New report: FinFisher changes tactics to hook critics

It’s been over five years since Citizen Lab first exposed the use of FinFisher surveillance malware to target Bahraini activists. Despite the explosion of security investigations that followed, the use of FinFisher spyware against dissidents has not stopped. In the face of negative attention, public embarrassment, export control violations, and even legal challenges, the German company is continuing to facilitate the repression of nonviolent activists and political opponents in authoritarian countries such as Turkey. The only difference is that FinFisher has taken steps to ensure these attacks are harder to identify and trace back to the company.

This report provides up-to-date details on how FinFisher’s technology is currently being used against critics and evading scrutiny by security researchers, drawing from two years of observation by technologists at Access Now’s Digital Security Helpline – a 24/7, free-of-charge resource for civil society across the globe – and external partners. The findings have significant human rights, security, and policy implications.

Some of the first rumours of FinFisher’s involvement in supplying tools to authoritarian governments originated from its sales to Middle Eastern governments during the “Arab Spring”. Repeatedly, the company has deepened its connection to countries which dramatically escalate the repression of dissent in their territories, including governments on the brink of collapse. While FinFisher and its apologists continue to claim that it provides value-neutral technologies for targeted surveillance to stop terrorism and preserve national security, the evidence points to its repeated, flagrant use to indiscriminately target political opponents. As we show in this report, that includes targeting the main opposition party in Turkey during a protest, using tactics that increase the subtlety, scale, and aggression of the attacks. In Turkey and elsewhere, these are attacks on fundamental rights, civil society, and democracy.

Our documentation of FinFisher malware attacks reveals that the software is being used as part of “social engineering” campaigns designed to compromise mobile devices. Since the use of the company’s malware to crush dissent was first revealed, many researchers have analysed multiple samples to document its capabilities. In several cases, researchers have scanned the internet for its known communications infrastructure. However, the pace of such disclosures has slowed over time. To our knowledge, no publication has documented the use of FinFisher’s mobile malware systems since the company was breached by the hacktivist Phineas Fisher in August 2014.

Two years ago, researchers could more easily map the company’s customers. In the malware samples described in this report, we show the company is now placing more emphasis on obfuscation and non-attribution of its operational infrastructure. Our analysis of uses of FinFisher’s “FinSpy” for mobile devices exposes the attacks in Turkey, and also helped us to identify other copies of the malware that indicate broader current use. There is evidence of its use in concurrent efforts to undermine civil society outside Turkey, including the compromise of individuals in Indonesia, Ukraine, and Venezuela.

Our aim in publishing this report is to add to the body of evidence demonstrating the use of FinFisher spyware against civil society, and to show that more needs to be done to ward off these attacks and ensure that technology firms like FinFisher do not continue to facilitate and profit from human rights abuse.

We have shared our findings with FinFisher, and requested information from the company regarding any business it may have with clients in Turkey, and any relevant human rights policies, due diligence processes, or remedial mechanisms in place to prevent and mitigate potential harm from its products and services. We will publish our correspondence to the company and any response received alongside this report.