[This report was originally published by Bahrain Watch on 13 March 2013.]
TOP BAHRAINI COMPANY INFECTED WITH GOVERNMENT SPYWARE SOLD BY UK FIRM IN APPARENT POLITICALLY MOTIVATED TARGETING
Company Declines to be Identified, Citing Potential Reprisals
[Manama] During the course of recent investigations, Bahrain Watch determined that a computer inside a top Bahraini company was infected with spyware operated by Bahrain’s government. The spyware, known as FinSpy, is sold exclusively to government law enforcement and intelligence agencies by UK firm Gamma International. The company believed that it would suffer reprisals if we identified it as a victim by name, or mentioned its line of business.
The infection was detected using a tool developed by Bahrain Watch to search for FinSpy. Bahrain Watch conducted a limited distribution of the tool inside Bahrain. The tool identified FinSpy samples on the computer.
The infection at the company predates a campaign against Bahraini activists in April and May of 2012. The company was found to be infected with a version of FinSpy that identified itself as FinSpy v4.00. The campaign against activists used a version of FinSpy that identified itself as FinSpy v4.01. Both versions communicated with the same server inside Bahrain. Unfortunately, Bahrain Watch is unable to release the FinSpy v4.00 sample or hash, as these would likely identify the company. The use of two different FinSpy versions calls into question Gamma’s claim that Bahrain is using a “stolen demonstration copy” of FinSpy, and instead suggests that Bahrain is receiving updated spyware from Gamma. It also calls into question Bahrain’s recent claim that it did not purchase any spyware from Gamma International.
The infected computer inside the company contained information that could be used to observe or manipulate the company’s day-to-day operations. Bahrain Watch shared relevant data about the infection with Citizen Lab, who conducted an analysis. The analysis could not establish whether any of this information was stolen from the computer. The infected computer was running a fully functional and up-to-date version of a top-10 commercial anti-virus product, which was incapable of detecting the infection.
The method of infection could also not be established. Activists targeted in April and May of 2012 received e-mails with attachments that contained FinSpy. However, the user of the infected computer inside the company did not recall receiving any suspicious e-mails. The user checked all of his or her online accounts, and did not find any suspicious links or e-mails around the date that the spyware was prepared for targeting. It is possible that an agent with physical or remote access to the computer installed FinSpy. Bahrain Watch understands that FinSpy can also be installed via an exploit injected into internet traffic using another Gamma product known as FinFly.
Bahrain Watch believes that there was no legal justification for the targeting of this company. “The infection of this company is consistent with a pattern of politically-motivated targeting, rather than legitimate criminal investigations,” said Bahrain Watch member Bill Marczak. “That the company is not even willing to identify itself as a victim speaks volumes about Bahrain’s political climate,” he added.
Bahrain Watch emphasizes that the Government is still using FinSpy, and advises netizens to be cautious. Ongoing state sponsored spying in Bahrain target entities and associates thereof that are perceived to express political opinions. These cyber attacks are not exclusive to pro-democracy activists — pro-government entities are targeted as well.
If you believe you have been targeted in an electronic attack by the Government of Bahrain, or any other GCC government, please contact bill@bahrainwatch.org. Scans conducted last month indicated that Bahrain and Qatar were actively using FinSpy. A server was detected on Batelco IP 77.69.181.162, and on an IP in Qatar, 78.100.57.165, part of a range of sixteen addresses registered to “QTel – Government Relations.” The range also contains the website http://qhotels.gov.qa/. A FinSpy server was also previously found in the UAE.
Contact: bill@bahrainwatch.org
Twitter: @bhwatch