Top gov't spyware company hacked; Gamma's FinFisher leaked
The maker of the secretive FinFisher spyware -- sold exclusively to governments and police agencies -- has been hacked, revealing its client list, its prices and how effective the malware is against a remarkable range of apps, operating systems and more.
Two years ago their software was found being widely used by governments in the middle east, especially Bahrain, to hack and spy on the computers and phones of journalists and dissidents.
Gamma Group (the company that makes FinFisher) denied having anything to do with it, saying they only sell their hacking tools to 'good' governments, and those authoritarian regimes most [sic] have stolen a copy.
...a couple days ago [when] I hacked in and made off with 40GB of data from Gamma's networks. I have hard proof they knew they were selling (and still are) to people using their software to attack Bahraini activists, along with a whole lot of other stuff in that 40GB.
The stolen FinFisher spoils were first leaked as a torrent file on Dropbox and have since been shared across the internet, meaning that controlling the information leak is now impossible.
According to initial reports, the enormous file contains client lists, price lists, source code, details about the effectiveness of FinFisher malware, user and support documentation, a list of classes/tutorials, and much more.
One spreadsheet in the dump records how FinFisher fared against 35 top antivirus products, showing how the sophisticated malware evades detection by most of them.
The documents also reveal usage statistics by country.
The hacker also posted about the breach from the Twitter account @GammaGrouPR.
A release-notes document covers Gamma's April 2014 patches, made to ensure its rootkit evades Microsoft Security Essentials. It also explains that the malware can capture dual-screen Windows setups, and reports improved email capture from Mozilla Thunderbird and Apple Mail.
Gamma does note that FinFisher is detected by Skype on OS X (a recording prompt appears), and the same goes for the Windows 8 Metro client -- though the spyware goes undetected by the Skype desktop client.
The files also contain lists of apps the spyware can hook and apps it cannot -- many still marked as to be determined. There is a fake Adobe Flash Player updater, and a Firefox plugin for RealPlayer.
One of the files contains extensive documentation for WhatsApp, although its status is still undetermined.
Currently it is legal for governments to buy the spyware—the sale and export of surveillance tools is virtually unregulated by international law.
Spyware providers say they sell their products to governments for “lawful purposes”.
But activists allege that their governments violate national laws in their often politically motivated use of such software. They argue that companies should be held accountable for selling spyware to repressive governments.
A price list, which appeared to be a customer's record, revealed that the FinSpy program cost 1.4 million euros, and that a variety of penetration testing training services were priced at 27,000 euros each.
The document did not contain a date but it did show prices for malware targeting the recent iOS version 7 platform.
Links have appeared on Twitter to the GitHub repository for the FinFisher docs, although observers note that, due to Gamma's operational security practices, the unencrypted source code is fairly useless on its own.
Gamma isn't in the business of creating zero-days, because it is more of an "ecosystem" spyware company, but apparently it does resell them to its clients.
On the list of zero-day companies from which Gamma appears to purchase its exploits is the controversial French company, VUPEN.
The documents are going to give those fighting against Gamma, and trying to circumvent Finfisher spyware, an advantage that was previously unimaginable.
For the past year, human rights advocates and virus hunters have scrutinized FinFisher, seeking to uncover potential abuses. They got a glimpse of its reach when a FinFisher sales pitch to Egyptian state security was uncovered after that country's February 2011 revolution.
Until then, researchers had only suspected the malware's existence. Mikko Hypponen, chief research officer at Helsinki-based security company F-Secure, told Bloomberg at the time, "We know it exists, but we've never seen it -- you can imagine a rare diamond."
It's safe to say that we're going to be finding out a lot more in the weeks to come about this previously well-kept spying secret.