Citizen Lab Exposes Mercenary Spyware Vendor Candiru using Censys Data


September 15, 2021

Case Study Abstract

The Censys Universal Internet Dataset is a vital asset to threat hunters, including the Citizen Lab out of the University of Toronto, whose researchers used the data to understand spyware used to target human rights workers, journalists, and activists.

The spyware, from the company Candiru, had been used to impersonate sites from well-known advocacy organizations, such as Amnesty International, and to target at least 100 people working in activist and human rights organizations. Candiru claims that its products are “untraceable,” which makes finding domains, certificates, and other command and control infrastructure affiliated with its software especially challenging. However, using Censys data, Citizen Lab was able to understand which sites were impersonated and to pass on details to Microsoft that allowed the Microsoft Threat Intelligence Center (MSTIC) to find exploits.

The Universal Internet Dataset from Censys is the most comprehensive Internet-wide scan data in the industry. Censys continuously walks the entire IPv4 space, detecting 101 protocols on 3,500+ ports to produce a high-resolution map of the public Internet for threat hunters, attack surface managers, and other security professionals. Censys also provides free access to its datasets to researchers and non-profit organizations like Citizen Lab.

