March 25, 2023

Bits Blog: Researchers Find 25 Countries Using Surveillance Software

Bill Marczak, left, and Morgan Marquis-Boire have been studying government use of surveillance software.Thor Swift for The New York Times Bill Marczak, left, and Morgan Marquis-Boire have been studying government use of surveillance software.

Last May, two security researchers volunteered to look at a few suspicious e-mails sent to some Bahraini activists. Almost one year later, the two have uncovered evidence that some 25 governments, many with questionable records on human rights, may be using off-the-shelf surveillance software to spy on their own citizens.

Morgan Marquis-Boire, a security researcher at Citizen Lab, at the University of Toronto’s Munk School of Global Affairs, and Bill Marczak, a computer science doctoral student at the University of California, Berkeley, found that the e-mails contained surveillance software that could grab images off computer screens, record Skype chats, turn on cameras and microphones and log keystrokes. The word “FinSpy” appeared in the spyware code. FinSpy is spyware sold by the Gamma Group, a British company that says it sells monitoring software to governments solely for criminal investigations.

Now, one year later, Mr. Marquis-Boire and Mr. Marczak have found evidence that FinSpy is being run off servers in 25 countries, including Ethiopia and Serbia, without oversight.

Until Mr. Marquis-Boire and Mr. Marczak stumbled upon FinSpy last May, security researchers had tried, unsuccessfully, for a year to track it down. FinSpy gained notoriety in March 2011 after protesters raided Egypt’s state security headquarters and discovered a document that appeared to be a proposal by the Gamma Group to sell FinSpy to the government of President Hosni Mubarak .

Martin J. Muench, a Gamma Group managing director, has said his company does not disclose its customers but that Gamma Group sold its technology to governments only to monitor criminals. He said that it was most frequently used “against pedophiles, terrorists, organized crime, kidnapping and human trafficking.”

But evidence suggests the software is being sold to governments where the potential for abuse is high. “If you look at the list of countries that Gamma is selling to, many do not have a robust rule of law,” Mr. Marquis-Boire said. “Rather than catching kidnappers and drug dealers, it looks more likely that it is being used for politically motivated surveillance.”

As of last year, Mr. Marquis-Boire and Mr. Marczak, with other researchers at Rapid7, CrowdStrike and others, had found command-and-control servers running the spyware in just over a dozen countries. They have since scanned the entire Internet for FinSpy.

The Munk School is publishing their updated findings on Wednesday. The list of countries with servers running FinSpy is now Australia, Bahrain, Bangladesh, Britain, Brunei, Canada, the Czech Republic, Estonia, Ethiopia, Germany, India, Indonesia, Japan, Latvia, Malaysia, Mexico, Mongolia, Netherlands, Qatar, Serbia, Singapore, Turkmenistan, the United Arab Emirates, the United States and Vietnam.

In Ethiopia, FinSpy was disguised in e-mails that were specifically aimed at political dissidents. The e-mails lured targets to click on pictures of members of Ginbot 7, an Ethiopian opposition group. When they clicked on the pictures, FinSpy downloaded to their machines and their computers began communicating with a local server in Ethiopia.

“This continues the theme of FinSpy deployments with strong indications of politically motivated targeting,” the researchers wrote in their report.

A Turkmenistan server running the software belonged to a range of I.P. addresses specifically assigned to the ministry of communications. Turkmenistan is the first clear-cut case of a government running the spyware off its own computer system. Human Rights Watch has called Turkmenistan one of the world’s “most repressive countries” and warned that dissidents faced “constant threat of government reprisal.”

In Vietnam, the researchers found evidence that FinSpy was running on Android-powered phones. They found one Android phone infected with FinSpy that was sending text messages back to a Vietnamese telephone number. That finding was particularly troubling, researchers say, given recent clampdowns by the nation’s government. Last year, Vietnam introduced censorship laws that prohibit bloggers from speaking out against the country’s ruling Communist party. According to Human Rights Watch, at least 40 people had since been convicted and sentenced to prison terms. Many are now serving terms ranging from three to 13 years.

The sale of surveillance technology is still largely unregulated, but Mr. Marquis-Boire and Mr. Marczak’s findings have prompted greater scrutiny. Responding to their findings last fall, Germany’s foreign minister Guido Westerwelle called for an Europe-­wide ban on the export of surveillance technology to repressive regimes. And last month, Privacy International and other groups filed complaints with the Organization for Economic Cooperation and Development against Gamma Group and Trovicor GmbH, a German company that also sells surveillance software.

“I don’t think you can put technology back in the bottle,” said Mr. Marquis-Boire. “I understand why police would want to use this type of technology, but I’m just not for commercial companies selling them to nondemocratic regimes with questionable human rights records.”

Article source:

Bits Blog: Company Denies Role in Recently Uncovered Spyware

6:35 p.m. | Updated Adding discovery of latest sample of the spyware at end.

An executive at Gamma Group, a British company that sells surveillance technologies, denied on Wednesday that a spyware program running on servers in 11 countries is part of his company’s product line.

Gamma Group makes FinFisher, spyware that, according to the company’s promotional materials, can be “used to access target systems, giving full access to stored information with the ability to take control of the target system’s functions to the point of capturing encrypted data and communications.”

Martin J. Muench, a managing director at the company, said in an e-mail that the company only sells its products to governments for the express purpose of monitoring criminals. “The most frequent fields of use are against pedophiles, terrorists, organized crime, kidnapping and human trafficking,” he said.

But recent findings by security researchers suggest it is being used more broadly. Researchers believe they found FinFisher spyware in e-mails sent to three Bahraini activists — one in the United States, one in London and one in Bahrain — none of whom have criminal backgrounds. And they found that the spyware was communicating with a server in Bahrain. It was capable of grabbing images of users’ computer screens, recording their Skype chats, remotely turning on their cameras and microphones and logging their keystrokes. The word “FinSpy” — the name of part of the FinFisher product — appeared in the spyware’s code.

In an e-mail, Mr. Muench said he could not disclose Gamma Group’s client list or confirm whether his company had sold its spyware products to Bahrain. He said he thought the server the researchers found was most likely a proxy server, which redirects traffic to mask its true origins.

“The server that was found in Bahrain is very likely a custom-built software that was simply used as a proxy to forward traffic between two or more systems. It is not a product from the FinFisher product line, “ Mr. Muench wrote.

But researchers question this explanation. “The timing suggests that the Bahrain server was not a proxy,” said Bill Marczak, a computer science graduate student at the University of California, Berkeley, who has been looking into the malware.

Proxy servers typically take longer to respond to commands because they have to forward traffic elsewhere. Researchers compared the response time of the Bahrain server to nonproxy servers and found no difference in their response times.

Mr. Muench also disputed additional findings by researchers at Rapid7, a security research firm, which found evidence that FinFisher spyware was being run off 11 additional servers in 10 countries, including on EC2, a popular Amazon cloud service, in the United States.

As of Wednesday afternoon, the spyware was still being dispersed from an I.P. address hosted on Amazon’s service. Researchers tested its response time and believe it is a proxy server. Amazon has not responded to a request for further information about the owner of the I.P. address and why it continues to send out spyware.

Rapid7’s researchers were able to find the Amazon I.P. address and the 10 others because they shared a unique trait with the Bahrain server. They found that when they sent unexpected data to that server, it responded with an unusual message: “Hallo Steffi.” They then scanned the Internet to uncover other I.P. addresses that responded with the same message and found others in Indonesia, Australia, Qatar, Ethiopia, the Czech Republic, Estonia, Mongolia, Latvia, the United Arab Emirates and the United States.

“FinFisher servers would not respond in such a way and would not be able to be fingerprinted with such a technique,” Mr. Muench wrote in his e-mail. He added, “None of our server components send out strings like ‘Hallo Steffi.’”

“The core FinSpy servers are protected with firewalls which only allow incoming connections from the setup proxies, and therefore a global scan by third parties would not reveal any real FinSpy servers,” Mr. Muench said.

Mr. Muench added that Gamma Group was still investigating the malware samples found last week, but suggested that the company’s code may have been modified by someone else.

“We cannot confirm whether this is the actual FinFisher product as it does not match any of our released versions,” Mr. Muench said. “Any comment on how third parties may or may not have acted would be pure speculation on my part.”

As security researchers analyze the spyware, new samples continue to pop up. Late Wednesday, Morgan Marquis-Boire, the security researcher who first connected the Bahraini samples to FinSpy, said he had uncovered a new spyware sample running on a server in Britain. He said that the sample shared the same structure and functions as the spyware that was aimed at the Bahraini activists, and that he believed the spyware to be FinSpy.

Article source: