Government spyware exposed after massive data breach

News by Doug Drinkwater

Gamma International Ltd - an Anglo-German company that makes and sells FinFisher spyware to various European, American and Asia Pacific governments and law enforcement agencies - has been hit by a large data breach that exposed hundreds of confidential documents.

An anonymous hacker claimed on Reddit and Twitter on Wednesday afternoon that he had compromised the company's network, and first posted links to a torrent file on Dropbox (it was later removed, but the files can be found here instead). The torrent contains what is believed to be authentic client records, price lists, source code, documentation on the effectiveness of the spyware, support manuals and a list of classes and tutorials.

“Basically it's a European company that sells computer hacking and spying software to governments and police agencies,” read the hacker's post on community website Reddit.

“Two years ago their software was found being widely used by governments in the Middle East, especially Bahrain, to hack and spy on the computers and phones of journalists and dissidents.

“Gamma Group (the company that makes FinFisher) denied having anything to do with it, saying they only sell their hacking tools to 'good' governments, and those authoritarian regimes most [sic] have stolen a copy.”

After reportedly compromising the server, the hacker established a parody 'GammaGroupPR' Twitter account to give more details on the torrent. He added some humour as well, saying that the firm was now selling the spyware to the general public as it had "run out of governments to sell to."

One of the leaked spreadsheets documented how FinFisher fared at evading detection by the 35 leading anti-virus (AV) products, while another document - dated April - detailed how Gamma's 2014 patches ensured that the rootkit component of FinFisher version 4.51 (also known as FinSpy) would not be detected by Microsoft Security Essentials.

The dump further reveals how the malware can record two Windows screens at the same time, and that it is more effective at email interception when the target uses Mozilla's Thunderbird or Apple's Mail. In addition, supporting documentation indicates that a recording prompt alerts victims to the presence of FinFisher when using Skype on Apple's OS X, and that FinFisher cannot tap Skype users on the 'Metro' version of Windows 8.

Gamma International - which is part of the UK-based Gamma Group - had not confirmed the authenticity of the documents, or whether it had been breached, at the time of publication.

Information on the Gamma Group spy kit was first leaked to WikiLeaks in October 2011. The spyware has been used mainly in countries in the Middle East to spy on dissidents and journalists.

The Economist last month uncovered how governments were using the spyware to target activists, most notably dissidents based in Bahrain, while Citizen Lab research back in 2012 showed that FinFisher surveillance was targeting mobile devices too. Researchers from the lab have also recently been investigating the 'untraceable' Remote Control System spyware sold by Italy-based Hacking Team.

According to the documents, the FinSpy program costs €1.4 million (£1.1 million) and a variety of pen testing training services are priced at €27,000 (£21,400) each. Support costs range from €2,218 (£1,760) for USB malware support to €331,840 (£263,170) for an additional year of support for the product.

The spyware lets users remotely control any PC, copy, delete and modify files, intercept Skype VoIP calls and log keystrokes, and much more, while Gamma International provides zero-day exploits acquired from French company Vupen.

Brian Honan, founder and consultant at BH Consulting, said the breach was a sign that 'even a security company' could be targeted, and urged other companies to ensure that confidential data is ring-fenced and that they are actively monitoring logs and implementing effective incident response.

“I hope the knock-on effects from this data dump will expose which governments, countries, and agencies are using FinFisher to spy on their citizens. I also hope that the AV industry ensures that their products can better detect such spying software. Finally, it gives us an insight into the limitations of such spyware and how to better protect our systems from it.”

Honan added that many of these governments have already worked out how to compromise the spyware, and that he expects to see them develop countermeasures.

"The leak may result in a number of governments looking at how this spyware works and how vulnerable their representatives and citizens are to being monitored by it. For government officials the leak may also reveal what effective countermeasures they may put in place should they suspect FinFisher or similar spyware may be used against them."

Security industry expert Scott MacKenzie, CISO with cyber security solutions provider Logical Step, added in an email exchange with SC that the tools also appear to break WEP/WPA encryption and offer network monitoring of SSL sessions, but he expects Gamma to release new patches to address the leak.

He added, however, that there are legitimate reasons for using the spyware.

"The Gamma hack is likely to disrupt existing intelligence and law enforcement operations that are monitoring organised crime groups, terrorism and paedophile rings," said MacKenzie.

"Given the current threat landscape, I have to assume the intelligence agencies are using the information to protect the citizens of the country. Given there has not been a major attack on UK soil in nearly a decade, I have to assume that this approach is effective."
