The notorious FinFisher spyware is rising in popularity with government agencies across the world and 32 countries have been identified as users.
FinFisher is a sophisticated spyware suite sold exclusively to government agencies and police forces. The user-friendly software is able to remotely control any computer it infects, copy files, intercept Skype calls and log keystrokes, among other functions.
Developed by Munich-based FinFisher Gamma Group, the software is touted as a way to "help government law enforcement and intelligence agencies identify, locate and convict serious criminals."
However, a data breach which took place in August last year placed scrutiny on the secretive firm's business practices and clients. Stolen files placed on the web suggested FinFisher was being used for activities beyond tracking criminals -- such as spying upon high-profile Bahraini activists. It is believed that dissidents, law firms, journalists and political opposition in Bahrain and Ethiopia have also been monitored through FinFisher.
Citizen Lab, an interdisciplinary laboratory based at the University of Toronto, is well-known for research into global security and human rights issues. In a fresh investigation tracking users of the spyware suite, Citizen Lab said 32 countries contain at least one government entity that is "likely" using FinFisher.
"Despite the 2014 FinFisher breach, and subsequent disclosure of sensitive customer data, our scanning has detected more servers in more countries than ever before," Citizen Lab commented.
The Citizen Lab team devised a way to unravel and query FinFisher proxies to track the true location of the spyware's master servers despite the use of decoy website pages and redirections.
As master servers are installed on the premises of FinFisher clients, the team were able to pinpoint the locations of users -- and therefore which countries and agencies were likely to be using the software.
In addition, in some cases, Citizen Lab was able to unmask individual agencies by matching scan results with public sources, including emails from FinFisher's competitor Hacking Team, which was hacked earlier this year.
A total of 33 likely government users of FinFisher were traced in 32 countries, based on the presence of a FinFisher master server in the country.
A total of 10 entities have been named as alleged users of FinFisher. These agencies are the Directorate General of Forces Intelligence (DGFI) from Bangladesh, the Egyptian Technology Research Department (TRD), two groups from Indonesia including the National Encryption Body (Lembaga Sandi Negara), multiple agencies in Italy and the Kenyan National Intelligence Service (NIS).
The Lebanese General Directorate of General Security and Internal Security Forces (ISF), Mongolia's Special State Security Department (SSSD), the Moroccan Conseil Superieur De La Defense Nationale (CSDN) -- as well as other unnamed agencies -- Serbia's Security Information Agency (BIA) and multiple groups from Nigeria are also believed to be FinFisher clients.
Italy was of particular interest to Citizen Lab. One IP address tracked was once linked to rival Hacking Team, but now matches the fingerprint for FinFisher. This suggests the agency may have switched allegiance following the disastrous cyberattack and massive data dump that threw all of Hacking Team's corporate secrets into the public realm, as well as the rapid patching of Hacking Team exploits by vendors.
Citizen Lab was able to unmask previously unknown countries utilizing FinFisher, suggesting that despite the 2014 security breach, surveillance software is rising in popularity. These countries are Angola, Egypt, Gabon, Jordan, Kazakhstan, Kenya, Lebanon, Morocco, Oman, Paraguay, Saudi Arabia, Slovenia, Spain, Taiwan, Turkey, and Venezuela.
"In presenting our scan results, we do not wish to disrupt or interfere with legitimately sanctioned investigations or other activities. Instead, we hope to ensure that citizens have the opportunity to hold their governments transparent and accountable," Citizen Lab says.
"Intrusion software presents a challenge for accountability in any country, and the oversight authorities in under-resourced countries facing domestic or international security threats may be particularly ill-equipped in expertise and political clout, to identify or act on signs of misuse."
The Wassenaar Arrangement, which now includes cybersecurity weapons within weapon export controls, has been amended to include software such as FinFisher. However, it remains to be seen whether this will lead to greater transparency concerning spyware tools -- or greater secrecy.