Gone FinFishing

The minds at Citizen Lab are at it again: detailing how surveillance software developed by Gamma International is being deployed by countries around the world to target the work of pro-democracy groups.

We previously reviewed their report on Blue Coat, a U.S.-based company whose firewall and web filtering products have ended up in Syria, Burma, and other countries with a history of internet surveillance and censorship.

This report adds to ongoing research to pinpoint deployments of Western-made surveillance and censorship technologies, particularly in countries that have been subject to unilateral or multilateral sanctions from the US and EU. Gamma International, the parent company of FinFisher, and Blue Coat are two companies featured in Reporters without Borders’ “Corporate Enemies of the Internet” report, for creating and selling technologies that “in the hands of authoritarian regimes, ... can be turned into formidable censorship and surveillance weapons against human rights defenders and independent news providers”.

The countries where Gamma International’s products have been detected are:

Australia, Bahrain, Bangladesh, Brunei, Canada, Czech Republic, Estonia, Ethiopia, Germany, India, Indonesia, Japan, Latvia, Malaysia, Mexico, Mongolia, Netherlands, Qatar, Serbia, Singapore, Turkmenistan, United Arab Emirates, United Kingdom, United States, and Vietnam.

The report finds that Gamma International was able to remotely update its products (in particular FinFisher and FinSpy) so that previously known means of detecting these tools were rendered ineffective.

To determine where FinFisher and FinSpy were being used, researchers at Rapid7 fingerprinted servers used in Bahrain and compared this information with historical internet scanning data to find FinFisher and FinSpy servers in other locations. After they shared their initial findings, according to the report:

Immediately after publication, the servers were apparently updated to evade detection by the Rapid7 fingerprint. We devised a different fingerprinting technique and scanned portions of the internet. We confirmed Rapid7’s results, and also found several new servers, including one inside Turkmenistan’s Ministry of Communications. We published our list of servers in late August 2012, in addition to an analysis of mobile phone versions of FinSpy. FinSpy servers were apparently updated again in October 2012 to disable this newer fingerprinting technique, although it was never publicly described.

This is particularly troubling, as users who may be unfairly targeted by these tools will have no way of knowing whether their online activities are being monitored. Even more troubling is evidence pointing to the use of FinSpy in targeted malware sent to activists.

JPG images embedded with FinSpy malware were sent to activist groups, first in Bahrain and then in Ethiopia. In the Ethiopia case, the sample malware contains Ethiopia-specific imagery (designed to lure viewers of these images to open and save them on their computers), and communicates with a command and control server that is still active.
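As an added example (not from the post or the Citizen Lab report), here is a small triage check for the "image that carries a payload" lure described above: it walks a file's JPEG marker structure and flags bytes appended after the End-Of-Image marker, or a file that is really a Windows executable despite its image name. The sample inputs are constructed, not real samples.

```python
import struct

SOI, EOI = b"\xff\xd8", b"\xff\xd9"


def jpeg_trailing_data(data: bytes) -> dict:
    """Walk the JPEG marker segments; report whether the bytes form a JPEG
    and how many bytes follow the End-Of-Image marker."""
    if not data.startswith(SOI):
        return {"is_jpeg": False, "trailing_bytes": 0}
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return {"is_jpeg": False, "trailing_bytes": 0}   # lost marker sync
        marker = data[pos + 1]
        if marker == 0xFF:                         # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:                         # EOI with no scan data
            return {"is_jpeg": True, "trailing_bytes": len(data) - pos - 2}
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:   # standalone markers
            pos += 2
            continue
        if pos + 4 > len(data):
            break
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if marker == 0xDA:                         # SOS: scan data until EOI
            end = data.find(EOI, pos + 2 + seg_len)  # FFD9 never occurs in scan data
            if end == -1:
                break
            return {"is_jpeg": True, "trailing_bytes": len(data) - end - 2}
        pos += 2 + seg_len
    return {"is_jpeg": False, "trailing_bytes": 0}   # truncated or malformed


def classify(data: bytes) -> str:
    """Triage verdict for a file that arrived with an image extension."""
    if data.startswith(b"MZ"):                     # PE header, not an image
        return "executable-with-image-name"
    info = jpeg_trailing_data(data)
    if not info["is_jpeg"]:
        return "not-a-jpeg"
    return "jpeg-with-trailing-data" if info["trailing_bytes"] else "clean-jpeg"


# Constructed samples: a minimal JFIF file, and a placeholder blob that
# stands in for an appended executable payload (not real malware).
CLEAN_JPEG = (SOI + b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01"
              + b"\x00\x00\x01\x00\x01\x00\x00"
              + b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
              + b"\x00\x12\x34" + EOI)
PAYLOAD = b"MZ\x90\x00" + b"\x00" * 20
```

Trailing data after the EOI marker is not proof of malware on its own (some cameras and editors append metadata), but together with an executable signature or a mismatched extension it is a cheap signal worth escalating.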

In Vietnam, targeted malware attacks have expanded to mobile phones. FinSpy Mobile for Android has been found to exfiltrate SMS messages and send them to a Vietnamese telephone number. The FinFisher suite, available on all major mobile phone platforms, has the same functionality as its PC-based version but also includes GPS tracking and silent ‘spy’ calls to snoop on conversations near the phone.

These actions by FinSpy are incredibly worrisome. These technologies can be obtained (in many cases quite easily, despite sanctions or other economic restrictions), used to gain access to people’s devices without their knowledge, and then have their identifiable features changed to make it difficult for people to realize that their activities are being monitored. Increasingly, these targeted attacks are much less obvious even to individuals with some knowledge of computer and mobile safety practices, and it becomes nearly impossible for average users to know if and when their devices have been hijacked.

In fact, in February of this year, Privacy International, the European Centre for Constitutional and Human Rights (ECCHR), the Bahrain Center for Human Rights, Bahrain Watch, and Reporters Without Borders filed a complaint with the Organization for Economic Cooperation and Development (OECD), calling for investigations into the role of Gamma International’s services in human rights abuses in Bahrain.

While no other formal complaints have been filed for its use in other countries, we will keep an eye out for further developments.