Further evidence of western technology being used by Arab regimes to spy on activists. FinFisher, the makers of the spyware, were identified by Owni & WikiLeaks last year as part of the global surveillance arms trade.
At 5, I won a TV set. At 15, I wanted to make films. At 17, I launched a fanzine, an underground one. At 20, a review, an experimental one. At 25, a free newspaper about the "screen arts". At 28, I discovered the Net.
In spring of this year, a Bahraini exile in London, a British economist in Bahrain and a naturalised American living in Alabama all received the same short email, apparently sent by an Al-Jazeera journalist.
The email mentioned a report written by Zainab al-Khawaja, a human rights activist in Bahrain, about the torture of imprisoned fellow activist Nabeel Rajab, followed by this statement.
Please check the attached detailed report along with torture images.
A few days later the trio received more emails. Some made reference to the arrest of opposition figures in Bahrain, and others to the agenda of the king of Bahrain. Every email was accompanied by a compressed file attachment, raising suspicions that they might contain computer viruses.
The emails were forwarded to Vernon Silver, a Bloomberg journalist who has been closely following instances of western surveillance technology being used by Arab dictatorships. Silver had the emails analysed by two researchers associated with the Citizen Lab, a Canadian research laboratory that specialises in studying political surveillance technology.
Morgan Marquis-Boire, a computer security engineer working at Google, is an expert (pdf) in the type of spyware that was used by Libyan and Syrian thugs to hack cyber-dissidents’ computers. Bill Marczak, a doctoral student in computer science at Berkeley, is a member of Bahrain Watch, a group which promotes transparency in Bahrain. Bahrain Watch documents the protesters and civilians killed by Bahraini authorities, the weapons (buckshot, grenades and tear gas) purchased from western companies, and the western public relations firms employed by the regime at handsome rates.
The two researchers discovered a particularly sophisticated piece of spyware, employing “myriad techniques designed to evade detection and frustrate analysis”. By analysing the spyware’s code, the researchers uncovered mentions of FinSpy, the British company Gamma International, and the names of several of its directors.
According to this contract proposal found in March 2011 in an Egyptian security service building after the fall of the Mubarak regime, the FinSpy spyware retails at about €300,000. It’s one of the flagship products in the range of “offensive cyber-war” tools marketed by FinFisher, a subsidiary of Gamma, which specialises in surveillance and telecommunications interception systems. Owni reported on this product range last year; we even put together this video montage of promotional clips explaining how the software operates.
As part of the SpyFiles operation, WikiLeaks and Privacy International revealed that FinFisher was one of five digital surveillance arms dealers, specialising in ‘trojans’. This type of spyware presents itself as a legitimate file, before infecting a computer in order to remotely activate microphones and cameras and to record every keystroke (including of course passwords), Skype conversations, instant messages, emails, etc. Then, in an encrypted and undetectable manner, the spyware sends back the intercepted data via servers located in various countries abroad.
Another computer security researcher has subsequently managed to identify the servers used to control FinSpy, and thus spy on computers in Estonia, Ethiopia, Indonesia, Latvia, Mongolia, Qatar, the Czech Republic, the USA, Australia and Dubai.
In a second post, published in late August, Citizen Lab revealed that they had identified two more servers: one in Bahrain, the other controlled by the Ministry of Telecommunications in Turkmenistan, considered one of the most repressive regimes in the world.
The two researchers also detail how FinSpy Mobile operates. The system allows the user to infect iPhones and Android, Symbian, Blackberry and Windows mobile phones, in order to spy on SMS, emails and telecommunications, extract contacts and other data, geolocate the phone, and even remotely activate the phone without the user being aware of the slightest manipulation.
Interviewed by Bloomberg, Martin J. Muench, the 31-year-old designer of FinFisher, denied having sold his trojan software to Bahrain, but acknowledged there may be a “demo version” of the spyware that was stolen from Gamma International.
Speaking to The New York Times he denied any involvement, explaining that his products were only intended to fight criminals, starting with paedophiles.
The most frequent fields of use are against pedophiles, terrorists, organised crime, kidnapping and human trafficking.
In a statement released less than an hour after the publication of the second Citizen Lab post, Martin J. Muench explained that one of Gamma’s servers had been hacked, and demo versions of FinSpy had been stolen. In the process, many of the servers used by FinFisher to allow them to track back the siphoned data had disappeared.
As our investigation into Amesys, the French arms dealer who created a system for widescale monitoring of the Internet for the Gaddafi regime in Libya, has shown, the export of spyware and telecommunications interception and surveillance systems is not regulated. No law therefore precludes a western arms dealer from trading with a dictatorship or a country that is known to use these tools to spy on political opponents and human rights activists.
To protect against these types of trojans, Citizen Lab points out that spyware can only be installed if the hacker has physical access to the machine (computer or phone), or if the target voluntarily opens an attachment or application. The spyware is usually carefully presented to appear to come from a trustworthy person or institution. The researchers also recommend regularly updating operating systems and software, starting with anti-virus software and the Office, Acrobat, Java and Flash suites, and making sure that the updates originate from legitimate and trustworthy sources. They further recommend installing password-protected screensavers (to prevent an intruder trying to take advantage of a pee break to hack your system) and, if possible, using strong passwords and encryption software.