Microsoft says it has disrupted the use of a spyware variant, dubbed DevilsTongue, that was used by various governments to spy on more than 100 people, including politicians, human rights activists, journalists, academics, embassy workers and political dissidents.
Both Microsoft and Citizen Lab at the University of Toronto’s Munk School have determined that DevilsTongue is being offered by an Israeli private sector firm known as Sourgum or Candiru. Citizen Lab describes Candiru as a Tel Aviv-based mercenary spyware firm that builds and sells specialised spyware to enable customers to spy on computers, mobile devices, and cloud accounts.
Possibly in an attempt to stay discreet and to hide its operations, infrastructure, and staff identities from scrutiny, Candiru changed its corporate registrations five times since it was founded. First registered as Candiru Ltd. in 2014, the firm changed its name to DF Associates Ltd. in 2017, then to Grindavik Solutions Ltd. in 2018, Taveta Ltd. in 2019, and finally Saito Tech Ltd. in 2020. The firm also has a subsidiary named Sokoto Ltd.
However, these attempts at deception didn’t really bear fruit, as a lawsuit brought by a former employee revealed that Candiru enjoyed $30 million in sales in the first two years since it was founded and that it has clients in “Europe, the former Soviet Union, the Persian Gulf, Asia and Latin America.” Citizen Lab also discovered that Candiru likely made sweet deals with Uzbekistan’s National Security Service, Singapore’s intelligence services, a company linked to Qatar’s sovereign wealth fund, and Saudi Arabia and the UAE.
Candiru, referred to as Sourgum by Microsoft, developed DevilsTongue as specialized spyware that can be installed on victims’ Windows devices through man-in-the-middle and physical attacks. Offered to buyers for €16 million, the spyware can infect an unlimited number of devices, but only ten devices can be monitored simultaneously, and only in specific countries, namely the US, Russia, China, Israel, and Iran.
However, if a buyer pays an additional €1.5M, they can use the spyware to target victims in an additional country and can monitor fifteen devices simultaneously. If they pay an additional €5.5M, they can conduct surveillance in an additional five countries and can monitor twenty-five devices simultaneously. The pricing structure implies that customers can only be cash-rich organisations or foreign governments.
After reverse engineering a copy of the spyware, Citizen Lab found that its functionalities include exfiltrating files, exporting messages saved in the Windows version of the privacy-oriented messaging app Signal, and stealing cookies and passwords from Chrome, Internet Explorer, Firefox, Safari, and Opera browsers. It is also capable of sending messages from logged-in email and social media accounts directly on the victim’s computer.
Citizen Lab and Microsoft discovered that DevilsTongue exploited two zero-day privilege escalation vulnerabilities in Windows, namely CVE-2021-31979 and CVE-2021-33771, to infiltrate devices and to enable its users to monitor targeted victims. Microsoft not only issued patches for the two vulnerabilities on 13th July but also built protections into existing devices to prevent infection.
“By examining how Sourgum’s customers were delivering DevilsTongue to victim computers, we saw they were doing so through a chain of exploits that impacted popular browsers and our Windows operating system,” wrote Cristin Goodwin, General Manager of Microsoft’s Digital Security Unit, in a blog post.
“The protections we issued this week will prevent Sourgum’s tools from working on computers that are already infected and prevent new infections on updated computers and those running Microsoft Defender Antivirus as well as those using Microsoft Defender for Endpoint.”
By developing four digital footprints and using a unique Internet scanning technique, Citizen Lab found at least 764 domain names that Candiru and its customers have been using, and also found Candiru systems operating from Saudi Arabia, Israel, UAE, Hungary, Indonesia, and other countries.
An indication of who Candiru’s customers were interested in targeting comes from the organisations whose domains were spoofed by Candiru. These organisations included human rights NGOs such as Amnesty International as well as the World Health Organisation (WHO), the United Nations, Black Lives Matter, and Refugee International.
Candiru also registered domains that spoofed the websites of Wikipedia, Turkish defense contractor Vestel, Visa services provider VFS Global, Office of the Special Envoy of the Secretary-General for Yemen, CNN, France 24, Euronews, Deutsche Welle, and Big Tech giants Google, Amazon, and Microsoft.
“Candiru’s apparent widespread presence, and the use of its surveillance technology against global civil society, is a potent reminder that the mercenary spyware industry contains many players and is prone to widespread abuse,” said Citizen Lab. “This case demonstrates, yet again, that in the absence of any international safeguards or strong government export controls, spyware vendors will sell to government clients who will routinely abuse their services.”
“Ultimately, tackling the malpractices of the spyware industry will require a robust, comprehensive approach that goes beyond efforts focused on a single high-profile company or country,” it added, criticizing Israel’s Ministry of Defense for failing to subject surveillance companies to the type of rigorous scrutiny that would be required to prevent abuses.