WikiLeaks Releases FinFisher Surveillance Spyware to the Masses

Looking to highlight what it says is ongoing government surveillance globally, WikiLeaks has released previously unseen copies of weaponized German surveillance malware. The group claims that the FinFisher malware is being used by intelligence agencies around the world to spy on journalists, political dissidents and others—and that new variants are making their way to market.

The largest customer to date, it added, is Mongolia, “which has been recently selected as new Chair of the Freedom Online Coalition.”

WikiLeaks has been posting on the issue of FinFisher (formerly part of the UK-based Gamma Group International until late 2013) for several years. The spyware is made by a German company that produces and sells computer intrusion systems, software exploits and remote monitoring systems that are capable of intercepting communications and data from OS X, Windows, and Linux computers, as well as Android, iOS, BlackBerry, Symbian and Windows Mobile devices.

It’s widely implicated in the kind of state-based spying that WikiLeaks is claiming. About a year ago, Citizen Lab and the Canada Center for Global Security Studies published a series of reports on FinFisher, including a description of a Malaysian incident: “We discovered a booby-trapped document that contained a candidate list for the 5 May 2013 Malaysian General Elections.”

It then added, “The booby-trapped document embeds a copy of FinSpy that masquerades as legitimate Mozilla Firefox software...” And not for the first time. “Samples from the FinSpy campaign targeting Bahraini activists last year used an assembly manifest that impersonated Mozilla’s Firefox browser.”

That impersonation actually prompted Mozilla to send a cease and desist letter to Gamma for the unauthorized use of its browser name and characteristics.

But, despite the publicity, the spy kit is only gathering steam, WikiLeaks said—prompting the move to make it available as a free download to, well, everyone.

"FinFisher continues to operate brazenly from Germany selling weaponised surveillance malware to some of the most abusive regimes in the world,” said Julian Assange, WikiLeaks editor-in-chief, in the latest edition of its Spy Files report. “The Merkel government pretends to be concerned about privacy, but its actions speak otherwise. Why does the Merkel government continue to protect FinFisher? This full data release will help the technical community build tools to protect people from FinFisher, including by tracking down its command and control centers."

It added, “In order to challenge the secrecy and the lack of accountability of the surveillance industry, analyzing the internals of this software could allow security and privacy researchers to develop new fingerprints and detection techniques, identify more countries currently using the FinFisher spyware and uncover human rights abuses.”

Why Assange decided to release the actual malware to the entire world, however, rather than only to security researchers, is unclear (“[the files] are weaponised malware, so handle carefully,” it helpfully warned), but the group provided some forensic analysis of the malware.

“FinFisher Relay and FinSpy Proxy are the components of the FinFisher suite responsible for collecting the data acquired from the infected victims and delivering it to their controllers,” it explained. “It is commonly deployed by FinFisher's customers in strategic points around the world to route the collected data through an anonymizing chain, in order to disguise the identity of its operators and the real location of the final storage, which is instead operated by the FinSpy Master.”

WikiLeaks also published previously unreleased copies of the FinFisher FinSpy PC spyware for Windows. This software is designed to be covertly installed on a Windows computer and to silently intercept files and communications, such as Skype calls, emails, and video and audio through the webcam and microphone.

WikiLeaks said that it conservatively estimates FinFisher's revenue from sales to governments amounts to around €50,000,000.

“Together with the previous releases, the SpyFiles collection represents a unique and central resource where to find extensive and exclusive documentation about the global surveillance industry, also indexed and searchable through the WikiLeaks Search,” the company concluded.
