Microsoft disrupts products from Israeli tech firm used to hack journalists, activists

Microsoft on Thursday announced that it had disrupted the use of what it described as “cyberweapons” manufactured and sold by an Israeli-based company to target victims worldwide including journalists and human rights activists.

The group, known as “Sourgum,” is what Microsoft described as a “private sector offensive actor,” and was known to sell weapons to government agencies around the world that were then used to hack into the personal devices of targeted individuals, including phones, computers and other internet-connected devices. 

“These agencies then choose who to target and run the actual operations themselves,” Cristin Goodwin, general manager of Microsoft’s Digital Security Unit, wrote in a blog post published Thursday.

“The weapons disabled were being used in precision attacks targeting more than 100 victims around the world including politicians, human rights activists, journalists, academics, embassy workers and political dissidents,” Goodwin noted. 

The discovery of the use of Sourgum products to target people was due to a tip given to Microsoft by Citizen Lab about the malware used by the group. Citizen Lab worked with Microsoft’s Threat Intelligence to analyze the malware, with new vulnerabilities found that Microsoft issued a patch for earlier this week to protect targeted customers.

According to a report from Citizen Lab published Thursday, the victims were based in countries including Israel, Palestine, Iran, Lebanon, Yemen, Spain, the United Kingdom, Turkey, Armenia and Singapore.

Citizen Lab researchers labeled the group as “Candiru” instead of Sourgum, and wrote in the report that it was based in Tel Aviv and was “a mercenary spyware firm that markets ‘untraceable’ spyware to government customers.”

Citizen Lab concluded that it was likely that Candiru, which recruits from Israeli Defense Forces for employees, had likely sold spyware in recent years to the governments of Uzbekistan, Qatar, Saudi Arabia, the United Arab Emirates and Singapore. 

The products sold by the company can be used to infiltrate data from Gmail, Telegram, Skype and Facebook accounts of victims, along with having the ability to turn on a device’s camera and microphone, take screenshots, and steal passwords and browsing history. 

The spyware was often delivered to victims through fake websites masquerading as major organizations, including faked websites of Black Lives Matter, Refugees International, the World Health Organization, Amazon and a host of other big tech companies.  

“Candiru’s apparent widespread presence, and the use of its surveillance technology against global civil society, is a potent reminder that the mercenary spyware industry contains many players and is prone to widespread abuse,” the Citizen Lab report reads. “This case demonstrates, yet again, that in the absence of any international safeguards or strong government export controls, spyware vendors will sell to government clients who will routinely abuse their services.”

Goodwin noted that Microsoft was “grateful to Citizen Lab for sharing the malware that sparked this work and for its offer to work with potential victims of these attacks.”

This case is not the first that Microsoft has faced involving private sector offensive actors and spyware. The company filed an amicus brief in support of a case brought by WhatsApp in 2019 against Israeli firm NSO Group, alleging that NSO marketed spyware hack accounts of specific targeted individuals. 

Goodwin stressed that Microsoft would continue its work against these types of companies.

“A world where private sector companies manufacture and sell cyberweapons is more dangerous for consumers, businesses of all sizes and governments,” Goodwin wrote.