Pay No Attention to the Server Behind the Proxy: Mapping FinFisher’s Continuing Proliferation

Citizen Lab

Executive Summary

FinFisher is a sophisticated computer spyware suite, written by Munich-based FinFisher GmbH, and sold exclusively to governments for intelligence and law enforcement purposes. Although marketed as a tool for fighting crime,[1] the spyware has been involved in a number of high-profile surveillance abuses. Between 2010 and 2012, Bahrain’s government used FinFisher to monitor some of the country’s top law firms, journalists, activists, and opposition political leaders.[2] Ethiopian dissidents in exile in the United Kingdom[3] and the United States[4] have also been infected with FinFisher spyware.

In 2012 and 2013, Citizen Lab researchers and collaborators[5] published several reports analyzing FinFisher spyware, and conducted scanning that identified FinFisher command and control (C&C) servers in a number of countries. In our previous research, we were not yet able to differentiate between FinFisher anonymizing proxies and master servers, a distinction that we make in this work.

When a government entity purchases FinFisher spyware, they receive a FinSpy Master—a C&C server that is installed on the entity’s premises.[6] The entity may then set up anonymizing proxies (also referred to as “proxies” or “FinSpy Relays” in the FinFisher documentation), to obscure the location of their master. Infected computers communicate with the anonymizing proxy, which is “usually”[7] set up on a Virtual Private Server (VPS) provider in a third country. The proxy then forwards communications between a victim’s computer and the Master server.

We first describe how we scanned the Internet for FinFisher servers and distinguished masters from proxies (Part 1: Fishing for FinFisher).  We then outline our findings regarding 32 governments and 10 specific government entities that we believe are using FinFisher (Part 2: Country Findings).  Finally, we highlight several cases that illuminate connections between different threat actors (Part 3: A Deeper Analysis of Several Cases), before concluding (Conclusion).


Camilla Wood

UK based Legal Aid Lawyer
