The hacking tool vendor, named Candiru,
created and sold a software exploit that can penetrate Windows, one of many
intelligence products sold by a secretive industry that finds flaws in common
software platforms for its clients, said a report by Citizen Lab.
Technical analysis by security researchers
details how Candiru's hacking tool spread around the globe to numerous unnamed
customers, where it was then used to target various civil society
organizations, including a Saudi dissident group and a left-leaning Indonesian
news outlet, the reports by Citizen Lab and Microsoft show.
Attempts to reach Candiru for comment were unsuccessful.
Evidence of the exploit recovered by
Microsoft Corp suggested it was deployed against users in several
countries, including Iran, Lebanon, Spain and the United Kingdom, according to
the Citizen Lab report.
"Candiru's growing presence, and the
use of its surveillance technology against global civil society, is a potent
reminder that the mercenary spyware industry contains many players and is prone
to widespread abuse," Citizen Lab said in its report.
Microsoft fixed the discovered flaws on
Tuesday through a software update. Microsoft did not directly attribute the
exploits to Candiru, instead referring to it as an "Israel-based private
sector offensive actor" under the codename Sourgum.
"Sourgum generally sells cyberweapons
that enable its customers, often government agencies around the world, to hack
into their targets’ computers, phones, network infrastructure, and
internet-connected devices," Microsoft wrote in a blog post. "These
agencies then choose who to target and run the actual operations
themselves."
Candiru's tools also exploited weaknesses
in other common software products, like Google's Chrome browser.
On Wednesday, Google released a
blog post where it disclosed two Chrome software flaws that Citizen Lab found
connected to Candiru. Google also did not refer to Candiru by name, but
described it as a "commercial surveillance company." Google patched
the two vulnerabilities earlier this year.
Cyber arms dealers like Candiru often chain
multiple software vulnerabilities together to create effective exploits that
can reliably break into computers remotely without a target's knowledge,
computer security experts say.
Those types of covert systems cost millions
of dollars and are often sold on a subscription basis, making it necessary for
customers to repeatedly pay a provider for continued access, people familiar
with the cyber arms industry told Reuters.
"No longer do groups need to have the
technical expertise, now they just need resources," Google wrote in its
blog post.