The NSA espionage methods revealed by Snowden seem far removed from Spain, but the Spanish government also has the tools to spy on its citizens.
New technologies have completely changed the way we communicate, something that has not gone unnoticed by governments and state security forces. Before, tapping a phone was enough to learn everything a person communicated; now instant messaging and the ubiquity of the Internet have made the task of knowing our communications much harder, for better or for worse. And as if that were not enough, applications like WhatsApp or Telegram already encrypt our messages by default, so that nobody in between can read them.
This makes the devices themselves the weakest point in the face of an attack: once someone takes control of a computer or a mobile phone and taps it, it no longer matters how secure the communication channel is; you are compromised from the start. And the Spanish government has the tools to do it, as we already know thanks to the Hacking Team leaks and as we are reminded now that FinFisher has turned up.
What is FinFisher?
FinFisher is computer surveillance software, a spyware, made to get into a user's device without raising their suspicions. Once inside, the software can follow everything the user does with the device, from the conversations they have to their web browsing. There are versions for computers as well as versions built to be planted on mobile devices, and we know of its existence thanks to leaks from WikiLeaks and the Citizen Lab at the University of Toronto.
FinFisher is the creation of a company called Gamma Group, which operates in the United Kingdom and Germany through two subsidiary companies. Beyond those two subsidiaries, the company is reportedly controlled by William Louthean Nelson through a shell company in the British Virgin Islands. Gamma Group presents itself as a company specialized in surveillance, and has been singled out by Reporters Without Borders as one of the five most dangerous companies on the Internet.
How does it work?
FinFisher's infection methods are varied: they range from fake updates to emails with infected attachments, and also include exploiting security flaws in popular programs or setting up malicious web pages. We know for certain that it has got into systems through security flaws in iTunes and through infected Word files. Once it reaches the device, it installs itself without raising the victim's suspicions, even modifying the hard disk's master boot record (MBR).
Once inside the computer, and according to the promotional videos its creators showed to interested buyers, the operator acquires complete control of the device: from seeing what the target has on screen to logging their keystrokes. The code has revealed that the malware collects passwords, audio from Skype calls, contact lists, screenshots, keystrokes and more. In addition, exhaustive studies of the leaked program have revealed that it contains specific code to evade antivirus detection.
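The article says FinFisher persists by rewriting the hard disk's master boot record. The following script is an added example (not code from the article, from Gamma Group, or from Citizen Lab) of the check a defender would run against that kind of change: baseline the first 512 bytes of the boot disk, parse them (boot code, partition table, 0x55AA signature) and later report anything that differs. The MBR bytes in the block are constructed for the demo; the device paths in the comments are illustrative, and reading a real disk requires administrative rights.

```python
"""
Baseline and verify a Master Boot Record (MBR).

Added example, not part of the original article or of any FinFisher analysis.
The sample MBR below is constructed inline; on a real machine you would read
the first 512 bytes of the boot disk (e.g. /dev/sda on Linux or
\\\\.\\PhysicalDrive0 on Windows, both assumed illustrative paths here).
"""
import hashlib
import struct

MBR_SIZE = 512
PART_TABLE_OFFSET = 446          # boot code occupies bytes 0..445
PART_ENTRY_SIZE = 16             # four 16-byte partition entries follow
BOOT_SIGNATURE = b"\x55\xaa"     # bytes 510..511 of a valid MBR
ENTRY_FMT = "<B3sB3sII"          # flag, CHS start, type, CHS end, LBA, count


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Construct a synthetic MBR: boot code, one Linux partition, signature."""
    code = boot_code.ljust(PART_TABLE_OFFSET, b"\x00")[:PART_TABLE_OFFSET]
    # Bootable (0x80), type 0x83 (Linux), starts at LBA 2048, 1,000,000 sectors.
    entry = struct.pack(ENTRY_FMT, 0x80, b"\x00\x00\x00", 0x83,
                        b"\x00\x00\x00", 2048, 1_000_000)
    table = entry + b"\x00" * (PART_ENTRY_SIZE * 3)   # three empty entries
    return code + table + BOOT_SIGNATURE


def parse_mbr(mbr: bytes) -> dict:
    """Return boot-code hash, non-empty partition entries and signature status."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        flag, _, ptype, _, lba, count = struct.unpack(
            ENTRY_FMT, mbr[off:off + PART_ENTRY_SIZE])
        if ptype != 0:                       # type 0 means an unused slot
            partitions.append({"bootable": flag == 0x80, "type": ptype,
                               "lba_start": lba, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(mbr[:PART_TABLE_OFFSET]).hexdigest(),
        "partitions": partitions,
        "signature_ok": mbr[510:512] == BOOT_SIGNATURE,
    }


def verify_mbr(current: bytes, baseline: bytes) -> list:
    """Compare a freshly read MBR against a trusted baseline; return findings."""
    cur, base = parse_mbr(current), parse_mbr(baseline)
    findings = []
    if not cur["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if cur["boot_code_sha256"] != base["boot_code_sha256"]:
        findings.append("boot code differs from baseline")
    if cur["partitions"] != base["partitions"]:
        findings.append("partition table differs from baseline")
    return findings


if __name__ == "__main__":
    # Constructed baseline: a few plausible x86 opcode bytes as boot code.
    baseline = build_sample_mbr(b"\xeb\x3c\x90")
    print("baseline:", parse_mbr(baseline))
    # Simulate a bootkit-style change: patch the first bytes of the boot code.
    tampered = bytearray(baseline)
    tampered[0:2] = b"\xe9\x00"
    print("findings:", verify_mbr(bytes(tampered), baseline))
```

Store the baseline hash somewhere the host cannot rewrite (a management server or offline copy); a comparison against a baseline kept on the same disk is only as trustworthy as the disk.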
How do we know that it has been working in Spain?
The Citizen Lab at the University of Toronto found that the malware does not communicate directly with the party doing the surveillance, but instead passes through several proxies to mask the traffic. However, because of the way the program works, by asking for our public IP we end up obtaining the IP of the FinFisher master server.
The IPs assigned to master servers are located where FinFisher's buyers carry out their activities, and since the sale of this software is restricted, in theory, to governments, we can work out which country is using FinFisher-based software when a server is detected operating on its national territory. And, between December 2014 and February 2015, a master server was found in Spain, in a block of IPs belonging to Telefónica.
What other countries have used FinFisher?
In addition to the Spanish server, Citizen Lab has tracked down FinFisher master servers and has detected a good number of them around the world. On some occasions it has even been able to pinpoint the agency using FinFisher, despite its traffic being hidden behind proxies around the world:
- Angola | Unknown
- Saudi Arabia | Unknown
- Bangladesh | DGFI
- Belgium | Federal Police
- Bosnia and Herzegovina | Unknown
- Egypt | TRD
- Slovenia | Unknown
- Spain | Unknown
- Ethiopia | Unknown
- Gabon | Unknown
- Indonesia | National encryption body and unknown entities
- Italy | Multiple unknown entities
- Jordan | Unknown
- Kazakhstan | Unknown
- Kenya | National Intelligence Service
- Lebanon | Multiple entities
- Macedonia | Unknown
- Malaysia | Unknown
- Mexico | Unknown
- Nigeria | Multiple unknown entities
- Oman | Unknown
- Paraguay | Unknown
- Czech Republic | Unknown
- Romania | Unknown
- Serbia | BIA
- South Africa | Unknown
- Taiwan | Unknown
- Turkmenistan | Unknown
- Venezuela | Unknown
Are there known cases where FinFisher has acted?
We know of several cases in which FinFisher has been used in one way or another:
- After Egyptian protesters stormed the headquarters of the State Security Investigations Service in 2011, they discovered letters from Gamma International confirming that the agency had been using a trial version for 5 months.
- The Citizen Lab mentioned above discovered FinFisher in emails received by Bahraini activists. In 2014, Bahrain Watch claimed that the country's government had been spying on lawyers, politicians, activists and journalists.
- Documents sent by the German Interior Ministry to the Parliament's finance committee revealed that the Federal Surveillance Agency licensed FinFisher in 2012, despite the fact that its legality in Germany is disputed.
- In 2014, an Ethiopian citizen living in the US sued the Ethiopian government for using FinFisher to record the activity on his computer. Traces on the computer showed that FinFisher had recorded dozens of Skype calls and then sent them to a server in Ethiopia under government control.
- Mozilla, the maker of Firefox, sent a cease-and-desist letter to Gamma Group in 2013 to stop it using the Firefox brand; one of FinFisher's entry methods is to impersonate a legitimate version of the browser.
The NSA is not the only one that wants data
We are not questioning here the legitimate uses a tool like this may have: for an intelligence service, these tools can make the difference between stopping a tragedy and not even finding out what is going to happen. The problem arises when these tools are secret and even their users are hidden behind a thick veil. Who ensures that a government does not abuse these means to spy on its citizens arbitrarily or to stay in power? Who is watching the watchers?
And all of this concerns European countries where we assume there are democratic guarantees; countries like Ethiopia and Bahrain have already been accused of using FinFisher to serve their interests and stay in power, and on the list of master servers we find dictatorial countries such as Saudi Arabia or Malaysia. How are these tools being used in countries where strict censorship is enforced, where an opponent of the government can lose his life for it?
Cases like the NSA's mass collection of metadata that Edward Snowden revealed to the world seem far away from us, but as he himself stated in an interview with The Objective, governments like Spain's are not exempt from practicing this kind of surveillance.