Top gov't spyware company hacked; Gamma's FinFisher leaked

Summary: The maker of secretive FinFisher spyware -- sold exclusively to governments and police agencies -- has been hacked, revealing its clients, prices and its effectiveness across an unbelievable span of apps, operating systems and more.

Topics: Security, Malware

The company that makes and sells the world's most elusive cyber weapon, FinFisher spyware, has been hacked, and a 40GB file has been dumped on the internet.

The slick and highly secret surveillance software can remotely control any computer it infects, copy files, intercept Skype calls, log keystrokes -- and now we know it can do much, much more.

(Image: Gamma PR 01)

A hacker has announced on Reddit and Twitter that they'd hacked Anglo-German company Gamma International UK Ltd., makers of FinFisher spyware sold exclusively to governments and police agencies.

The file was linked both on Reddit and "@GammaGroupPR" -- a parody Twitter account by the hacker taking credit for the breach. The Twitter account is still doling out tidbits from the massive theft.

The Reddit post, "Gamma International Leaked", in /r/Anarchism said:

Two years ago their software was found being widely used by governments in the middle east, especially Bahrain, to hack and spy on the computers and phones of journalists and dissidents.

Gamma Group (the company that makes FinFisher) denied having anything to do with it, saying they only sell their hacking tools to 'good' governments, and those authoritarian regimes most [sic] have stolen a copy.

...a couple days ago [when] I hacked in and made off with 40GB of data from Gamma's networks. I have hard proof they knew they were selling (and still are) to people using their software to attack Bahraini activists, along with a whole lot of other stuff in that 40GB.

The stolen FinFisher spoils were first leaked as a torrent file on Dropbox and have since been shared across the internet, meaning that controlling the information leak is now impossible.

FinFisher's notoriety of late has come from its use in the government targeting of activists, notably linked to the monitoring of high profile dissidents in Bahrain.

According to initial reports, the enormous file contains client lists, price lists, source code, details about the effectiveness of FinFisher malware, user and support documentation, a list of classes and tutorials, and much more.

One spreadsheet in the dump tracks how FinFisher fared against 35 leading antivirus products, a record of how the malware is tuned to evade detection.

The documents also reveal usage statistics by country.

(Image: Gamma PR 03)

The hacker posted to @GammaGroupPR:

(Images: Gamma PR 02; Gamma 2009; Gamma 2010; Gamma 2014)

A release-notes document covers Gamma's April 2014 patches, made to keep its rootkit from being flagged by Microsoft Security Essentials. It also notes that the malware now captures dual-screen Windows setups, and reports improved email interception for Mozilla Thunderbird and Apple Mail.

Gamma's notes concede that FinFisher's call recording is exposed by Skype on OS X (Skype shows a recording prompt), and the same holds for the Windows 8 Metro Skype app, though the spyware remains undetected by the Windows desktop client.

The files also contain lists of applications the spyware can hook and ones it cannot, many still marked as to be determined. Among the infection vectors are a fake Adobe Flash Player updater and a fake Firefox plugin for RealPlayer.

One of the files contains extensive documentation relating to WhatsApp, though its exact purpose is still undetermined.

Reporting on just such spyware last month, The Economist noted,

Currently it is legal for governments to buy the spyware—the sale and export of surveillance tools is virtually unregulated by international law.

Spyware providers say they sell their products to governments for “lawful purposes”.

But activists allege that their governments violate national laws in their often politically motivated use of such software. They argue that companies should be held accountable for selling spyware to repressive governments.

The Register reported:

A price list, which appeared to be a customer's record, revealed that the FinSpy program cost 1.4 million euros and a variety of penetration-testing training services were priced at 27,000 euros each.

The document did not contain a date but it did show prices for malware targeting the recent iOS version 7 platform.

Links have appeared on Twitter to a GitHub repository holding the FinFisher docs, although it is being noted that, because of Gamma's operational security practices, the unencrypted source code in the dump is fairly useless on its own.

Gamma isn't in the business of creating zero-days, being more of an "ecosystem" spyware company, but apparently it does sell them to its clients.

On the list of zero-day vendors from which Gamma appears to purchase its exploits is the controversial French company VUPEN.

(Image: Gamma PR 04)

The documents are going to give those fighting against Gamma, and those trying to circumvent FinFisher spyware, an advantage that was previously unimaginable.

The docs will be of particular interest to researchers at Citizen Lab, who have been working to understand and expose FinFisher (and its component FinSpy) for the past few years.

Citizen Lab released its first full report on Gamma and FinFisher in a July 2012 post, "From Bahrain With Love: FinFisher's Spy Kit Exposed?"

Bloomberg detailed the efforts to unmask the spyware in "Cyber Attacks on Activists Traced to FinFisher Spyware of Gamma", saying:

For the past year, human rights advocates and virus hunters have scrutinized FinFisher, seeking to uncover potential abuses. They got a glimpse of its reach when a FinFisher sales pitch to Egyptian state security was uncovered after that country's February 2011 revolution.

Until then, researchers had only suspected the malware's existence. Mikko Hypponen, chief research officer at Helsinki-based security company F-Secure, told Bloomberg at the time, "We know it exists, but we've never seen it -- you can imagine a rare diamond."

It's safe to say that we're going to be finding out a lot more in the weeks to come about this previously well-kept spying secret.

Talkback

19 comments
  • Top gov't spyware company hacked; Gamma's FinFisher leaked

    "en.wikipedia.org/wiki/Security_through_obscurity"
    All software is hackable, however hardened or well-engineered it is. And the open-source community's way of having many eyes checking and counter-checking its source code mitigates many of the vulnerabilities that otherwise would have slipped detection. And though not a panacea for all software ills, at least they are doing the right thing. Hope this incident will serve as a reminder to those who believe that their systems are secure...
    kc63092@...
    • @kc63092

      You stated, "[A]nd the open-source community's way of having many eyes checking and counter-checking their source codes mitigate many of the vulnerabilities that otherwise would have slipped detection."

      If Heartbleed taught us anything, it should be that in fact there are NOT many eyes checking and counter-checking source code. Open-source software has always had a kind of implicit trust among the people who use it. That being: if someone is willing to write source code and publish it somewhere, everyone can look it over and make improvements/fixes where necessary. Because that's the way open source works, we all assume there is "someone" out there doing just that. Hence the implicit trust.

      But we all only assume that. It is rarely (if ever) done in practice. Going back to Heartbleed, even the small team of developers of the libsec and libssl libraries admitted they didn't peer-review the source code. If it compiled and tested successfully against a handful of tests, it was published.

      I can read and write the C programming language, but I never take the time to study every single line of code of the open-source software I download and run. Why? Because I implicitly trust that the code I'm running was checked and counter-checked by many eyeballs.
      malchore
    • Is this an ad?

      I see a link here for selling the software
      SmilingGuy
  • Justified unwanted necessity

    You stupids, without those Gamma like companies there is another 9/11 around the corner.
    eaglestar
    • Bwahahahahahahaaaaaaa!

      Who writes your material? It's hilarious! But if I were you, I'd keep my day job.
      thetwonkey
    • So you think "the end justifies the means"...

      So you think "the end justifies the means"...

      What will happen when that government decides to spy ON YOU.
      ssamayoagt
      • ON ME

        Probably they are doing it right now.
        eaglestar
    • so install it on all your machines

      And we'll all be safe
      LarsDennert
    • Arrrgh

      "Those Who Sacrifice Liberty For Security Deserve Neither"
      MCTronix
      • Yeah, liberty

        Hey BJ, tell this to families who lost their members because of that liberty.
        eaglestar
        • CIA netbot

          or just ignorant?
          lord koos
    • This software isn't necessary

      The government program Able Danger identified at least two of the hijackers long in advance of 9/11 and they ignored the evidence. They don't need FinFisher to prevent such attacks.
      Astringent
      • Not FinFisher

        I wrote Gamma like companies, not that FinFisher SW is needed.
        eaglestar
  • So VUPEN sells zero days to FinFisher who resells them to possible terrorist harboring governments? Great, just great.
    MongooseProXC
  • Antisemitism is the mark of unstable minds

    The fact that the hackers are anti-Israel tells me all I need to know about them.
    Froggey1
    • You're confused...

      Being anti-Israel doesn't mean being antisemitic. Two very different things. You speak like a victim. You need to get over it!
      Eleutherios
  • and in todays news

    If it's not one thing, it's another, whether it be the news on television trying to get you worried about one thing or another, and also on the net with vulnerabilities to privacy etc., which we should all be concerned about, but sometimes it's in your face 24/7.
    leam14
  • I must say....

    ....The dirty hackers got hacked.......Haha haha haha!
    If they wish to play with international politics and decide who is good or bad and sell accordingly, then they WILL grow some enemies who don't agree with them. Today it would seem that if somebody disagrees with a government that person is treated like a criminal. The few feel that the many should not question them.....why is this so?
    Tonydid
  • Excel data-set is online, with spending per country, per product etc

    FinFisher Spending Review https://twitter.com/isgroupsrl/status/511885936280764416
    ascii-ush