[kictanet] FinFisher, how the government contacted a Germany company to spy on its citizens

Mwendwa Kivuva Kivuva at transworldafrica.com
Fri Oct 16 20:59:18 EAT 2015


Whose communication is safe? It seems nobody's, if the research below by
CitizenLab is anything to go by. If you are a person of interest, the
government reads everything you read and write.

Where is the threat if government uses hacking to safeguard its citizens?
Here is a short answer: "research and revelations about Hacking Team’s
Remote Control System (RCS), a competitor product, have also made it clear
that some government customers used these tools to target their political
opponents, rather than security threats to their citizens."

This is how the government is spying on you.

https://citizenlab.org/2015/10/mapping-finfishers-continuing-proliferation/

This post describes the results of Internet scanning we recently conducted
to identify the users of FinFisher, a sophisticated and user-friendly
spyware suite sold exclusively to governments.  We devise a method for
querying FinFisher’s “anonymizing proxies” to unmask the true location of
the spyware’s master servers.  Since the master servers are installed on
the premises of FinFisher customers, tracing the servers allows us to
identify which governments are likely using FinFisher.  In some cases, we
can trace the servers to specific entities inside a government by
correlating our scan results with publicly available sources.  Our results
indicate 32 countries where at least one government entity is likely using
the spyware suite, and we are further able to identify 10 entities by
name.  Despite the 2014 FinFisher breach, and subsequent disclosure of
sensitive customer data, our scanning has detected more servers in more
countries than ever before.

*Executive Summary*

FinFisher is a sophisticated computer spyware suite, written by
Munich-based FinFisher GmbH, and sold exclusively to governments for
intelligence and law enforcement purposes.  Although marketed as a tool for
fighting crime,[1]
<https://citizenlab.org/2015/10/mapping-finfishers-continuing-proliferation/#1>
the spyware has been involved in a number of high-profile surveillance
abuses.  Between 2010 and 2012, Bahrain’s government used FinFisher to
monitor some of the country’s top law firms, journalists, activists, and
opposition political leaders.[2]
<https://citizenlab.org/2015/10/mapping-finfishers-continuing-proliferation/#2>
Ethiopian dissidents in exile in the United Kingdom[3]
<https://citizenlab.org/2015/10/mapping-finfishers-continuing-proliferation/#3>
and the United States[4]
<https://citizenlab.org/2015/10/mapping-finfishers-continuing-proliferation/#4>
have also been infected with FinFisher spyware.

In 2012 and 2013, Citizen Lab researchers and collaborators[5]
<https://citizenlab.org/2015/10/mapping-finfishers-continuing-proliferation/#5>
published several reports analyzing FinFisher spyware, and conducted
scanning that identified FinFisher command and control (C&C) servers in a
number of countries.  In our previous research, we were not yet able to
differentiate between FinFisher *anonymizing proxies* and *master* servers,
a distinction that we make in this work.

When a government entity purchases FinFisher spyware, they receive a *FinSpy
Master*—a C&C server that is installed on the entity’s premises.[6]
<https://citizenlab.org/2015/10/mapping-finfishers-continuing-proliferation/#6>
The entity may then set up *anonymizing proxies* (also referred to as
“*proxies*” or “*FinSpy Relays*” in the FinFisher documentation), to
obscure the location of their master.  Infected computers communicate with
the anonymizing proxy, which is “usually”[7]
<https://citizenlab.org/2015/10/mapping-finfishers-continuing-proliferation/#7>
set up on a Virtual Private Server (VPS) provider in a third country.  The
proxy then forwards communications between a victim’s computer and the
Master server.

We first describe how we scanned the Internet for FinFisher servers and
distinguished masters from proxies (*Part 1: Fishing for FinFisher*).  We
then outline our findings regarding 32 governments and 10 specific
government entities that we believe are using FinFisher (*Part 2: Country
Findings*).  Finally, we highlight several cases that illuminate
connections between different threat actors (*Part 3: A Deeper Analysis of
Several Cases*), before concluding (*Conclusion*).

*Kenya*

*National Intelligence Service*

We found a FinFisher server in a range of IP addresses registered to a
Kenyan user named “National Security Intelligence.”  Kenya’s National
Intelligence Service (NIS) was formerly known as the National Security
Intelligence Service (NSIS).

Kenya’s NSIS replaced the former Directorate of Security Intelligence
(DSI), commonly known as the “Special Branch”.[52]
<https://citizenlab.org/2015/10/mapping-finfishers-continuing-proliferation/#52>
The NIS is known as one of Kenya’s security institutions with the biggest
budgetary allocation—along with the Kenya National Defence Forces and the
National Police Service—and considered to be among the country’s critical
security organs in the new constitution.[53]
<https://citizenlab.org/2015/10/mapping-finfishers-continuing-proliferation/#53>
In 2014, Human Rights Watch named the NIS, as well as the Anti-Terrorism
Police Unit and other Kenyan intelligence agencies, as being implicated in
abuses including torture, disappearances, and extrajudicial killings.[54]
<https://citizenlab.org/2015/10/mapping-finfishers-continuing-proliferation/#54>

The powers of the NIS were expanded significantly in December 2014 when the
Parliament of Kenya rushed to pass the controversial Security Laws
(Amendment) Bill.[55]
<https://citizenlab.org/2015/10/mapping-finfishers-continuing-proliferation/#55>
The amendments came following a series of deadly terrorist attacks by the
militant group al-Shabab, including the 2013 killing of 67 people at the
Westgate shopping mall in Nairobi.[56]
<https://citizenlab.org/2015/10/mapping-finfishers-continuing-proliferation/#56>
This bill expanded the powers of the NIS to monitor communications without
a warrant, as well as expanding their powers to search and seize private
property.[57]
<https://citizenlab.org/2015/10/mapping-finfishers-continuing-proliferation/#57>
Article 62 of the amended bill authorized NIS agents to “do anything
necessary to preserve national security” and to detain individuals on
simply the suspicion of engaging in acts which pose a threat to national
security.[58]
<https://citizenlab.org/2015/10/mapping-finfishers-continuing-proliferation/#58>
Section 66 of the bill amended the National Intelligence Services Act,
permitting the Director General of the NIS to monitor communications or
“obtain any information, material, record, document or thing” in order to
protect national security, without court oversight, leading rights
organization Article 19 to argue that the amendment “effectively [gives]
*carte blanche* to the Director-General to order mass surveillance of
online communications”.[59]
<https://citizenlab.org/2015/10/mapping-finfishers-continuing-proliferation/#59>
While a court ruling in February 2015 struck down some provisions of the
amendment, the provisions enhancing the powers of the NIS remained.[60]
<https://citizenlab.org/2015/10/mapping-finfishers-continuing-proliferation/#60>

More here:
https://citizenlab.org/2015/10/mapping-finfishers-continuing-proliferation/