Researchers at the University of Toronto's Citizen Lab have analyzed what appears to be a version of the FinSpy trojan for mobile platforms. The Citizen Lab report contains no information about whether any devices have been infected or whether individuals have been targeted. The use of such expensive tools against Mansoor shows the lengths that governments are willing to go to target activists. The Citizen Lab report describes two cyberespionage campaigns that ESET detailed in reports published in September and December 2017. Citizen Lab's FinFisher research has informed and inspired responses from. According to the University of Toronto's Citizen Lab, Turkish ISPs have been diverting download requests for legitimate software such as Avast, CCleaner, VLC, Opera and 7-Zip to infected versions of the software containing government spyware such as FinFisher and StrongPity. Citizen Lab surveillance research on Hacking Team and FinFisher highlighted in articles on Motherboard, The Varsity, and The New York Times. In August 2012, Citizen Lab researchers scanned IP addresses and fingerprinted for FinSpy s. FinFisher in Mexico. In March 20, the Citizen Lab, an interdisciplinary research centre at the University of Toronto, published an investigation about a spyware programme called FinFisher. Morgan Marquis-Boire and Seth Hardy, Syrian activists targeted with BlackShades spy software, Citizen Lab research report no. FinFisher offers a strategic wide-scale interception and monitoring solution that is device independent. The Citizen Lab is an interdisciplinary laboratory based at the Munk School of Global Affairs at the University of Toronto, Canada.
The following article by Citizen Lab lists the United States as operating FinFisher technology. University of Toronto-based research group Citizen Lab released a report last year identifying two FinFisher command and control servers on the network of the Pakistan Telecommunications Company (PTCL), the country's leading internet service provider. An expansive and ongoing computer espionage campaign spread across Egypt, Turkey and Syria has been powered by technology developed by a Canadian-American networking company, Sandvine, and an infamous spyware maker known as Gamma Group or Lench IT Solutions, security researchers say. Previous Citizen Lab research found that in 2011 he was targeted with FinFisher spyware, and in 2012 with Hacking Team spyware. To monitor a target, a government operator of Pegasus must convince the target to click on a specially crafted exploit link, which, when clicked, delivers a chain of zero-day exploits. FinFisher, spyware which has been used to spy on dissidents in nations overseas, also can infect mobile devices, according to a new report. FinFisher, also known as FinSpy, is surveillance software marketed by Lench IT Solutions plc, which markets the spyware through law enforcement channels. FinFisher can be covertly installed on targets' computers by exploiting security lapses in the update procedures of non-suspect software. In 2012, Citizen Lab, a think tank operating out of the Munk School of Global Affairs at the University of Toronto, came across evidence suggesting that Gamma International, a multinational. FinFisher surveillance malware to target Bahraini activists. Gamma Group FinFisher governmental IT intrusion and. In January 20, Citizen Lab researchers found installations of Blue Coat Systems PacketShaper device on netblocks associated with IPNX ISP and Cobranet.
According to Citizen Lab, some governments are using Sandvine network gear installed at internet service providers to deliver spyware and cryptocurrency miners.
It's been over five years since Citizen Lab first exposed the use of. Claudio Guarnieri International Journalism Festival. Turkish ISP swapped downloads of popular software with. In addition to describing how they've seen FinSpy infect the computers of political. Israel-based cyber warfare vendor NSO Group produces and sells a mobile phone spyware suite called Pegasus. Time for greater transparency in surveillance national. Citizen Lab, a digital research unit at the University of Toronto, says that servers running notorious FinFisher software have been found in eleven new countries over the past year, bringing the total number of states where servers have been detected to 36. While it can be expected that FinFisher often uses similar tactics to infiltrate a system, its method of entry may vary and precaution should always be taken to avoid spyware. The Citizen Lab's research reveals that FinFisher remote monitoring solutions were found in India, which, according to Gamma Group's brochures, include the following.
The report said evidence for the Ethiopian government's use of FinFisher was particularly strong, explaining that Citizen Lab had found an example of the spyware which spread through a booby-trapped email purporting to carry images of Ethiopian opposition figures. About a year ago, Citizen Lab and the Canada Center for Global Security Studies published a series of reports on FinFisher, including a description of a Malaysian incident. Flaw in Adobe Flash Player used to install FinFisher spyware. Citizen Lab on role of Gamma International's FinFisher technology in many. The analysis suggests that the malware used is FinSpy, part of the commercial intrusion kit, FinFisher, distributed by the united. It's one of the world's best-known and elusive cyber weapons.
Government-operated spyware on the rise around the world. FinSpy was downloaded on the plaintiff's computer when he opened an email with a Microsoft. The Citizen Lab is an interdisciplinary laboratory based at the Munk School of Global Affairs at. FinFisher excellence in cyber investigation governmental IT intrusion and remote monitoring solutions. Agent license: the agent license controls how many FinSpy agents can log in to the FinSpy master in parallel. Message received by Citizen Lab senior research fellow Bill Marczak.
The team was able to obtain the URLs and encryption keys for various versions of these two programs and downloaded the keyword blacklists daily. FinFisher surveillance malware spreads to smart phones. The Citizen Lab conducts groundbreaking research on the global proliferation of targeted surveillance software and toolkits, including FinFisher, Hacking Team and NSO Group. Internet provider redirects users in Turkey to spyware. FinFisher in India and the myth of harmless metadata the. Several malicious emails we found were sent to multiple recipients, according to their headers. Morgan Marquis-Boire, Bill Marczak and Claudio Guarnieri: this post describes our work analyzing several samples which appear to be mobile variants of the FinFisher toolkit. Detekt tool finds the Hacking Team's secret surveillance malware on PC: if you've ever wondered if the government has you under surveillance via your PC, then you need to run the new and free.
Researchers at the Citizen Lab, based at the university. Nearly 32 countries are suspected to be using FinSpy spyware as per the year 2015 report from University of Toronto's Citizen Lab. A new report from Citizen Lab, a Canadian research center, shows surveillance software sold by FinFisher, a governmental IT intrusion company owned. When anyone using a target IP address on Turk Telekom's network attempted to download software from a handful of legitimate vendors. The presentations were anonymously posted online and are reportedly from 2011 discussions between Gamma and the German state criminal police offices (Landeskriminalamts). Points of analysis are taken from Citizen Lab's report from Bahrain.
Any available documentation about when and how FinFisher is used; documentation about any oversight of the use of FinFisher. Researchers find German-made spyware across globe news. The FinFisher spyware, produced by the UK-based Gamma Group, has been for years as elusive as it was notorious. FinFisher mobile spyware tracking political activists. We found 39 additional email addresses of targets using this method. Scope, scale, and context of Pegasus as identified in this report. In the wake of the Citizen Lab's report, Muench at Gamma Group told Bloomberg via email that the firm was investigating whether the spyware used by. ISPs inside Turkey and Egypt spread FinFisher spyware in massive.
But this recent leak gives us a more complete and conclusive picture. Citizen Lab senior research fellow Bill Marczak spoke to ABC Australia regarding the proxy server for the remote intrusion software FinFisher found in Sydney, Australia. Governments rely on Sandvine network gear to deliver. Researchers link mobile spyware cases with FinFisher toolkit. Detekt tool finds the Hacking Team's secret surveillance. According to a new report by Citizen Lab, Turkey's telecom network was using Sandvine PacketLogic devices to redirect hundreds of targeted users (journalists, lawyers, and human rights defenders) to malicious versions of legitimate programs bundled with FinFisher and StrongPity spyware when they tried to download them from official sources. Citizen Lab published research showing how FinSpy variants, from the Gamma Group's FinFisher surveillance toolkit, target smartphones including Windows Mobile, Apple's iPhone and iPad tablets.
Research on Hacking Team and FinFisher highlighted in Motherboard. The commercialization of digital spying, in which researchers identified FinFisher servers on a network operated by suburban. Citizen Lab, spoofing the European Parliament, Citizen Lab research report no. The following presentations from the Gamma Group describe the company's FinFisher and 3G-GSM tactical interception and target location surveillance products. Despite the disclosure of sensitive customer data in that hack, and the potential customer concerns this might cause, our latest scans have detected FinFisher servers in more countries than any. This post describes the results of internet scanning we recently conducted to identify the users of FinFisher. It is worth noting that FinFisher, which is also called FinSpy, is notorious surveillance software that is commonly used by law enforcement agencies and governments across the globe.
Citizen Lab, the research and development lab at the Munk School of Global Affairs, University of Toronto, that has focused a lot of its work on the legal surveillance software FinFisher. The Citizen Lab announces the publication of a detailed post analyzing several pieces of malware targeting Bahraini dissidents, shared with us by Bloomberg News. Last week, Morgan Marquis-Boire and Bill Marczak from the Citizen Lab published a fascinating glance at a real-world mobile espionage tool created by Gamma International under its FinFisher product line. Researchers at human rights research group Citizen Lab have discovered that netizens in Turkey, Egypt and Syria who attempted to download legitimate Windows applications from official vendor websites i. The use of the Comic Sans font is due to the attacker's font selection. The Citizen Lab research brief, August 2012: The smartphone who loved me. In this report we provided the first update on Citizen Lab's previous FinFisher scanning work since a widely discussed 2014 hack of FinFisher.
ISPs may be helping hackers to infect you with FinFisher. Since protesters found FinFisher company records in an abandoned Egyptian state security building last year, security researchers and activists around the world have been eager to get their hands on a copy of the tools in the FinFisher suite, especially the component called FinSpy. FinFisher spyware masqueraded as an executable file named threema. ISPs caught injecting cryptocurrency miners and spyware in. Cyber attacks on activists traced to FinFisher spyware of. FinFisher is an electronic surveillance tool used to remotely monitor suspects' phones. We discovered a booby-trapped document that contained a candidate list for the 5 May 20 Malaysian general elections. The report covers the mobile component of FinFisher dubbed FinSpy Mobile which supports iOS, Android, Windows, BlackBerry, and Symbian phones. The company has been criticized by human rights organizations for selling these capabilities to. The Citizen Lab has also uncovered FinFisher's presence in Indonesia. New research by human rights advocacy organization Citizen Lab shows how.
In 2014, an American citizen sued the Ethiopian government for installing and using FinSpy to. The analysis suggests that the malware used is FinSpy, part of the commercial intrusion kit, FinFisher, distributed by the United Kingdom-based company, Gamma International. Such a file could be used to target privacy-concerned users, as the legitimate Threema application provides secure instant messaging with end-to-end encryption, the researchers say. Mapping FinFisher's continuing proliferation, Citizen Lab. The Citizen Lab recently released new findings about a variant of FinFisher surveillance software designed for use on smartphones. After expiry, the FinSpy system will still be fully functional but no longer able to retrieve the newest versions and bugfixes from the FinSpy update server. Founded and directed by Professor Ronald Deibert, the Citizen Lab studies information controls, such as network surveillance and content filtering, that impact the openness and security of the internet and that. Sophisticated, persistent mobile attack against high-value. FinFisher is a suite of remote intrusion and surveillance software developed by Munich-based Gamma International GmbH and marketed and sold exclusively to law enforcement. Contribute to finfisherfinflyweb development by creating an account on GitHub. But Deibert said the discovery of FinFisher spyware on public control servers across five continents suggests strongly that personal devices of pro-democracy activists are being compromised. In this report Citizen Lab security researcher Morgan Marquis-Boire and Bill Marczak provide analysis of several pieces of malware targeting Bahraini dissidents, shared with us by Bloomberg News. In April 20, Citizen Lab released For Their Eyes Only.