Six things we know from the latest FinFisher documents


The publication of materials from a support server belonging to surveillance-industry giant Gamma International has provided a trove of information for technologists, security researchers and activists. It has given the world a direct insight into a tight-knit industry that demands secrecy for itself and its clients, but ultimately assists in the violation of the human rights of ordinary people without care or reproach.

Now, for the first time, there is solid confirmation from inside the company's own files, despite its denials, of Gamma's clients and of the support it provides to a range of governments.

The Anglo-German company Gamma International is widely known for the intrusion software suite FinFisher, which was spun off into its own German-based company, "FinFisher GmbH", sometime in 2013. The 40GB dump of internal documents, brochures, pricelists, logs, and support queries was made available through a torrent first linked to in a Reddit post by the alleged hacker.

While these documents do provide insight into FinFisher, Privacy International does not support any attempt to compromise the security of any company's network or servers. Greater transparency is needed from this sector, and from governments, on this growing industry to ensure that every business's obligation to respect human rights is met.

Some documents provide new information; others support and verify previous claims about the company. Privacy International is still reviewing and analysing all the documents, so we expect more information to come out of these documents in the near future.

1. No targeting of Germany

FinFisher's command and control servers have been found in nearly 40 countries around the world. But these new documents reveal that customers of FinFisher products are not permitted to target devices in Germany, according to a clause contained within what appears to be a generic commercial offer the company provides to all its customers. Article 21 of a commercial offer states:

The BUYER hereby acknowledges that it is a strict term of this supply contract that it will not use the articles supplied in obtaining any data or software from any computer or related devices or impairing or interfering in the operation of any computer where, in either such case, there is significant link (however arising) in relation to such action or on relation to any other relevant circumstances, with Germany and hereby undertakes and warrants to FinFisher that it will not make use of the articles supplied

It is an odd clause to be contained within an offer. FinFisher is designed to work on a target machine regardless of location; a key selling point of FinFisher is that it offers its user the ability to monitor a target anywhere in the world.

It is unclear why the buyer is specifically banned from using FinFisher to target devices in Germany, but there are a couple of reasonable possibilities. The first is that the German government permits FinFisher to be based in and exported from Germany only on condition that it is not used against German targets. It is also possible that FinFisher itself is looking to minimise any attention it gets in Germany, be it from security agencies or the press. It could further be a legal precaution related to computer misuse legislation, designed to minimise legal accountability.

Privacy International has written to the German Federal Office for Economic Affairs and Export Control (BAFA) asking for clarification, and to assess whether the German government requires or is aware of such a clause prohibiting the targeting of German devices using German-made surveillance technology exported out of the country.

2. The targeting of activists

The Gamma documents also cast doubt on the company's own previous claims that the Bahraini Government used a stolen demonstration copy of FinFisher against pro-democracy activists. Excellent work by Bahrain Watch indicates that the Bahraini Government had reportedly targeted a range of prominent Bahraini lawyers, human rights workers, and politicians. Zeroing in on specific information related to Bahrain, the group claims to have identified 77 computers of activists targeted by FinFisher.

It was the allegations and technical analysis of 2012, showing that Gamma's products were used to spy on Bahraini pro-democracy activists, that first revealed the truly invasive implications and violations associated with their technology. This new, potentially damning evidence comes in the form of the communications revealed between the supposed Bahraini authorities and Gamma's support service, again an element of the company's comprehensive support package.

Logs show requests for assistance in solving problems occurring in the deployment of the malware, including that some anti-virus programs were detecting its presence, login details were not working, the 'targets' were not appearing, and so on. These documents and the subsequent analysis by Bahrain Watch give credence to the long-suspected behaviour of the Bahraini Government when it comes to targeting activists with FinFisher, and call into question Gamma's previous statements on its relationship with Bahrain. Several of the individuals identified by Bahrain Watch are either now imprisoned or sentenced in absentia, showing the on-the-ground impact and role of surveillance technologies in the hands of repressive regimes.

3. The industry is slick

A negligible industry in 2001, within ten years the sector was estimated to be worth approximately $5 billion annually, and to be growing by 20% every year.

By the end of 2014, ISS World (the so-called 'Wiretappers' Ball') will have held trade fairs in Washington DC, Prague, Brasilia, Johannesburg, Dubai and Kuala Lumpur, reflecting how the industry has stretched its tentacles to all corners of the world, selling to essentially any and all governments who deem its tools 'necessary'. The Gamma documents show the company's own attendance at multiple exhibitions, extending beyond ISS World into specialised security and defence exhibitions, including the "Security and Policing" fair in Farnborough, UK, the "LAAD Defence and Security Expo" in Rio, and "FBI Executives Training" in San Antonio, Texas, amongst others.

What is noticeable is not merely the provision of software and hardware, a lot of which was already known to those active in the area, but the sense of the industry becoming 'established' and attempting to operate like any other normal international business.

The latest Gamma brochures and presentations show the slicker side of the company and can be taken as representative of the modern industry: a highly professionalised sector with PR and marketing language directed at law enforcement and government agencies, presenting surveillance products as the comprehensive solution to any tricky problem. Paying attention to 'the little things' is a sign of a well-established and professional sector, and Gamma displays this in one of its trade fair attendance spreadsheets, which details which member of staff was due to send follow-up emails to interested individuals afterwards.

4. They do more than just sell

We've previously shown how surveillance companies do not only sell the products found in these brochures. Beyond developing and marketing, companies like Gamma provide an extensive consulting service, helping install the equipment, get surveillance teams up and running, and lend IT support for any technical problems the software encounters.

The provision of services beyond merely supplying the initial software or hardware is strikingly illuminated by these new documents, which show first-hand evidence of the technical and customer support offered to clients. Specifically, the new documents say that the products are subject to regular updates due to technical advances in the products, "therefore an annual support contract is required to received such upgrades and updates" [FF License Renewal Template 23.01.14]. Similarly, in the leaked pricelist, line entries show charges for post-sales support and update licences for up to 5 years, showing a consistent support mechanism for the client.

The training documents detail the depth of the training given by Gamma employees to their government clients. For example, in the FinIntrusion Kit 2.2 course, clients are trained how to conduct network intrusion, how to search for and identify victims, break WEP and WPA encryption, jam wireless networks, and extract usernames and passwords for everyday services like Gmail, Hotmail, and Facebook.

When it comes to training governments on how to use their malware, the Gamma documents show how quickly they can get authorities up and running with the surveillance equipment: a basic intrusion course takes five days, while an extended course needs 10 days.

5. Relationships with other companies

The symbiotic relationships between the leading firms have long been suspected, and small elements of this collusion have been revealed previously. Gamma International has been shown to have worked hand-in-glove with two Swiss companies, Dreamlab and Elaman, supplying surveillance equipment to regimes such as Turkmenistan.

These new Gamma documents have confirmed this is an established business partnership, revealing the role of both Swiss-based companies in reselling Gamma's products, and training clients in the field. Other documents have shown that the new FinFisher company and Elaman even have the same address.

The training price-lists show the cooperation between these three distinct companies. If a government purchases a Gamma product from Elaman, it receives a discount of 25% on software and support, while a discount of 15% is on offer for hardware and training, according to the pricelist.

A slightly less generous discount of 20% and 10% respectively is on offer for other agents and resellers, demonstrating the widespread partnerships throughout the industry. Alongside the training services offered by Gamma, it is noticeable that they advertise the capabilities of the trainers from Dreamlab, who clearly come highly recommended for their knowledge of infrastructure, as they command five times the rate of a Gamma staff member for in-country training.

An examination of the line-by-line price-list gives a window into the range and cost of services on offer. The breakdown shows wholly customisable services for the client: activation licences for FinSpy Mobile targeting Blackberry, Windows Mobile, iPhone, Symbian and Android; licences for After Sales Support and Updates for up to 3 years; user manuals; desktop workstations; specific laptops; and, a critical evolution in the industry, access to the 'Exploit Portal' of the French vulnerability developer VUPEN.

We've highlighted in the past Gamma's role in pushing 0-day exploits, and VUPEN's role in this market. Ties between VUPEN and Gamma/FinFisher have long been public and friendly, but the pricelist and documents confirm a business relationship between governments, Gamma, and the use of VUPEN's large database of exploits.

In this transaction, VUPEN sells exploits to be used in the FinSpy exploit portal, which Gamma/FinFisher then sell on to their customers. A Frequently Asked Questions document among the Gamma documents shows that the company, when selling exploits, is apparently often asked where the vulnerabilities come from.

"Q: Can we name the supplier?

A: Yes you can mention that we work with VUPEN here."

We can now compare two pricelists from Gamma, the 2011 release and the new one. In 2011, a FinSpy Relay, Master, and Generation Licence for between one and 10 targets cost a government €100,000. Yet we see a whopping 20% increase by the end of 2013, with the same service now costing €120,000. The FinSpy PC Activation licence covered Windows and OS X at a cost of €1,950, but by 2013 this had increased to €2,340 and included licences for Linux.

6. The technology has evolved

FinFisher, which takes complete control over a target's device once infected, came to international prominence in 2011 when documents uncovered in the aftermath of the Arab Spring showed its use by the Egyptian security services. The same year saw Wikileaks' SpyFiles 2 release showing various documents, including training videos for Gamma's products such as FinSpy Mobile, FinUSB, and FinFly. Subsequent publications of brochures in SpyFiles 3 and our own Surveillance Industry Index continued to document what the company is selling.

Gamma themselves describe their prospective clients as ranging from intelligence agencies, air force, navy and army groups to customs departments and presidential guards. This sophisticated clientele demands cutting-edge solutions and technology that is consistently evolving and progressing. The Gamma documents show this evolution through constant communication with clients about forthcoming enhancements and versions with better capabilities.

The presentations and training documents show the progression of intrusion techniques, pushing past 'traditional passive monitoring' to problems 'that can only be solved by adding IT intrusion solutions'. Gamma themselves highlight the 'global mobility of devices and targets' as a problem that needs to be 'solved', as well as anonymity through the use of hotspots, proxies, and webmail, and also reference Tor.

The provision of 'roadmaps' shows clients when updates for their purchases will be available, and details the features of the new versions. For example, these roadmaps reveal new versions and enhancements of their invasive FinSpy Mobile. Version 4.4, released in Q4 2012, has the ability to collect data through Skype across iOS, Blackberry, Android, and Windows Mobile platforms. An updated Version 4.5, released in Q1 2013, included the ability to target emails, calendars and keylogging on Windows Phones, and an updated ability to collect data through the camera of a Blackberry or iOS phone.

It is important to add that more analysis will be needed to fully piece together and chart the progress of Gamma's intrusion software. As we continue to analyse these documents, we will publish more information.