An Israeli company that sells spyware is linked to fake websites that are used to hack targets, including in Armenia, according to a new report from the Citizen Lab at the University of Toronto and Microsoft.
Candiru is a secretive Israel-based company that sells spyware exclusively to governments. Reportedly, its spyware can infect and monitor iPhones, Androids, Macs, PCs, and cloud accounts. However, Microsoft notes that identifying victims of the malware in a country doesn’t necessarily mean that an agency in that country is a Candiru customer, as international targeting is common.
As part of its investigation, Microsoft observed at least 100 victims in Palestine, Israel, Iran, Lebanon, Yemen, Spain, the United Kingdom, Turkey, Armenia, and Singapore. Victims include human rights defenders, dissidents, journalists, activists, and politicians.
One way the company’s spyware infected targets was through web domains, and the researchers found that the firm’s software was associated with URLs masquerading as major NGOs, such as Black Lives Matter and Amnesty International. Citizen Lab’s research uncovered websites tied to Candiru with domain names such as “Amnesty Reports”, “Refugee International”, “Woman Studies”, “Euro News” and “CNN 24-7”.
In Armenia, for instance, a fake website was created to impersonate Armenpress, the country's state news agency.
Microsoft said in a blog post on Thursday, July 15 that it had disabled the “cyberweapons” of Candiru and built protections against the malware, including issuing a Windows software update.