A world where private sector companies manufacture and sell cyberweapons is more dangerous for consumers, businesses of all sizes and governments. Microsoft takes this threat seriously and has disrupted the use of certain cyberweapons manufactured and sold by a group called Sourgum. The weapons disabled were being used in precision attacks targeting more than 100 victims around the world, including politicians, human rights activists, journalists, academics, embassy workers and political dissidents. To limit these attacks, Microsoft focused on two actions. First, building protections into its products against the unique malware Sourgum created, and sharing those protections with the security community. Second, issuing a software update that will protect Windows customers from the exploits Sourgum was using to help deliver its malware.
Citizen Lab has identified the group as a company called Candiru. Sourgum generally sells cyberweapons that enable its customers, often government agencies around the world, to hack into their targets’ computers, phones, network infrastructure and internet-connected devices. These agencies then choose who to target and run the actual operations themselves.
Microsoft initially started this work after receiving a tip from Citizen Lab about malware used by Sourgum. The Microsoft Threat Intelligence Center (MSTIC) and Microsoft Security Response Center (MSRC) spent weeks examining the malware, documenting how it works and building protections that can detect and neutralize it. The malware is named DevilsTongue. Protections against DevilsTongue were built into Microsoft's security products, and Microsoft has shared these protections with others in the security community so they can protect their own customers.
By examining how Sourgum's customers were delivering DevilsTongue to victim computers, Microsoft saw they were doing so through a chain of exploits that affected popular browsers and the Windows operating system. Earlier this week, updates were released which, when installed, protect Windows customers from two key Sourgum exploits.
These attacks have largely targeted consumer accounts, indicating Sourgum's customers were pursuing particular individuals. The protections Microsoft issued this week will prevent Sourgum's tools from working on computers that are already infected, and will prevent new infections on updated computers, on those running Microsoft Defender Antivirus, and on those using Microsoft Defender for Endpoint.
This is part of broader legal, technical and advocacy work Microsoft is undertaking to address the dangers caused when private sector offensive actors (PSOAs) build and sell weapons. These companies increase the risk that weapons fall into the wrong hands and threaten human rights. That is why, for example, Microsoft filed an amicus brief in a legal case brought by WhatsApp against another PSOA called NSO Group.
Microsoft will continue to identify PSOAs using the names of trees and shrubs, as it has done with Sourgum. This is similar to how it uses elements of the periodic table to name the nation-state actor groups it has identified.