Gamma International is a company that makes spyware for government intelligence agencies around the world. In 2014, an anti-surveillance hacker going by the name of PhineasFisher broke into the company’s systems, exposing its advanced surveillance software FinFisher. The hack revealed a detailed list of monitoring products available from the firm, as well as a long list of countries that had purchased from them.
Among those locations were a number of nations with questionable human rights records, such as Bahrain and the United Arab Emirates. Evidence also revealed that FinFisher was instrumental in targeting activists Moosa Abd-Ali Ali and Ala’a Shehabi from Bahrain.
Fast forward a year and, despite the high-profile hack – which the anti-surveillance hacker no doubt hoped would damage the company’s reputation – FinFisher is still going strong. This revelation comes courtesy of CitizenLab, from the University of Toronto’s Munk School of Global Affairs, which has discovered that FinFisher is now a stand-alone company in its own right.
Alarmingly, the investigation carried out by the digital watchdog has revealed that FinFisher is now being used by even more governments than back in 2014, with evidence suggesting that the snooping software is now in use by a total of at least 32 agencies, in countries including Mexico, Venezuela, Paraguay, Oman, Saudi Arabia, Jordan, Lebanon and Kazakhstan, to name a few.
The surveillance suite, which is described by CitizenLab as ‘sophisticated and user-friendly’, can be used by governments to hack any target’s computer or smartphone. Once inside, the software monitors everything that a target does, including SMS, app messages, emails and phone calls, and, according to Reporters Without Borders, it is also capable of reading encrypted files.
In its report, CitizenLab explains how it managed to map the locations that use the spyware. According to the Toronto University watchdog, despite the surveillance firm’s bold claims that its proxies are ‘practically impossible to trace’, CitizenLab devised a method ‘for querying FinFisher’s “anonymizing proxies” to unmask the true location of the spyware’s master servers’. With that done, the digital watchdog was quite easily able to unmask some of the governments that use the software:
‘Since the master servers are installed on the premises of FinFisher customers, tracing the servers allows us to identify which governments are likely using FinFisher. In some cases, we can trace the servers to specific entities inside a government by correlating our scan results with publicly available sources.’
According to the report that was published on Thursday, CitizenLab had to scan the entire Internet six times to uncover the master servers revealed in its research. Commenting on the alarming spread of FinFisher since it was breached last year, lead researchers Bill Marczak and John Scott-Railton said:
‘There is growing global demand for ‘targeted intrusion in a box’ capabilities. Despite extensive, and often critical, publicity, products like FinFisher are purchased and deployed by countries all over the world. As the customer list grows, so should concern over the abuse potential of this technology.’
During CitizenLab’s investigation, the digital watchdog was at times able to cross-reference its findings about a particular IP address with information leaked to the Internet during an entirely different hacking incident: that of Italian firm Hacking Team. Hacking Team is a company that, like FinFisher, makes surveillance spyware for government agencies, and was also breached earlier this year (under almost identical circumstances) by the anti-surveillance hacker.
When CitizenLab cross-referenced the IP addresses it discovered during its Internet scans with those that had been leaked from Hacking Team, the team quickly realized that the two firms share some clients. In one case, for example, evidence of a demo that Hacking Team performed for the Indonesian Military (on site in Indonesia) showed exactly the same IP address as one of those discovered during its scans, allowing CitizenLab to attribute that particular FinFisher master server to the Indonesian government.
Despite trying its hardest, the research team was not able to uncover every location for every IP address discovered by its scans. In total, the team was able to identify 135 distinct FinFisher IP addresses, which, according to Marczak, means ‘there’s definitely more customers’ out there.
It is for that reason that the digital watchdog has gone public with its findings: to allow other researchers, journalists and interested parties to conduct further research if possible, helping to uncover more locations that use FinFisher.
Despite publishing most of the locations of the IP addresses it uncovered, CitizenLab does admit that it decided not to publish any locales that were lacking a firewall, because they are vulnerable to attack. In these cases, the watchdog decided not to publish just in case it caused a legitimately detrimental effect to ongoing inquiries:
‘We do not wish to disrupt or interfere with legally sanctioned investigations or other activities, but to ensure that citizens have the opportunity to hold their governments transparent and accountable.’