FinFisher government spy software secrets revealed by hackers

A company called Gamma International has suffered a serious security breach, resulting in hackers posting its confidential data on the web for anyone to download.

You might think there’s nothing so unusual in that. Organizations get hacked all the time.

What makes things different on this occasion, however, is the particular type of work that Gamma International does: it develops commercial network intrusion malware for the purposes of surveillance, and sells it to governments around the world.

And, it has been claimed, authoritarian regimes in Bahrain, Egypt, Turkmenistan and Oman are amongst those who are using Gamma’s controversial FinFisher spyware.

In 2013, Citizen Lab published a report claiming that 36 countries around the world were hosting FinFisher Command & Control Servers.

The list of countries, which contains some who have a poor record for human rights and democracy, was: Australia, Austria, Bahrain, Bangladesh, Brunei, Bulgaria, Canada, Czech Republic, Estonia, Ethiopia, Germany, Hungary, India, Indonesia, Japan, Latvia, Lithuania, Macedonia, Malaysia, Mexico, Mongolia, Netherlands, Nigeria, Pakistan, Panama, Qatar, Romania, Serbia, Singapore, South Africa, Turkey, Turkmenistan, United Arab Emirates, United Kingdom, United States, and Vietnam.

In April 2013, Gamma International’s antics raised the ire of Mozilla, developers of Firefox, after it was discovered that FinFisher had been deliberately disguised as the popular browser in an attempt to trick users into installing the malicious code.

Mozilla said in a public blog post that it had sent Gamma a cease and desist letter “demanding that these illegal practices stop immediately.”

Mozilla said that it had seen evidence that the Firefox disguise had been used by FinFisher in a spyware attack in Bahrain aimed at pro-democracy activists, during Malaysia’s General Elections, and in a promotional demo produced by Gamma International.

So, campaigners sat up and listened when a hacker announced on Reddit this week that they had stolen 40GB worth of secret documents from Gamma International’s servers:

“It’s a European company that sells computer hacking and spying software to governments and police agencies. Two years ago their software was found being widely used by governments in the middle east, especially Bahrain, to hack and spy on the computers and phones of journalists and dissidents. Gamma Group (the company that makes FinFisher) denied having anything to do with it, saying they only sell their hacking tools to ‘good’ governments, and those authoritarian regimes must have stolen a copy.”

“And that’s the end of the story until a couple days ago when I hacked in and made off with 40GB of data from Gamma’s networks. I have hard proof they knew they were selling (and still are) to people using their software to attack Bahraini activists, along with a whole lot of other stuff in that 40GB.”

The hacker then created a parody Twitter account (@GammaGroupPR) to highlight some of their findings, and, naturally enough, the attention of the media was easily drawn.

As a result, the secrets of FinFisher (also known as “FinSpy”) are being revealed, pulling back the curtain on the mysterious malware that is used by governments and intelligence agencies across the globe to silently infect and remotely control computers, log keystrokes and snoop on video calls.

Amongst the leaked documents published on the net are what appear to be authentic client records, manuals and brochures, price lists, source code and details of shady companies that have sold Gamma International exploits and zero-day vulnerabilities to sell on to others.

Security researchers and privacy campaigners will no doubt enjoy sifting through the code and stolen information, perhaps turning a blind eye to the criminal act which saw the documents become public.

I wouldn’t be shocked to see more revelations about FinFisher and its developer spilling out in the coming days. But one thing I suspect you may not hear is any word from the company which made the software.

At the time of writing, there is no mention of the security breach on Gamma International’s website, and it hasn’t made any public comment. Perhaps that shouldn’t be any surprise. After all, it is a company that likes to play its cards close to its chest…

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
