FOLLOW-UP: one of the world’s creepiest spyware companies goes broke (we think)

FinFisher has been accused of improperly selling its spyware across the world. Now it’s claiming insolvency as the German government attempts to seize its assets.

Plus a “Postscript” on an equally notorious spyware company, NSO Group: a link to an in-depth account of its rise and the efforts inside Meta and Apple and Big Tech in general to stop it – and why cybersecurity is an “Impossible Dream”

BY:

Salvatore Nicci
Technology Analyst / Reporter
PROJECT COUNSEL MEDIA

19 April 2022 (Berlin, Germany) – We have written about Munich-based FinFisher in previous posts. Its business is to export surveillance software to repressive regimes as well as any police or law enforcement agency that wants it. Its state-of-the-art software is called FinSpy and by using this spyware, police and secret services can pinpoint a person’s exact location, access their passwords, record their telephone conversations and chats and read all their mobile phone and computer data. It also hides really well; even malware and antivirus software may fail to recognize it. It can also capture encrypted data and communications.

We have seen it in operation and it is incredible. Its spyware is believed to be among the best at pilfering data and listening in on mobile users.

NOTE: as we have previously written, companies like FinFisher (there are many, many others) have been able to export their products worldwide virtually unhindered, despite European export regulations and restrictions. As in all things regarding European regulation, you can drive a truck through the gaps.

Earlier this month the company shuttered its offices after quietly filing for insolvency this past February. The company has been under criminal investigation by the German government since 2019 over allegations that it illegally sold spyware to the government of Turkey without acquiring the requisite export licence. The spyware was allegedly used to monitor the phones of Turkish political activists.

The company’s implosion will likely affect the German government probe into its activities. At the time of the announced insolvency, authorities had been in the process of pursuing authorization to seize assets allegedly “obtained from an illegal act.” Though the investigation is ongoing, the asset seizure will no longer be possible, since the company no longer exists.

Privacy advocates have long said a swift indictment and conviction of the responsible business executives was necessary, but now that is in doubt. And the execs (and the software) are surfacing elsewhere in the cyber realm. Miriam Saage-Maaß, a German-trained lawyer and Legal Director of the European Center for Constitutional and Human Rights, has noted that, beyond the German proceedings, the EU and its member states must take far more decisive action against the massive abuse of surveillance technology that is so plentiful across Europe. But the EU is just not devoting the resources. A broad alliance of human rights and press freedom organisations has been campaigning for years for a moratorium on the sale, transfer and use of surveillance technology. Yes, the German government has not issued any export licences for surveillance software since 2015. Nevertheless, current versions of the FinSpy surveillance software keep turning up in countries across the globe. And many acknowledge that the appropriate legal framework is just not there to prevent it.

And FinFisher had just boosted its arsenal by adding four-layer obfuscation and advanced anti-analysis measures, as well as the use of a UEFI bootkit to infect victims. This suggests that the malware’s authors are doing their utmost to ensure this threat slips through the security nets. According to all of the spyware experts we consult on these matters, it is one of the hardest-to-detect spyware tools to date.

NOTE: bootkits are malicious code planted in firmware. They are invisible to security software running within the operating system, because the malware is designed to load before everything else, in the initial stage of the boot sequence.

Two spyware contacts we spoke with said they had been doing a comprehensive investigation into FinFisher spyware (which took eight months to complete) but then the company “went under the radar”. When it resurfaced, the spyware had added capabilities to gather all manner of credentials, file listings and deleted files, as well as to live-stream or record data. It could also gain access to webcams and microphones.

And, unlike previous iterations of the spyware, which bundled the Trojan directly into the infected application, new samples were protected by two components: a non-persistent pre-validator and a post-validator. The first component runs multiple security checks to ensure that the device it is infecting does not belong to a security researcher. Once it is established that it does not, the post-validator component ensures that the infected victim is the intended one, and only then does the server order the fully-fledged Trojan platform to be deployed.

FinFisher is heavily obfuscated with four complex custom-made obfuscators. The primary function of this obfuscation is to slow down analysis of the spyware. On top of that, the Trojan also employs unusual ways to gather information. For instance, it uses the developer mode in browsers to intercept traffic protected by the HTTPS protocol.

And, as noted by another expert, its capabilities to evade detection and analysis make this spyware particularly hard to track. The fact that the tool is deployed with such precision and is practically impossible to analyse makes its victims particularly vulnerable, and researchers face a significant hurdle – having to invest an overwhelming amount of resources into untangling each and every sample.

POSTSCRIPT

NSO Group is perhaps the most successful, most notorious, most controversial … and most influential firm in a generation of Israeli startups that have made the country the center of the spyware industry. Commercial spyware has grown into an industry estimated to be worth twelve billion dollars. It is largely unregulated and increasingly controversial.

In recent years, investigations by organisations like the Citizen Lab and Forensic Architecture, with their highly sophisticated forensic technology (including specialised software that searches for spyware designed to operate invisibly), have revealed the presence of Pegasus (the NSO Group’s key spyware) on the phones of politicians, activists, and dissidents under repressive regimes, and its use by hundreds of law enforcement agencies in the United States and across Europe.

Ronan Farrow has been working on a major investigative piece on NSO Group for The New Yorker magazine. It is a long piece but it goes into detail on how the Pegasus spyware easily “arrives” via iMessage or WhatsApp or as S.M.S. messages that seem to come from known contacts. Some require a click on a link, and others operate with no action from the user.

And it made even more recent news when Israel refused Ukraine’s requests for NSO spyware (it denied Estonia, too) fearing a Russian response. A senior U.S. intelligence official noted the technology could have been used to monitor Russia’s military progress in the months leading up to the invasion and provide Kyiv with a better understanding of what was coming. But Israel feared licensing NSO Group to sell Pegasus to Ukraine would be viewed as an act of aggression against Russian intelligence services. Israel has been walking a tight line since the Russian invasion of Ukraine, offering some support to Kyiv without angering Russia, which maintains a substantial military presence in Syria, across Israel’s northern border.

The New Yorker piece is a long article but well worth the read for an education on spyware, on the almost impossible task faced by Apple, Facebook and Big Tech to maintain some level of cybersecurity, and on the folly of believing that mobile cybersecurity is achievable.

As I write this, the article is freely accessible and not behind The New Yorker paywall. You can read it by clicking here.