Spyware targets dissidents

Morgan Marquis-Boire works as a Google engineer and Bill Marczak is earning a Ph.D. in computer science. But this summer, the two men have been moonlighting as detectives, chasing an elusive surveillance tool from Bahrain across five continents.

What they found was the widespread use of sophisticated, off-the-shelf computer espionage software by governments with questionable records on human rights. While the software is supposedly sold for use only in criminal investigations, the two came across evidence that it was being used to target political dissidents.

The software proved to be the stuff of a spy film: It can grab images of computer screens, record Skype chats, turn on cameras and microphones and log keystrokes. The two men said they discovered mobile versions of the spyware customised for all major mobile phones.

The software has been identified as FinSpy, one of the more elusive spyware tools sold in the growing market of off-the-shelf computer surveillance technologies that give governments a sophisticated plug-in monitoring operation. Research now links it to servers in more than a dozen countries, including Turkmenistan, Brunei and Bahrain, although no government acknowledges using the software for surveillance purposes.

The market for such technologies has grown to $5 billion a year from “nothing 10 years ago,” said Jerry Lucas, president of TeleStrategies, the company behind ISS World, an annual surveillance show where law enforcement agents view the latest computer spyware.

FinSpy is made by the Gamma Group, a British company that says it sells monitoring software to governments solely for criminal investigations.

“This is dual-use equipment,” said Eva Galperin, of the Electronic Frontier Foundation, an Internet civil liberties group. “If you sell it to a country that obeys the rule of law, they may use it for law enforcement. If you sell it to a country where the rule of law is not so strong, it will be used to monitor journalists and dissidents.”

Until Marquis-Boire and Marczak stumbled upon FinSpy last May, security researchers had tried, unsuccessfully, for a year to track it down. FinSpy gained notoriety in March 2011 after protesters raided Egypt’s state security headquarters and discovered a document that appeared to be a proposal by the Gamma Group to sell FinSpy to the government of President Hosni Mubarak for $353,000.

In May, Marquis-Boire, 32, of San Francisco, and Marczak, 24, of Berkeley, Calif., volunteered to analyse some suspicious emails sent to three Bahraini activists. They discovered all the emails contained spyware that reported back to the same command-and-control server in Bahrain.

Since publishing their findings, Marquis-Boire and Marczak started receiving malware samples from other security researchers and from activist groups that suspected they may have been targets. In several cases, the two found that the samples reported back to websites run by the Gamma Group. But other samples appeared to be actively snooping for foreign governments.

A second set of researchers from Rapid7, of Boston, scoured the Internet for links to the software and discovered it running in 10 more countries. Indeed, the spyware was running off EC2, an Amazon.com cloud storage service.

Marquis-Boire said a Turkmenistan server running the software belonged to a range of IP addresses specifically assigned to the ministry of communications. It is the first clear-cut case of a government running the spyware off its own computer system.
Marquis-Boire said that as he traced spyware from Bahrain to 14 other countries – many of them “places with tight centralised control” – he was growing increasingly worried about the people on the other end.

Four months in, he sounds like a man who wants to take a break, but knows he cannot just yet: “I can’t wait for the day when I can sleep in and watch movies and go to the pub instead of analysing malware and pondering the state of the global cyber surveillance industry.”