A company called Gamma International has suffered a serious security breach, resulting in hackers posting its confidential data on the web for anyone to download.

You might think–there’s nothing so unusual in that. Organizations get hacked all the time.

What makes things different on this occasion, however, is the particular type of work that Gamma International does: it develops commercial network intrusion malware for the purposes of surveillance, and sells it to governments around the world.

And, it has been claimed, authoritarian regimes in Bahrain, Egypt, Turkmenistan and Oman are amongst those who are using Gamma’s controversial FinFisher spyware.

FinSpy software

In 2013, Citizen Lab published a report claiming that 36 countries around the world were hosting FinFisher Command & Control Servers.

The list of countries, which contains some who have a poor record for human rights and democracy, was: Australia, Austria, Bahrain, Bangladesh, Brunei, Bulgaria, Canada, Czech Republic, Estonia, Ethiopia, Germany, Hungary, India, Indonesia, Japan, Latvia, Lithuania, Macedonia, Malaysia, Mexico, Mongolia, Netherlands, Nigeria, Pakistan, Panama, Qatar, Romania, Serbia, Singapore, South Africa, Turkey, Turkmenistan, United Arab Emirates, United Kingdom, United States, and Vietnam.

FinFisher's global proliferation.

In April 2013, Gamma International’s antics raised the ire of Mozilla, developers of Firefox, after it was discovered that FinFisher had been deliberately disguised as the popular browser in an attempt to trick users into installing the malicious code.

Mozilla said in a public blog post that it had sent Gamma a cease and desist letter “demanding that these illegal practices stop immediately.”

Mozilla said that it had seen evidence that the Firefox disguise had been used by FinFisher in a spyware attack in Bahrain aimed at pro-democracy activists, in another attack during Malaysia's General Elections, and in a promotional demo produced by Gamma International.

So, campaigners sat up and listened when a hacker announced on Reddit this week that they had stolen 40GB worth of secret documents from Gamma International’s servers:

“It’s a European company that sells computer hacking and spying software to governments and police agencies. Two years ago their software was found being widely used by governments in the Middle East, especially Bahrain, to hack and spy on the computers and phones of journalists and dissidents. Gamma Group (the company that makes FinFisher) denied having anything to do with it, saying they only sell their hacking tools to ‘good’ governments, and those authoritarian regimes must have stolen a copy.”
 
“And that’s the end of the story until a couple days ago when I hacked in and made off with 40GB of data from Gamma’s networks. I have hard proof they knew they were selling (and still are) to people using their software to attack Bahraini activists, along with a whole lot of other stuff in that 40GB.”

The hacker then created a parody Twitter account (@GammaGroupPR) to highlight some of their findings, and–naturally enough–the attention of the media was easily drawn.

As a result, the secrets of FinFisher (also known as “FinSpy”) are being revealed–pulling back the curtain on the mysterious malware that is used by governments and intelligence agencies across the globe to silently infect and remotely control computers, log keystrokes and snoop on video calls.

Amongst the leaked documents published on the net are what appear to be authentic client records, manuals and brochures, price lists, source code, and details of the shady companies that sold Gamma International exploits and zero-day vulnerabilities for it to sell on to its own customers.

Security researchers and privacy campaigners will no doubt enjoy sifting through the code and stolen information, perhaps turning a blind eye to the criminal act which saw the documents become public.

I wouldn’t be shocked to see more revelations about FinFisher and its developer spilling out in the coming days. But one thing I suspect you may not hear is any word from the company which made the software.

At the time of writing, there is no mention of the security breach on Gamma International’s website, and it hasn’t made any public comment. Perhaps that shouldn’t be any surprise. After all, it is a company that likes to play its cards close to its chest…

Graham Cluley

Graham Cluley has contributed 9 posts to The State of Security.