Brit Firm Implicated In Bahrain Activist Cyber Spy Attacks

Andover-based Gamma International has again been implicated in selling spying kit to a Middle Eastern government, as researchers found spy malware sent to activists in Bahrain was linked to the firm’s software.

Bahraini pro-democracy activists were sent emails containing pieces of malware in April and May, which were then sent on to Bloomberg News. The files were passed to the University of Toronto Munk School of Global Affairs’ Citizen Lab for analysis. That group believes the attached Trojans were versions of FinSpy, software produced by Gamma.

It has been reported that the company sold its FinFisher kit, which includes FinSpy, to repressive regimes, including the now-fallen Hosni Mubarak government of Egypt.

“The malware samples were connected to a server IP address owned by Batelco, the principal telecoms company of Bahrain,” Citizen Lab said. “If this is not the case, we invite Gamma International to explain.”

At the time of publication, Gamma had not responded to a request for comment.

Sneaky stuff

To back up its claims that the software belonged to Gamma, the researchers created a signature for the Bahraini malware, which they passed on to another researcher. That researcher then identified a sample that shared similar characteristics with the Bahrani Trojan, and that sample was connecting to a domain belonging to a representative of Gamma.

The Bahrain attempts used a methodology typical of targeted attacks,which are traditionally the domain of cyber criminals. The emails attempted to dupe the recipients by purportedly offering information on human rights abuses in Bahrain. The apparent sender was a ‘Melissa Chan’, who is a real correspondent for Aljazeera English.

If the recipients clicked on the attached documents, which appeared to be image files, they would download an executable, run the malware, and open their machines up to remote access and “comprehensive data harvesting and exfiltration capabilities”.

Citizen Lab ran the malware in a virtual machine and analysed the code, in which they found references to FinSpy. This may be the first time Gamma’s software has been seen in the wild.

The malware was found using sophisticated techniques to hide itself, including different code injects for each anti-virus solution to avoid detection. Data released by Wikileaks has previously suggested Gamma, in promoting the FinSpy tool to potential buyers, claimed it could bypass 40 regularly tested antivirus systems.

Stolen data was hidden away on encrypted files on the victim’s machine, before being sent out to the Trojan’s operators. The encryption was not perfect, however, as it failed to hide all information, meaning that when the researchers did a simple search for “FinSpy”, they found “.n.S.p.y”. Partially encrypted records were easily decrypted to reveal pieces of plain text, perhaps indicating Gamma could do a better job of covering its tracks.

“We conducted forensic examination of the files created in this directory and identified a wide range of data collected. Files in this directory were found to be screenshots, keylogger data, audio from Skype calls, passwords and more,” Citizen Lab said.

Earlier this week, Privacy International said it was planning to take the UK government to court for allowing egregious surveillance technology to be exported to repressive foreign regimes. It pointed to reports that Gamma was selling FinSpy in Egypt before Mubarak’s fall.

Privacy International wants the government to update the list of products that need scrutiny before being exported to include surveillance technology such as Gamma’s kit.

The group said the Bahrain case was “yet another example of the British surveillance industry failing spectacularly to regulate itself in an ethical way”.

“In light of today’s news, we will be writing a follow-up letter to BIS stressing the urgent need for government action on this issue,” added PI’s Emma Draper, in a blog post.

Like Internet anonymity? Try our Anonymous quiz!