Top gov't spyware company hacked; Gamma's FinFisher leaked

The maker of secretive FinFisher spyware -- sold exclusively to governments and police agencies -- has been hacked, revealing its clients, prices and its effectiveness across an unbelievable span of apps, operating systems and more.
Written by Violet Blue, Contributor

The company that makes and sells the world's most elusive cyber weapon, FinFisher spyware, has been hacked and a 40G file has been dumped on the internet.

The slick and highly secret surveillance software can remotely control any computer it infects, copy files, intercept Skype calls, log keystrokes -- and now we know it can do much, much more.

Gamma PR 01

A hacker has announced on Reddit and Twitter that they'd hacked Anglo-German company Gamma International UK Ltd., makers of FinFisher spyware sold exclusively to governments and police agencies.

The file was linked both on Reddit and "@GammaGroupPR" -- a parody Twitter account by the hacker taking credit for the breach. The Twitter account is still doling out tidbits from the massive theft.

The Reddit post Gamma International Leaked in self.Anarchism said,

Two years ago their software was found being widely used by governments in the middle east, especially Bahrain, to hack and spy on the computers and phones of journalists and dissidents.

Gamma Group (the company that makes FinFisher) denied having anything to do with it, saying they only sell their hacking tools to 'good' governments, and those authoritarian regimes most [sic] have stolen a copy.

...a couple days ago [when] I hacked in and made off with 40GB of data from Gamma's networks. I have hard proof they knew they were selling (and still are) to people using their software to attack Bahraini activists, along with a whole lot of other stuff in that 40GB.

The stolen FinFisher spoils were first leaked as a torrent file on Dropbox and have since been shared across the internet, meaning that controlling the information leak is now impossible.

FinFisher's notoriety of late has come from its use in the government targeting of activists, notably linked to the monitoring of high profile dissidents in Bahrain.

According to initial reports, the enormous file contains client lists, price lists, source code, details about the effectiveness of Finfisher malware, user and support documentation, a list of classes/tutorials, and much more.

One spreadsheet in the dump explains that FinFisher performed well against 35 top antivirus products, showing how the sophisticated malware efficiently defeats detection.

The documents also reveal usage statistics by country. 

Gamma PR 03

The hacker posted to @GammaGrouPR:

Gamma PR 02
Gamma 2009
Gamma 2010
Gamma 2014

A release notes doc covers Gamma's April 2014 patches to ensure its rootkit avoids Microsoft Security Essentials. It also explains that the malware records dual screen Windows setups, and reports better email spying with Mozilla Thunderbird and Apple Mail.

Gamma does note that FinFisher is detected by OSX Skype (a recording prompt appears), and the same is for Windows 8 Metro -- though the spyware goes well undetected by the desktop client.

The files also contain lists of apps the spyware utilizes, and things it can't use -- many still to be determined. There is a fake Adobe Flash Player updater, and a Firefox plugin for RealPlayer.

One of the files contains extensive (though still undetermined) documentation for WhatsApp. 

Reporting on just such spyware last month, The Economist noted,

Currently it is legal for governments to buy the spyware—the sale and export of surveillance tools is virtually unregulated by international law.

Spyware providers say they sell their products to governments for “lawful purposes”.

But activists allege that their governments violate national laws in their often politically motivated use of such software. They argue that companies should be held accountable for selling spyware to repressive governments.

The Register reported:

price list, which appeared to be a customers' record, revealed the FinSpy program cost 1.4 million Euros and a variety of penetration testing training services priced at 27,000 Euros each.

The document did not contain a date but it did show prices for malware targeting the recent iOS version 7 platform.

Links have appeared on Twitter to the GitHub repository for Finfisher docs, although it's being noted that due to Gamma's operational security practices, the unencerypted source code is fairly useless.

Gamma isn't in the business of creating zero-days because they are more of an "ecosystem" spyware company, but apparently they do sell it to their clients.

On the list of zero-day companies from which Gamma appears to purchase its exploits is the controversial French company, VUPEN.

Gamma PR 04

The documents are going to give those fighting against Gamma, and trying to circumvent Finfisher spyware, an advantage that was previously unimaginable.

The docs will be of interest particularly to researchers at CitizenLab, who have been working to understand and reveal FinFisher (and its component Finspy) for the past few years. 

CitizenLab released its first fill report on Gamma and FinFisher in a July 2012 post, From Bahrain With Love: FinFisher's Spy Kit Exposed?

Bloomberg detailed the efforts to unmask the spyware in Cyber Attacks on Activists Traced to FinFisher Spyware of Gamma, saying:

For the past year, human rights advocates and virus hunters have scrutinized FinFisher, seeking to uncover potential abuses. They got a glimpse of its reach when a FinFisher sales pitch to Egyptian state security was uncovered after that country's February 2011 revolution.

Until then, researchers had only suspected the malware's existence. Mikko Hypponen, chief research officer at Helsinki-based security company F-Secure, told Bloomberg at the time, "We know it exists, but we've never seen it -- you can imagine a rare diamond."

It's safe to say that we're going to be finding out a lot more in the weeks to come about this previously well-kept spying secret.

Editorial standards