Govt FinFisher spyware exposed after data breach

An Anglo-German company that makes and sells FinFisher spyware to various European, American and Asia-Pacific governments and law enforcement agencies has suffered a big data breach, revealing hundreds of confidential documents.

An anonymous hacker claimed he had compromised Gamma International's network on Reddit and Twitter on Wednesday afternoon, and posted links to a torrent file online containing what is believed to be authentic client records, price lists, source code, the effectiveness of the spyware, support manuals and a list of classes and tutorials.

“Basically it's a European company that sells computer hacking and spying software to governments and police agencies,” read the hacker's post on community website Reddit.

“Two years ago their software was found being widely used by governments in the Middle East, especially Bahrain, to hack and spy on the computers and phones of journalists and dissidents.

“Gamma Group (the company that makes FinFisher) denied having anything to do with it, saying they only sell their hacking tools to 'good' governments, and those authoritarian regimes most [sic] have stolen a copy.”

After reportedly compromising the finsupport.finfinisher.com server, the hacker subsequently established a parody ‘GammaGroupPR' Twitter account to give more details on the torrent. 

One of the leaked spread sheets explained how FinFisher performed when trying to evade detection against the 35 top anti-virus products, while another document - from April - detailed how Gamma's 2014 patches ensured that version 4.51 of FinFisher (also known as FinSpy) would include that its rootkit component would not be detected by Microsoft Security Essentials.

The dump further reveals how the malware can be used to record dual Windows screens at the same time, and how it is better for email spying when the target is using Mozilla's Thunderbird or Apple's Mail.

In addition, supporting documentation indicates that a recording prompt alerts victims to the presence of FinFisher when using Skype on Apple's OS X, and that FinFisher cannot tap Skype users on the 'Metro' version of Windows 8.

Gamma International - which is part of the UK-based Gamma Group - did not confirm the legitimacy of documents at time of publication or if they had been breached.

Information on the Gamma Group spy kit was first leaked to WikiLeaks in October 2011. The spyware has been used mainly in countries in the Middle East in order to spy on dissidents and journalists.

The Economist last month uncovered how governments were using the spyware to target activists, most notably dissidents based in Bahrain, while Citizen Lab research back in 2012 showed how FinFisher surveillance was targeting mobile devices.

FinFisher control nodes have been found in several countries around the world, including Australia. A freedom of information request from the Open Australia Foundation asking the Australian Federal Police if they used FinFisher was turned down last yea

According to the documents, the FinSpy program costs €1.4 million (A$2 million) and a variety of pen testing training services are priced at €27,000 each. Support costs range from €2218 for USB malware support to €331,840 for an additional year support for the product.

The spyware lets users remotely control any PC, copy, delete and modify files, intercept Skype VoIP calls and log keystrokes, and much more, while Gamma International provides zero-day exploits acquired from French company Vupen.

Brian Honan, founder and consultant at BH Consulting, said the breach was a sign that ‘even a security company' could be targeted, and urged other companies to ensure that confidential data is ring fenced and that they are actively monitoring logs and implementing effective incident response.

“I hope the knock-on effects from this data dump will expose which governments, countries, and agencies are using FinFisher to spy on their citizens. I also hope that the AV industry ensures that their products can better detect such spying software," he said.

"Finally, it gives us an insight into the limitations of such spyware and how to better protect our systems from it.”

Honan said many of these governments have already worked out how to compromise the spyware and develop countermeasures.

“The leak may result in a number of governments looking at how this spyware works and how vulnerable their representatives and citizens are to being monitored by it.  For government officials the leak may also reveal what effective counter measures they may put in place should they suspect FinFisher or similar spyware may be used against them.”

Security industry expert Scott MacKenzie, CISO with cyber security solutions provider Logical Step, said the tools appear also to break WEP/WPA encryption and offer network monitoring of SSL sessions, but he expects Gamma to release new patches to address the leak. 

He said there are legitimate reasons for using the spyware, however.

"The Gamma hack is likely to disrupt existing intelligence and law enforcement operations that are monitoring organised crime groups, terrorism and paedophile rings," MacKenzie said.

"Given the current threat landscape, I have to assume the intelligence agencies are using the information to protect the citizens of the country. Given there has not been a major attack on UK soil in nearly a decade, I have to assume that this approach is effective."