Jeremy Kirk (IDG News Service)14 March, 2013
New research suggests a controversial spyware suite called FinFisher is being used to track activists in more countries than previously thought, including Vietnam and Ethiopia.
FinFisher, made by a subsidiary of U.K-based Gamma Group, is a set of remote intrusion and interception tools intended for use by law enforcement and intelligence agencies. But critics say the software is also used by repressive regimes to target activists, and they consider it malicious software.
Despite being known for several years, researchers say FinFisher’s use is widening and that technical modifications are being made to help it evade detection.
The latest research was published Wednesday by the Munk School of Global Affairs, part of the University of Toronto. Researchers there found more command-and-control servers used by FinFisher to control the software and collect captured information.
One sample of FinFisher, which the researchers dubbed FinSpy, appears to have been used to target an opposition group in Ethiopia called Ginbot 7, which was designated as a terrorist group by the country in 2011, wrote Morgan Marquis-Boire, a security researcher and technical advisor at the Munk School and a security engineer at Google.
FinSpy presented itself as an image file of Ginbot 7 in an attempt to get victims to open it, he wrote. It communicates with a command-and-control server, which is still operational, hosted on an IP address belonging to Ethiopia’s state-owned telecommunications company, Ethio Telecom. The sample is similar to one that was sent to Bahraini activists in 2012.
“The existence of a FinSpy sample that contains Ethiopia-specific imagery and that communicates with a still-active command and control server in Ethiopia strongly suggests that the Ethiopian Government is using FinSpy,” Marquis-Boire wrote.
A FinFisher product for Android mobile devices was also analyzed that communicated with a command-and-control server in Vietnam.
The software, called FinSpy Mobile for Android, sends a person’s text messages to a Vietnamese phone number, Marquis-Boire wrote. The FinFisher suite of products includes similar software designed for iOS, Android, Windows Mobile and BlackBerry, including functions such as the ability to send GPS coordinates and snoop on conversations near where a phone is used.
“Both the command and control server IP and the phone number used for text-message exfiltration are in Vietnam, which indicates a domestic campaign,” Marquis-Boire wrote. “This apparent FinSpy deployment in Vietnam is troubling in the context of recent threats against online free expression and activism.”
A scan of the Internet also found 30 new command-and-control servers used to control FinFisher products in some 19 countries. Seven of the countries had not been known to host FinFisher servers before; they are Canada, Bangladesh, India, Malaysia, Serbia, Vietnam and Mexico. The report notes that those countries may not be involved in the actual surveillance, but networks located in those countries are being used to store information.
The Munk School has been monitoring FinFisher command-and-control servers since last year, but found in October that their methods for identifying those servers, called “fingerprinting,” were no longer working, indicating FinFisher had been modified.
“We believe that Gamma either independently changed the FinSpy protocol or was able to determine key elements of our fingerprint, although it has never been publicly revealed,” Marquis-Boire wrote.
Gamma Group and the subsidiary that makes the software, Gamma International, did not immediately respond to an email seeking comment.
Marquis-Boire wrote that the proliferation of FinFisher points to a larger issue with software and tools that are intended for legal surveillance but are abused by countries with poor human rights records. “This is indicative of a global trend towards the acquisition of offensive cyber capabilities by non-democratic regimes from commercial Western companies,” he wrote.
On Tuesday, Reporters Without Borders named Gamma International as one of five companies whose products are believed to be used for spying on journalists and dissidents. It called on countries to implement stronger export controls around surveillance tools.