A secretive Israeli company helped hack a British news site and used it to take over the devices of some people who visited the site, cyberreseachers say.
The cybersecurity firm ESET said in a report Tuesday that the company, Candiru, helped an unknown foreign government hack the London news site Middle East Eye with a so-called watering hole attack, which places malicious software on a website to infect and hack the computers of people who visit it.
The research is a rare insight into Candiru, which was blacklisted this month by the U.S. Commerce Department for supplying “spyware to foreign governments that used this tool to maliciously target government officials, journalists, businesspeople, activists, academics, and embassy workers.”
Candiru keeps an extremely low profile, and does not have a public website or contact information, and thus couldn’t be contacted for this article. But like many cyber arms dealers, Candiru sells hacking technology to governments with little restrictions on how it can be used, according to cybersecurity researchers. Earlier this year, researchers at Microsoft and the University of Toronto’s Citizen Lab cybersecurity research center found that Candiru had helped governments that paid for its services hack human rights activists around the world.
For several days last year, when some people visited Middle East Eye, which reports news and publishes opinion pieces about the Middle East, their devices were hacked if they matched a certain criteria, said Matthieu Faou, an ESET researcher.
It was part of a larger campaign in which Candiru helped the unnamed government break into a string of websites concerned with the Middle East, ESET found. The goal seemed to be to gather information on Yemen, Faou said.
A Candiru spokesperson told Forbes that it does not carry out attacks for customers and does not know how clients use its tools.
Companies that sell hacking tools to governments, like Candiru and NSO Group, also based in Israel, are popular with countries whose intelligence agencies lack the ability to hack individuals they want to spy on.
Human rights advocates have long warned that companies that sell software to governments for the purpose of national security do little to restrict their products’ use and help authoritarian regimes crack down on dissenters.
NSO Group, which has denied allegations that it provided the software used by Saudi Arabian security services before they murdered journalist Jamal Khashoggi in 2018, has suffered several setbacks recently. The U.S. added NSO to its blacklist on Nov. 4, saying that each company “is involved, or poses a significant risk of being or becoming involved in activities that are contrary to the national security or foreign policy interests of the United States.” NSO CEO Isaac Benbenisti stepped down Friday after less than two weeks in the job.
But even by the industry’s standards, helping to hack a British news site to take over visitors’ devices is a brazen step. Even when such spyware is deployed against human rights defenders, software like NSO’s is used only to target specific individuals.
“It’s outrageous,” said John Scott-Railton, a senior researcher at the University of Toronto’s Citizen Lab, which researches hacking campaigns.
Middle East Eye didn’t respond to a request for comment.
In an article about ESET’s research published Tuesday, Middle East Eye said it “is exploring possible legal action that could be taken against parties it believed may have played a role in the attack.”
Brian Bartholomew, a researcher at the cybersecurity company Sentinel One who has researched Candiru, said the company is “very much like a modern arms dealer.”
“They’re selling the weapons that enable the attacks, and unfortunately they’re not being very good with who those weapons go to,” Bartholomew said.