Elusive FinFisher Spyware Identified and Analyzed
The FinFisher spyware, produced by the UK-based Gamma Group, has been for years as elusive as it was notorious. Since protesters found FinFisher company records in an abandoned Egyptian state security building last year, security researchers and activists around the world have been eager to get their hands on a copy of the tools in the FinFisher suite, especially the component called FinSpy. FinSpy has been the subject of particular interest because of its ability to wiretap calls made over the Skype network, which is widely used among activists all over the world, often in the belief that it is more secure than other forms of communication.
Now for the first time, a copy of the spyware has been publicly analyzed. Morgan Marquis-Boire, a security researcher at Citizen Lab, and Bill Marczak, a founding member of Bahrain Watch, have published an in-depth analysis of FinSpy after obtaining a copies of the program used to target pro-democracy activists.1 The targeted activists were each involved with the government transparency organization Bahrain Watch, but were located in different cities around the world. The spyware was included in targeted attachments that purported to come from an Al-Jazeera journalist and contain pictures and information about current events in Bahrain.
It's not clear that Bahrain Watch was being targeted specifically. "The malware seemed to have targeted people who are involved in activist organizations, particularly activists who have significant contacts outside of Bahrain," said Marczak.
The activists were suspicious of the email attachments they had received and passed the files along to Bloomberg News, which turned them over to Marquis-Boire. In addition to posting materials on the Citizen Lab site, he will be presenting the results of his analysis at the BlackHat security conference today in Las Vegas. Perhaps the most notable difference Marquis-Boire has revealed between FinSpy and less sophisticated malware tools like those used by the Syrian government is the way in which this software was designed to defy analysis: not only was FinSpy actively avoiding detection by anti-virus programs, but it was also heavily "booby-trapped," causing many of the most popular debugging programs to crash during attempts to analyze and identify the code.
Gamma and FinFisher have come under heavy international scrutiny for their apparent willingness to export sophisticated surveillance technologies to oppressive government regimes. Hosni Mubarak's government in Egypt is just one example. According to Privacy International, "there is also evidence that this technology has been deployed in Turkmenistan, a one-party state that Human Rights Watch labelled 'one of the world's most repressive countries' in March 2012." Privacy International is currently engaged in legal action against the British government. The action arose after Privacy International issued repeated requests for information about why the government has chosen not to exercise its powers under the Export Control Act of 2002 to restrict sales of technical goods or services to governments that could be used to commit human rights abuses. FinFisher's products appear to fall into that category.
Similarly, EFF has been calling for companies that produce surveillance technology to adopt "Know Your Customer" standards, like those required by Foreign Corrupt Practices Act and other export regulations, and avoid becoming "repression's little helper." An EFF white paper from April of this year, "Human Rights and Technology Sales," addresses the problem in greater depth.
For its part, FinFisher has chosen to hide behind claims of client confidentiality. In an article in the Wall Street Journal last year, a lawyer for Gamma said it "cannot otherwise comment upon its confidential business transactions or the nature of the products it offers." But promotional materials, obtained through the files discovered in Egypt and through Wikileaks releases, are more forthcoming. As reported by OWNI, one 2007 presentation boasted of "Black Hat Hacking tactics to enable Intelligence Agencies to gather information from target systems that would be otherwise extremely difficult to obtain legally."
Citizen Lab has provided a set of straightforward recommendations that advise against opening unsolicited attachments, even from links that appear to be from friends. And now that security researchers have obtained a copy of FinSpy, work can begin on preparing tools that can detect and remove the program from infected computers.
- 1. Marquis-Boire has also co-written several entries on this site analyzing reports of Syrian government malware.