In the summer of 2014, an anti-surveillance "digilante" only known as PhineasFisher hacked into the servers of the controversial company Gamma International, makers of the FinFisher government spyware, and exposed some of its secrets to the world.
The breach revealed the company's customer list as well as details of its products. For some, this was going to seriously damage the company. But a year later, FinFisher is alive and well as a now-separate company. In fact, it has more customers than previously reported, according to a new investigation by Citizen Lab, a digital watchdog at the University of Toronto's Munk School of Global Affairs.
FinFisher sells surveillance technologies to government agencies that allow them to break into a target's computer or phone, and monitor all his or her activities, logging phone calls, emails, or messages.
"They've got a healthy batch of clients."
As of today, at least 32 countries are active customers of FinFisher, according to researchers at Citizen Lab, who were able to identify several FinFisher servers all over the world, despite the fact that the company boasts of employing proxies that are "practically impossible to trace." To find all these servers, the researchers scanned the whole internet six times between the end of December 2014 and this past September.
"It appears they've got a healthy batch of clients," Marczak told Motherboard.
Some of those customers are in countries that have questionable human rights records, such as Kazakhstan, Bangladesh, Ethiopia, or Venezuela. In the past, FinFisher customers, including Bahrain and Ethiopia, were caught using the spyware against human rights activists or opposition groups.
"There is growing global demand for 'targeted intrusion in a box' capabilities," Citizen Lab researchers wrote in the report, which was published on Thursday. "Despite extensive, and often critical, publicity, products like FinFisher are purchased and deployed by countries all over the world. As the customer list grows, so should concern over the abuse potential of this technology."
FinFisher did not respond to Motherboard's request for comment.
The group of researchers, led by Bill Marczak, were able to figure out whose countries the servers belonged to thanks to some clever tricks, and some help from an unexpected source: the data dumped as part of breach of FinFisher's competitor, the Italian company Hacking Team.
While reviewing some of the files belonging to the Italian surveillance contractor, which were also published online by PhineasFisher, Marczak noticed a specific IP address.
"Uhm, that IP address is really, really, familiar," Marczak recalled thinking at the time.
As it turned out, Marczak and his colleagues at the Citizen Lab had found that IP address while scanning the internet looking for FinFisher servers, but just didn't know to whom it belonged. This gave him the idea that, perhaps, there would be more clues among the Hacking Team data, given that the two companies, despite being competitors, share some of the same customers.
Some victims that were spied by their country's government's using FinFisher software. (Video: Justice Forum)
And, indeed, there were. For example, a former Hacking Team employee, while performing a demo for an Indonesian military agency, sent an email using an IP address that belongs to the same range as some alleged FinFisher servers. Given that the email was sent after the scheduled demo, the researchers inferred that it was sent from the military agencies' premises.
In other cases, the researchers had to try more imaginative tricks to figure out who the IP addresses belonged to. When put into a web browser, many FinFisher proxy servers' IP addresses redirect to Google.com as a decoy page in an attempt to hide their real function.
"I was just kind of sitting around, playing around, trying things," Marczak told Motherboard over the phone. "I tried a 'what is my ip address' query and I was like 'wow, it's giving me an IP address that's not the same as the one in my address bar!'"
The researchers believe these IP addresses belongs to FinFisher master servers, or, in other words, the surveillance boxes directly operated by the company's customers.
Some FinFisher servers used Yahoo.com as a decoy, and the "What's my IP" trick doesn't work for them. But the researchers were able to figure out the city and country of FinFisher servers thanks to the weather widget displayed on Yahoo's landing page. That's how, for example, they discovered that a proxy with a Lithuanian IP address was actually located in Caracas, Venezuela.
The researchers collected a total of 135 IP addresses that they believe belong to FinFisher boxes, but were not able to trace them all back to a specific country. So "there's definitely more customers," Marczak said.
The researchers are not worried about revealing how they found them because, as he put it, this is "always a cat and mouse [game]."
"As a researcher you always have to balance the potential for future visibility with the impact you can have now by publishing findings," he added.
That's why the researchers are publishing most of the IP addresses they've been able to find: to give more information about FinFisher to other people that need it, including other researchers, journalists, and officials working in policy and advocacy. The researchers, however, are not revealing the IP addresses of servers that were not firewalled, and thus vulnerable to attacks, which could interfere with legitimate investigations.
"We do not wish to disrupt or interfere with legitimately sanctioned investigations or other activities," the researchers wrote in the report, "but to ensure that citizens have the opportunity to hold their governments transparent and accountable."