
Microsoft says Israeli company's malware used to hack dissidents, activists

Microsoft said around half of the victims were located in the Palestinian territories, and many of the remaining targets were based in the Middle East.

Microsoft says it disrupted an Israeli private company’s unique malware that hackers in other countries used to spy on political dissidents and rights campaigners. 

After receiving a tip from researchers at Citizen Lab, a watchdog organization at the University of Toronto's Munk School of Global Affairs, Microsoft began investigating malware from a group it dubbed “Sourgum.” 

Sourgum’s malware appeared to use a chain of browser and Windows exploits, including zero-days, Microsoft said. The browser exploits were delivered through single-use URLs sent to targets over messaging applications such as WhatsApp, a method that also makes the exploit hard for defenders to retrieve afterwards, since the link stops working after its first visit. 

Citizen Lab has assessed with high confidence that the actor Microsoft is calling Sourgum is an Israeli company that goes by the name Candiru. According to the watchdog, Candiru sells spyware that can infect and monitor a range of devices and platforms, including Microsoft's Windows operating system.

Its customers are exclusively foreign governments, Citizen Lab said. Candiru has reportedly previously sold to government agencies in Uzbekistan, the United Arab Emirates and Saudi Arabia. 

Microsoft and Citizen Lab say the malware was used in “precision attacks” targeting more than 100 people worldwide, including politicians, human rights activists, journalists, academics, embassy workers and political dissidents. 

Roughly half of the victims identified were located in the Palestinian territories, with the remaining targets in Israel, Iran, Lebanon, Yemen, Spain’s Catalonia region, the United Kingdom, Turkey, Armenia and Singapore. 

Citizen Lab said it linked Candiru’s spyware infrastructure to sites “masquerading as advocacy organizations,” including Amnesty International and Black Lives Matter. The researchers also detected “lookalike domains” for the United Nations, the World Health Organization and other international organizations. 

“Some of the themes strongly suggest that the targeting likely concerned civil society and political activity,” Citizen Lab said in its report. 
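Lookalike domains of the kind described above, names that imitate an advocacy organization or international body, are something defenders routinely hunt for. The script below is an added example of that triage step; it is not code from Microsoft, Citizen Lab or Al-Monitor, and the watch list, the confusable-character table and the sample domains in it are constructed for illustration rather than indicators from the report.

```python
# Lookalike-domain triage against a small watch list of organizations.
# Added example; the watch list and sample domains are constructed for
# illustration and are not infrastructure attributed to any actor.

WATCHLIST = {
    "amnesty.org": "Amnesty International",
    "blacklivesmatter.com": "Black Lives Matter",
    "un.org": "United Nations",
    "who.int": "World Health Organization",
}

# Character sequences commonly substituted for visually similar ones
# (assumed, illustrative list; real hunting uses a fuller confusables table).
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s", "7": "t"}


def split_domain(domain):
    """Return (second-level label, top-level label), lowercased.

    Simplification: the last label is treated as the public suffix, so
    multi-part suffixes such as co.uk are not handled here.
    """
    parts = domain.lower().rstrip(".").split(".")
    if len(parts) < 2:
        raise ValueError(f"not a dotted domain: {domain!r}")
    return parts[-2], parts[-1]


def normalize(label):
    """Fold common homoglyph substitutions so 'arnnesty' compares as 'amnesty'."""
    for seq, plain in CONFUSABLES.items():
        label = label.replace(seq, plain)
    return label


def levenshtein(a, b):
    """Edit distance with a rolling row; fine for domain-length strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def match_rule(label, brand_label):
    """Return the first rule that makes `label` look like `brand_label`, or None."""
    norm = normalize(label)
    if norm == brand_label:
        # Same name once homoglyphs are folded: either only the TLD differs,
        # or the raw spelling used substituted characters.
        return "tld-swap" if label == brand_label else "homoglyph"
    # One-edit typos are only meaningful for names long enough that a single
    # edit is unlikely to happen by chance.
    if len(brand_label) >= 5 and levenshtein(norm, brand_label) <= 1:
        return "typo"
    # Short brands (un, who) are matched only as whole hyphen-separated tokens.
    if brand_label in norm.split("-"):
        return "brand-token"
    if len(brand_label) >= 5 and brand_label in norm:
        return "brand-embedded"
    return None


def triage(domain):
    """List (domain, organization, rule) findings; empty for legitimate or unrelated names."""
    domain = domain.lower().rstrip(".")
    label, tld = split_domain(domain)
    if f"{label}.{tld}" in WATCHLIST:
        return []  # the organization's own domain (or a subdomain of it)
    findings = []
    for watch_domain, org in WATCHLIST.items():
        brand_label, _ = split_domain(watch_domain)
        rule = match_rule(label, brand_label)
        if rule:
            findings.append((domain, org, rule))
    return findings


# Constructed sample domains for the example; not real indicators.
SAMPLE_DOMAINS = [
    "amnesty.org",                 # legitimate, must not be flagged
    "arnnesty.org",                # 'rn' standing in for 'm'
    "amnesty-appeal.net",          # brand plus lure word
    "blacklivesmatters.com",       # one extra character
    "un-humanrights-council.org",  # short brand as a hyphen-separated token
    "who-covid-updates.info",      # brand token plus lure
    "wh0.int",                     # digit for letter
    "example.com",                 # unrelated
]


def triage_all(domains=SAMPLE_DOMAINS):
    return [finding for d in domains for finding in triage(d)]


if __name__ == "__main__":
    for domain, org, rule in triage_all():
        print(f"{domain:30} -> {org} ({rule})")
```

The rules are deliberately conservative for short names: "un" and "who" are matched only as whole tokens, never by edit distance or substring, because otherwise almost any two- or three-letter label would trip them. In practice the watch list would be the organizations relevant to your users, and the candidate domains would come from passive DNS, certificate transparency logs or newly registered domain feeds rather than a hard-coded list.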

In a blog post Thursday, Microsoft said it is working to address the dangers caused when cyberweapons “fall into the wrong hands and threaten human rights.” As part of that effort, Microsoft in December joined Facebook in support of its legal case against NSO Group, accusing the Israel-based spyware developer of selling “dangerous” surveillance tools to foreign governments. 

“A world where private sector companies manufacture and sell cyberweapons is more dangerous for consumers, businesses of all sizes and governments,” Microsoft said. 
