Candiru: UK government won't say whether it will complain to Israel over spyware attacks

The British government has refused to say whether it has or will complain to Israel following reports that UK-based Middle East Eye was among targets of an alleged cyber-attack linked to a Tel Aviv spyware firm already sanctioned in the United States.

The alleged attack, which a cybersecurity firm said has "strong links" to Candiru, a highly secretive Israeli firm that only sells its spyware to governments, follows earlier reports that the NSO Group's Pegasus software was used to target phones in the UK.  

On Wednesday, a member of parliament leading a group of politicians who, along with researchers and rights groups, is calling on the UK government to take a stronger stance, urged the government to speak up and take action against the two Israeli firms linked to the attacks.

'The prime minister must urgently condemn these attacks, and follow the lead of the US administration in sanctioning the groups'

- Layla Moran, Liberal Democrats' foreign affairs spokesperson

"The prime minister must urgently condemn these attacks, and follow the lead of the US administration in sanctioning the groups," Layla Moran, the Liberal Democrats' foreign affairs spokesperson, told MEE. "We cannot stay silent."

On Tuesday, researchers at cybersecurity company ESET reported that at least 20 websites, including MEE were targeted by spyware linked to Candiru.

In two separate waves, one in 2020 and another this year, the perpetrators used several of the Middle East-focused websites to distribute malware to those who visited the sites, according to ESET's Matthew Faou.

It is unclear how the spyware took control of the websites, who was targeted, and what the hackers may have obtained as a result.

Also unknown is who was behind the attack, although Candiru - which is required to obtain an export licence from the Israeli Defence Ministry to sell systems abroad - only sells to government clients.

Candiru has said the company did not carry out attacks for customers and is not permitted to know how clients use its tools or who they target.

In a Twitter post, the Committee to Protect Journalists (CPJ) said it was concerned by the reports that news sites such Middle East Eye were apparently compromised, adding it was "one of the reasons CPJ is calling for regulation of the surveillance industry."

Little response

Asked on Wednesday whether the British government had complained to Israel about Candiru, a Foreign, Commonwealth and Development Office spokesperson said: “It is vital that everyone uses cyber capabilities in a way that is legal, responsible and proportionate to ensure cyberspace remains a safe and prosperous place for everyone.

“We speak regularly with partners and work closely with allies to tackle threats, improve resilience and raise any concerns where they arise.”

Moran, who was among 10 MPs calling on Prime Minister Boris Johnson last week to take a tougher stance on the spyware attacks, said the revelations should be "a matter of utmost concern. Yet the UK government’s response has been deeply underwhelming".

"Despite evidence of cyberattacks against individuals in the UK - in breach of international human rights law - we have seen little in way of response. The reports of cyberattacks on Middle East Eye are the latest concerning example," Moran told MEE.

This latest report is the third case that has emerged since July of Israeli spyware targeting UK citizens and entities, and the second case involving Candiru. 

The case that has the most attention is that of the alleged targeting of 400 British citizens and residents with spyware made by the Israel-based NSO Group, which was revealed in a series of stories published by a consortium of journalists and tech researchers starting in July.

'If the UK government doesn't take a clear and strong stand against mercenary hackers, UK citizens and institutions are going to keep finding themselves in the firing line'

- Bill Marczak, Citizen Lab

Those believed to have been targeted in the UK include two members of the House of Lords, academics, lawyers, journalists, an imam at a popular London mosque and Middle East dissidents and activists.

The NSO Group has said it does not operate the spyware that it sells to its customers and does not have access to the data of its clients' targets.

The second case also emerged in July when the University of Toronto's Citizen Lab reported that Candiru spyware had weaponised vulnerabilities in Google and Microsoft products which allowed more than 100 activists, journalists and others to be hacked.

While around half of those hacked were in Palestine, the remaining victims included an unknown number of people in the United Kingdom, as well as Israel, Iran, Lebanon, Yemen, Spain, Turkey, Armenia and Singapore, according to a Microsoft analysis.

The US government blacklisted NSO Group and Candiru earlier this month, saying their activities were against US foreign policy objectives and national security interests.

In contrast, the UK government publicly has only said that it raised concerns with the Israeli government "several times" about NSO Group's operations, and has declined to answer questions about what sparked those complaints and when they were made.

Researchers and digital rights advocates have complained that the UK government has not taken enough action in the face of the attacks and alleged hacking.

"If the UK government doesn't take a clear and strong stand against mercenary hackers, UK citizens and institutions are going to keep finding themselves in the firing line," Bill Marczak, a Citizen Lab researcher, told Forbes this week.

His colleague, John Scott-Railton, tweeted on Tuesday as the latest attacks came to light: "What explains UK inaction?"