sale of a 10% stake in Candiru which was sold by venture capitalist Eli Wartman to Universal Motors for $9 million).

Candiru has reportedly been carrying out business negotiations with Singapore (reported in 2019), and Qatar (reported in 2020). A company linked to the Qatari sovereign wealth fund has invested in Candiru.

According to a report in July 2021 by CitizenLab, Candiru's exploits have been linked to nation-state malware attacks observed in Uzbekistan, Saudi Arabia, Qatar, Singapore, and the United Arab Emirates.

The cyber firm receives boost from the investors of Qatar, as several investment funds ties to Qatar Investment Authority took a stake in the spyware firm Candiru.

Candiru has at least one subsidiary – Sokoto – which was incorporated in March 2020.

As of December 2020, the company's board members were Shorer, Weitzman, Zach, and a representative of Universal Motors Israel (which is a Candiru shareholder). According to 2021 filings, the largest shareholders were Shorer, Weitzman, and Zach. Other shareholders were Universal Motors Israel LTD, ESOP management and trust services, and Optas Industry Ltd.

History
In 2019, a researcher at Kaspersky Lab revealed that Candiru spyware was being used by the Uzbekistan's intelligence agency. Operational security lapses committed by the Uzbek client while testing the tools against various antivirus systems (including Kaspersky antivirus) tipped off the researchers. The researchers identified the Uzbeki test computer and uncovered a web address to which it regularly connected, which was registered by the Uzbeki National Security Service. The findings subsequently allowed researchers to identify two more of Candiru's clients: Saudi Arabia and the United Arab Emirates. Tracking Candiru's infiltration tactics allowed cybersecurity experts to identify and fix as many as eight Windows zero-day exploits.

In April 2021, the London-based publication Middle East Eye was compromised for two days, and used to deploy malicious code onto visitors' devices. As many as 20 organisation – including an Iranian embassy, Italian aerospace companies, and Syrian and Yemeni government entities – were targeted. The attack was uncovered by ESET, which tied the malicious code used in the attack to Candiru.

According to the findings of a joint investigation by CitizenLab and Microsoft (report released in July 2021), Candiru has used mock website URLs made to appear like web addresses of NGOs, activist groups, health organisations, and news media organisations to ensnare targets. The investigation uncovered over 750 domains that appeared to be linked to Candiru. Among the sham URLs were ones that appeared to imitate a website that publishes Israeli court indictments of Palestinian prisoners, and a website critical of the Saudi crown prince Mohammed bin Salman. The findings indicated that Candiru's cyberespionage tools were being used to target civil society. Microsoft identified at least 100 targets that included politicians, human rights activists, journalists, academics, embassy workers, and political dissidents. Microsoft identified targets in multiple countries across Europe and Asia. Candiru's systems were found to have been operated from multiple countries, including (but not limited to) Saudi Arabia, Israel, U.A.E., Hungary, and Indonesia. The investigation commenced after CitizenLab identified a computer suspected of hosting a persistent Candiru infection using telemetry data. CitizenLab then approached the user of the device – a politically active individual in Western Europe – to obtain an image of the device's hard drive.

In November 2021, the United States Commerce Department added Candiru (as well as NSO Group, the other major Israeli spyware vendor) to its trade blacklist for supplying spyware to foreign governments which then used it to malicious ends, which the Commerce Department deemed commercial activities contrary to U.S. national security or foreign policy interests. The U.S. Commerce Department subsequently sent Candiru a list of questions about how Candiru's spyware operates.

In April 2022, CitizenLab published a report in which it revealed that four Catalan independence proponents were targeted with Candiru spyware as part of a larger campaign to spy on proponents of Catalan independence (CatalanGate) which was mainly conducted using Pegasus spyware. The targets were enticed to click a link in an email message that was sent to them, with their personal computers becoming infected with Candiru spyware upon clicking the link. CitizenLab identified a total of seven such malicious emails; some of the emails were made to appear like messages from a Spanish governmental institution with public health recommendations in connection to the 2019 coronavirus epidemic.

Products and services
Candiru offers its products and services to governmental law enforcement agencies and intelligence agencies to aid surveillance, data exfiltration, and offensive cyber operations. It deals with government clients only. The company states that it prohibits deployment of its products within the U.S., Israel, Russia, China, or Iran (though Microsoft identified Candiru targets in Israel and Iran).

 Candidate target platforms, infiltration methods, and capabilities 

Candiru's specialty appears to be computer spyware (particularly for Windows devices, though it has also developed spyware for computers running Apple's MacOS ). It also offers spyware for mobile platforms, servers, and cloud accounts. Candiru allegedly offers a range of target infiltration approaches, including infiltration through hyperlinks, man-in-the-middle attacks, weaponised files, physical attack,  and a program called "Sherlock"  (it is unclear what the program does, but is claimed to be effective for Windows, iOS, and Android, according to Candiru ). The company would reportedly also design new custom spyware in cases where none of the tools in its standard repertoire are successful in infiltrating the target.

According to a leaked company document published in 2020, the company's products can be used to infiltrate PC computers, networks, mobile handsets, are compatible with multiple operating system environments ("PC/Windows, iOX, and Android"), require minimal target interaction to achieve infiltration, and are "silently deployed" and "untraceable". The leaked document goes on to state that once deployed, the spyware can exfiltrate data from the compromised device (including data from social media accounts, communication programs/apps, or the device's microphone or camera) and can also identify and map networks the target is connected to. According to a 2019 marketing document, the spyware does not cause any interruption of the target device.

 Services and prices 

According to a leaked Candiru document, the company offers various services bundles to customers that vary in price depending on the number of devices targeted and number of countries in which the spyware is deployed against targets (the client is offered an unlimited number of deployment attempts). Clients are also charged extra if they choose to capture browser cookie data or data from apps (including Twitter, Viber, and Signal), or if they wish to gain full command-and-control access to the target's device (which may be used to implant incriminating materials onto the devices). The basic bundle was priced at €16 million and allowed for monitoring of 10 devices, the ability to monitor 15 additional devices and operate in one additional countries cost a further €1.5 million, the ability to monitor 25 additional devices and conduct espionage in 5 more countries cost a further €5.5 million, and remote control access of a device cost a further €1.5 million, with exfiltration of cookies or app data costing €200.000 or – in the case of Signal – €500.000.

 Uncovered Candiru spyware vulnerability exploits 

According to findings of a joint investigation by CitizenLab and Microsoft (published in July 2021), Candiru uses sham websites with URLs made to resemble real websites to covertly infiltrate devices, potentially enabling persistent access to the device (including exfiltration capabilities). Microsoft's threat intelligence center identified and patched a Windows vulnerability exploited by Candiru spyware in July 2021. Microsoft's analysis of the spyware revealed that in addition to enabling exfiltration of files, messages, and passwords, the spyware also enables the operator to send messages from logged in email and social media accounts directly from the target's computer. Additionally, CitizenLab reported that Candiru exploited two vulnerabilities in the browser Google Chrome. Google also linked a Microsoft Office exploit to Candiru.