A new report from Citizen Lab, a Canadian research center, shows surveillance software sold by FinFisher, a “governmental IT intrusion” company owned by the UK-registered Gamma International, is now active in 36 countries. That’s up from the 25 countries reported two months ago.
Gamma’s product, which it sells exclusively to governments, infects computers and mobile phones through devious means. These include posing as Mozilla Firefox and the (frankly quite elegant) ruse of using a “right-to-left override,” which is typically used to render writing in Arabic but can work in any language. This helps it foil users trained to look out for suspicious file extensions by hiding, say, an “.exe,” and making the file appear to be an image with a .jpg extension instead.
Once the file has been installed on a machine, the “command-and-control server,” which does exactly what it sounds like it would, can be used to monitor the infected computer.
In the past, intelligence agencies have used the program to infiltrate “internet cafes in critical areas in order to monitor them for suspicious activity, especially Skype communication” and to target members of organized crime groups, according to a FinFisher brochure released by Wikileaks.
The product may also have been used in the past by repressive nations hoping to monitor dissidents. In his new book, Eric Schmidt mentions “a raid on the Egyptian state security building after the country’s 2011 revolution [which] produced explosive copies of contracts with private outlets, including an obscure British firm that sold online spyware to the Mubarak regime.” Gamma denied that it had supplied the regime with its program, which its agents were hawking for a piddling $560,000.
Gamma is far from the only such company. Governmental surveillance is a thriving market—worth about $5 billion annually, according to the Wall Street Journal. Firms such as the German Trovicor and Vupen, from France, also deal in “government grade exploits.”
The business is necessarily discreet, but it’s still legitimate. The use of such software is legal in many countries. None of which makes a presentation called “Governmental IT Intrusion: Applied Hacking Techniques Used by Governments” any less creepy.