Gamma International is a sub-company of a Hampshire,U.K.-based firm Gamma Group that was revealed to have been involved in providing surveillance capabilities to the Mubarak regime during the 2011 Egyptian revolts. In November, 2011, De Spiegel and the Wall Street Journal reported on methods the company uses to install surveillance software. In July 2012, the first confirmed reports of FinFisher use (against Bahrani activists) was confirmed.
Egyptian anti-regime activists found a startling document last month during a raid inside the headquarters of the country’s state security service: A British company offered to sell a program that security experts say could infect dissidents’ computers and gain access to their email and other communications.
The discovery highlights the emerging market of Western companies that sell software to security services from the Middle East to China to spy on the kinds of social media activists who recently toppled regimes in Egypt and Tunisia.
Amid the scattered papers, interrogation devices and random furniture found during the raid, the activists uncovered a proposed contract dated June 29 from the British company Gamma International that promised to provide access to Gmail, Skype, Hotmail and Yahoo conversations and exchanges on computers targeted by the Interior Ministry of ousted President Hosni Mubarak.
Additional media reports:
- 'Report: UK Firm Offered Custom Malware to Egyptian Security Services' from ThreatPost
- 'Report: U.K. firm offered IT intrusion tools to Egyptian government' from TechHerald
- 'British firm offered spying software to Egyptian regime – documents' from Guardian.UK
The software in question is called FinFisher.. The company's own description of FinFisher includes the following characterization:
The Remote Monitoring and Infection Solutions are used to access target systems giving full access to stored information with the ability to take control of the target systems functions to the point of capturing encrypted data and communications. In combination with enhanced remote infection methods, the Government Agency will have the capability to remotely infect target systems.
This document, which was obtained from Interior Ministry offices, would seem to be a proposal by the company pursuant to the selling of the software in question; pricing and delivery information is found at the end.
Excerpt from a translation of the Interior Ministry report:
The Central Administration for Information TechnologyUltimately confidential
- We received lately an offer from the Modern Communication Systems company MCS on behalf of GAMMA, the international German company, specialized in developing software and electronic security systems that serve the hacking of email accounts, as shown on their last product (FINFISHER program which is being used by a lot of State Security investigations worldwide) and they added a “free” trial version (Which is a laptop with the software already installed on) to try and determine its technical ability to hack e-mail accounts.
- Based over our trials of the software indicated we came to the following conclusions:
- It is a high level security system that posses a lot of technical abilities over the other software in this field, which have the features of (hacking e-mail accounts of Hotmail, Gmail and Yahoo, the ability to update Trojan files over the computers of the targeted elements, the usage of their computers and the usage of their electronic fingerprints in correspondence, the full control of the hacked elements computers) Not to mention its success in breaking through personal accounts on Skype network, which is considered the most secure method of communication used by members of the elements of the harmful activity because it is encrypted.
- Hacking the targeted element using the software mentioned is like planting a comprehensive spying system in the location where the targeted computer exists:
- The recording of voice and video calls on the internet
- The recording of his conversations, movements and its surroundings (Video and audio) in the room where the hacked computer is located (that’s in case the computer contains a camera and microphone like most laptops)
- The ability to hack all the computers connected to the same Local Area Network, without the necessity to target each computer alone)
- The company mentioned above gave us a full price offer which includes the software mentioned above, training 4 officers from those who are working at the technology intrusion department as well as offering technical support from the company for 3 whole years giving and the total amount offered was 388,604 Euros.
- Proposal dated: 1st January 2011
Within the document Johnny Debs is listed as the marketing manager for Gamma Group and is most likely to be the contact with whom the Egyptian Mubarak regime's representatives would have been discussing the acquisition of software with.
A reported contact number for the Gamma Group is +44 1264 332411.
- Johnny Debs (above)
- Martin J. Muench
- Gamma International GmbH’s managing director based in Munich 
- Entry on BuggedPlanet WIKI
- 'Company representative' in BBC media report.
- Presenter of 'Workshop K': 'FinFisher - A different approach to monitoring encrypted communication' at Data Expert Digital Experience 2011 in the Netherlands.
- In November 2012 Muench was interviewed by US based Bloomberg for their article 'MJM as Personified Evil Says Spyware Saves Lives Not Kills Them'.
Gamma International Denial
From a report by the BBC:
- 'Hampshire-based Gamma International UK denies actually supplying the program, which infects computers with a virus that bugs online voice calls and email.
- The foreign secretary says he will "critically" examine export controls.
- William Hague, who speaks for the government on computer security issues, said: "Any export of goods that could be used for internal repression is something we would want to stop."'
Additional media reports:
- 'UK firm denies supplying spyware to Mubarak's secret police' from Register.UK
- 'UK malware used against Bahraini activists' from DW.de
In November, 2011, the Wall Street Journal reported on details of the company's products which can use iTunes, and other popular sites and software, to install surveillance programs. The information came from Gamma International's own promotional material which form part of '200-plus marketing documents' which 'were obtained from attendees of a secretive surveillance conference' and have formed the basis of the newspaper's 'Surveillance Catalog'.
The Wall Street Journal writes:
- 'Perhaps the most extensive marketing materials came from Gamma’s FinFisher brand, which says it works by “sending fake software updates for popular software,” from Apple, Adobe and others. The FinFisher documentation included brochures in several languages, as well as videos touting the tools.
- Gamma’s FinFisher documents claim its tools can infect files that are being downloaded. In particular, the FinFly ISP video says it can send a “fake iTunes update” to the computer government agents want to infect. The FinFly ISP video file viewed by the Journal was unable to be reproduced for the original “Surveillance Catalog,” but the Journal was able to obtain several screenshots Monday.
- An Apple spokeswoman was quoted in Saturday’s story as saying the company works “to find and fix any issues that could compromise [users'] systems.” Apple last week introduced a security update to iTunes that could stop an attack similar to the type FinFisher claimed to be using, namely offering bogus software updates that install its spyware. “The security and privacy of our users is extremely important,” the Apple spokeswoman said.
- The FinFisher documents also say that its tool can allow a website to pretend that software such as Adobe’s Flash is missing and will prompt the user to download the software. Adobe declined to comment.'
De Spiegel reports that Gamma International attended the 'Cyberwarfare Europe' conference in Berlin in September, 2011. De Spiegel attempted to speak to the company but '...Gamma representatives, however, were only interested in sharing information about their service with potential customers. ... The managing director, from Munich, told SPIEGEL the company had no interest in any reporting on its products.' That wariness extended to ensuring that '... that journalists left the room when their managing director gave a presentation.'
According to De Spigel, which reviewed Gamma Internationals promotional material, they offer '... a whole palette of possibilities for infiltrating and installing spy software on target computers.
- 'The simplest way noted is if the "agent" has physical access to the targeted person's computer. In such instances, it is sufficient to stick a USB stick ("FinFly USB") into the computer. But what can one do when that isn't possible? The company also offers solutions for those instances -- even for mobile devices. The animated promotion video for "FinSpy Mobile," for example, states: "The Target is using a Blackberry phone for his communication." It then sends a message to the target in a format that looks like an update for the phone. "The Target receives a fake update message from FinSpy Mobile," the video states. "The Target accepts the Blackberry Update." And, finally, "The Target System is now infected with FinSpy software. … The Headquarter has full access to the Target Phone."
- The firm's promotion material also suggests that in an infection through "FinFly ISP," the recipient receives a "fake iTunes update." If the update is clicked on and downloaded, "headquarters" will have full access to the targeted computer -- at least according to the company's promotional materials.'
FinFisher & Bahrain
On July 25, 2012, Bloomberg News foreshadowed a report which analysed 'five different e-mails' they obtained from 'Bahraini activists' which appeared to have been 'targeted by the malware' FinFisher :
- 'It’s one of the world’s best-known and elusive cyber weapons: FinFisher, a spyware sold by U.K.- based Gamma Group, which can secretly take remote control of a computer, copying files, intercepting Skype calls and logging every keystroke.
- “We know it exists, but we’ve never seen it -- you can imagine a rare diamond,” says Mikko Hypponen, chief research officer at Helsinki-based data security company F-Secure Oyj. (FSC1V) He posted the Egypt documents online last year and said if a copy of the software itself were found, he’d write anti-virus protection against it.
- Now he may get his wish.
- Researchers believe they’ve identified copies of FinFisher, based on an examination of malicious software e-mailed to Bahraini activists...'
The report From Bahrain With Love: FinFisher’s Spy Kit Exposed? by the University of Toronto's 'CitizenLab' is an 'analysis of several pieces of malware obtained by Vernon Silver of Bloomberg News that were sent to Bahraini pro-democracy activists in April and May' of 2012. Their purpose was 'identification and classification of the malware to better understand the actors behind the attacks and the risk to victims' and to achieve this they 'undertook several different approaches during the investigation' including:
- 'directly examining the samples through static and dynamic analysis'
- infecting 'a virtual machine (VM) with the malware', and
- monitoring the infected VM's:
- running operating system
In summary: 'This analysis suggests the use of “Finspy”, part of the commercial intrusion kit, Finfisher, distributed by Gamma International.'
The CitizenLab report goes on to examine how the FinFisher malware:
- 'was delivered to potential victims using e-mails with malicious attachments'
- 'infects the target machine'
- 'is designed to resist analysis and evade identification'
- 'collects and encrypts data from the infected machine'
- and its 'communications behavior'.
They conclude by stating that they have shared 'samples from email attachments' with 'selected individuals within the security community' and 'strongly urge antivirus companies and security researchers to continue where we have left off'. CitizenLab also provides a more general warning for activists and internet users:
- 'Be wary of opening unsolicited attachments received via email, skype or any other communications mechanism. If you believe that you are being targeted it pays to be especially cautious when downloading files over the Internet, even from links that are purportedly sent by friends.'
Among those to receive the emails used for analysis by CitizenLab were 'a naturalized U.S. citizen, a London-based human rights activist, and a British-born economist in Bahrain'. The US citizen, 34 year old Husain Abdulla is a director of Americans for Democracy and Human Rights in Bahrain. Abulla 'received the spyware on his Blackberry while in Washington for meetings at a congressional office building, and is considering taking legal action'.
In other reports UK based lobby group Privacy International 'has commissioned lawyers to write to the UK Secretary of State for Business Innovation and Skills, Vince Cable, stating that human rights defenders, political dissidents and other vulnerable groups are being targeted by increasingly sophisticated state surveillance - much of it supplied by British companies' including Gamma International.
On July 27, 2012, Bloomberg reported that Munich based Gamma International managing director Martin J. Muench denied the company had sold the FinFisher malware to Bahrain and that the company was investigating whether the product in the CitizenLab study was a 'demonstration copy of the product stolen from Gamma and used without permission'.. Muench, who corresponded with Bloomberg via email, said:
- 'As you know we don’t normally discuss our clients but given this unique situation it’s only fair to say that Gamma has never sold their products to Bahrain... it is unlikely that it was an installed system used by one of our clients but rather that a copy of an old FinSpy demo version was made during a presentation and that this copy was modified and then used elsewhere...'
To back up his claims Muench added that the argued 'modification' resulted in 'no message [being] sent to our server when the demo product was used against a real target'. He went further to suggest that 'the demonstration version may have been stolen using a flash drive' while conceding 'I have no evidence to support this'.
On the same day, the Committee To Project Journalists (CPJ) expanded on CitzenLabs' initial general warning to internet users highlighting the case of Al-Jazeera's Melissa Chan. Chan was not a recipient of the malware loaded email sent to activists but 'the message was crafted to appear to be from [her]. The attackers were using Chan's reputation as a journalist to trick their victims into opening the document.'
CPJ suggests 'Use a phone call or instant messaging to confirm a message before opening any attachment... A live phone call is harder to fake' while concluding, more ominously, 'Security services faking messages from real journalists in order to spy on activists is a grave danger to press freedom.'