At least 77 computers hacked between 2010 and 2012
New evidence has emerged suggesting that the Bahraini government infected the computers of some of the country’s most prominent lawyers, activists and politicians with the malicious FinFisher spy software (also known as FinSpy). The infections would have enabled the government to steal passwords and files, and spy through an infected computer's webcam and microphone. The list of 77 computers infected by Bahraini authorities was part of a massive leak of data this week, purportedly hacked from the servers of the UK-German surveillance software company Gamma International -- the makers of FinFisher.
The new data seems to directly contradict earlier claims by Gamma that it does not do business with Bahrain and that its software is used primarily to target criminals and terrorists. Bahrain Watch said the information added to the growing body of evidence suggesting that Gamma may have have violated UK export laws on surveillance technology, and called on Her Majesty’s Revenue and Customs (HMRC) to renew criminal investigations into the company in light of the new evidence.
The leaked data shows that Gamma’s support staff were communicating with a customer in Bahrain from 2010 to 2012, and had sold the customer licenses to spy on at least 30 computers simultaneously (see Figure 9). Given that Gamma has repeatedly stated that it “only supplies the FinFisher product range to government organisations and law enforcement agencies”, the Bahraini customer must have been a government body.
Prominent among the list of apparent targets that Bahrain Watch was able to identify were:
Bahrain Watch examined the list of 77 computers infected with FinFisher, and attempted to identify their intended human targets based on the associated usernames and IP addresses. In some cases we directly contacted suspected targets to verify the information. Below are details of some of those individuals:
It appears that up to a dozen high-profile defence lawyers were infected with FinFisher during the period covered in the list.
Mohammed Altajer is a prominent human rights lawyer who regularly defends the cases of political and human rights activists. Altajer told Bahrain Watch that on 24 January 2011, prior to the start of February 2011 uprising, a CD appeared in his office along with a threat demanding that he stop his human rights work. When Altajer inserted the CD into his computer he found that it contained a private video of him and his wife, apparently recorded from a hidden camera in his beach house. The CD later disappeared from his office.
Altajer ignored the threats, and continued his human rights work. He was arrested in April 2011, and the videotape was ultimately leaked in May 2012. Altajer’s computer, named ALTAGER-PC, appears in the list of targets and was infected on the same day that he received the CD attempting to blackmail him. This leads Bahrain Watch to believe that the spyware was on the CD, and that Bahrain government was directly behind the blackmail and intimidation campaign against Altajer.
When Altajer was arrested in April 2011, the lawfirm of Hassan Radhi & Associates took over some of Altajer’s cases. Nine computers in the firm were infected on 30 April 2011, in an operation called “Sp-S.HR2.30411.” The targeted lawyers appear to include two partners: Mohsin Al-Alawi, and Fatima AlAli, a legal advisor, Al Sayed Jaffer Mohammed, lawyers Mahmood Aloraibi and Hanan Taqi, and at least five other computers that were part of the same operation and shared the same IP address.
We also suspect that a computer named JALILA-PC which was infected in operation “Sp-law1-16411” on 16 April 2011 may have been owned by lawyer and democratic activist Jalila Alsayed based on the operation and computer names. Alsayed worked closely with Altajer on several high-profile cases defending protesters and activists.
Hassan Mushaima, one of the Bahrain 13 group of imprisoned opposition leaders, and the head of the now-banned ‘Haq Movement’, was infected on 14 November 2010 in an attack on his computer named HASANMUSHAIM. He is currently serving life in prison. An individual with the username Nader was also infected in the same operation.
In an operation a week earlier on 8 November 2010, a computer named EBRAHIM-SONYPC was infected. We suspect that this computer belonged to Ebrahim Sharif, another prominent opposition leader who heads the liberal Waad party, based on the fact that he was using a Sony Vaio computer at the time. He is currently serving a 5 year prison sentence.
Bahrain Independent Commission of Inquiry (BICI) investigators were present in Bahrain from 4 July to 23 November of 2011. In this period, the Government conducted several FinFisher operations, apparently resulting in the infection of Al Wefaq -- the country’s largest opposition party. One operation on 14 September was called “Sp-14911-WFQ,” and infected a computer named ALWEFAQ-1E731B6.
Two months later, a computer named HADIMOSAWI-PC was infected. We believe that this computer is owned by Sayed Hadi Almosawi, the head of Al Wefaq’s Liberties and Human Rights Department. During this period, Al Wefaq was preparing its BICI submission on human rights violations. In the same operation, a computer with the username halmahfoodh was infected, which we believe was operated by Hussain Al-Mahfoodh, the son of Shaikh Mohammed Ali Al-Mahfoodh who heads the opposition Amal Society. The Government dissolved Amal Society in June 2012, a year after arresting most of its leaders.
Several British/Bahraini activists were spied on whilst in the United Kingdom. These include columnist and opposition activist, Saeed Shehabi of the Bahrain Freedom Movement, who was apparently infected on 6 September 2011. The Abrar Islamic Foundation, of which he is a trustee, was infected on January 17, 2011, and June 20, 2011. Other UK activists infected include photographer Moosa Abdali, and activist Qassim Al Hashemi.
On 6 September 2011, a computer with the username fars and a London IP address was infected in an operation called “Sp-060911-FNews”, which seems to have been targeting Iran’s semi-official Fars News Agency.
The list of infections was found in a logfile attached to a customer support message sent to Gamma in February 2012 by the customer in Bahrain. (See Figure 6) The list contained the names of 77 infected computers, along with their usernames, IP addresses, times of infection and operating systems. The attacks in the list covered a period between November 2010 and February 2012 and targeted computers of users not only in Bahrain, but also in the United Kingdom and seven other countries.
In an earlier message dated November 2011, the Bahraini customer stated that they had purchased 30 “target licences”, for the spyware, which would allow simultaneous monitoring of 30 computers (see Figure 9). In another message sent in February 2012 the Bahraini client complains that anti-virus software detected the spyware, when deployed on a website. (See Figure 4 for screenshot).
“This latest revelation provides strong evidence that not only has Gamma been misleading in its claim of not supplying the Bahraini government, but it did so possessing evidence that its software was being used primarily to target political dissidents, lawyers and journalists,” said Bahrain Watch’s Bill Marczak.
“We call on governments in Europe to ensure they introduce adequate regulation and enforcement mechanisms to end the export of surveillance technology to repressive states.”
In 2012, the University of Toronto’s Citizen Lab identified the first copies of FinFisher in emails sent to Bahrain Watch member Ala’a Shehabi and two other Bahraini activists based in Washington DC and London. In February 2013, Bahrain Watch along with four other international human rights groups filed a complaint against Gamma with the Organisation for Economic Co-operation and Development (OECD) for breaching its guidelines on human rights by exporting its software to the Bahraini government. Separately, human rights groupPrivacy International urged the UK’s customs department to investigate Gamma for the potentially illegal export of spyware to Bahrain, and earlier this year the UK’s High Court slammed the government for hiding details on the matter.
Gamma International has always denied selling spyware to Bahrain, claiming that the Kingdom could have been using a stolen demo version of the software. Similarly, the Bahraini government has also issued denials on multiple occasions of targeting activists with spyware. In July 2012, a Government spokesperson told Bloomberg that Bahrain has no policy of targeting political activists with spyware. Dismayed by Bloomberg’s reporting, another government official, Fahad Albinali responded, "Although I am sure this may be a titillating story for your readers, your credibility is at stake. Bloomberg is a respected and reputable news agency, but these laurels appear to be diminishing as an enticing headline appears to preside over the facts."
This was followed in May 2013 by a rejoinder from the government’s Information Affairs Authority to an article in the Guardian stating that “it is unjustifiable to use the Government as a scapegoat for any violation a citizen may encounter.”In July 2013, Bahrain Watch released a report showing how Bahraini authorities used fake Twitter accounts to track down and arrest at least eleven anonymous Twitter users for allegedly posting tweets insulting King Hamad. In 2011, Bloomberg had reported that German company Trovicor GmbH was selling spy gear to Bahraini authorities which may have lead to the arrest and torture of political activists.
Below are some examples of messages apparently sent by Gamma’s Bahraini client to its customer support service found in the new Gamma data leak.
Date: 2011-10-02 09:38:56 Subject: FIN USB NOT INFECTING WE HAVE PROBLEM WITH OUR FIN USB SYSTEM IS NOT WORKING WITH ALL VERSIONS
Date: 2012-02-28 07:40:00 Subject: MAC Trojan Mac trojan that is created with finspy it is not working, attached is the massege box that comes when we are trying to infect the MAC book
Date: 2011-02-19 10:16:59 Subject: Removed infaction
1-We have a Problem with some targets that it been deleted by it self with out remove the infection from the target it goes to archive by it self. 2-For infection with MBR : we infect a test PC from our side and we format the PC normally after when we chick it it loses it infection when we told from your people that MBR infection that survive from the formatting
Date: 2012-02-20 06:33:20 Subject: Trojen detected by AntiVirus
When using FinFly Web V2.0 Static Module the antivirus detects the trojen and it can be seen clearly by a popup.
Please find the attached screen shot of what is dispalyed on the screen.
When Using iFrame module:
1- some webistes doesnt open in Background e.g. Youtube, Facebook, twitter. 2- the trojen popup comes behind the Youtube video in the self created website and in some websites the trojen does not appear at all. Kinldy reveiw and revert back on this issues.
Date: 2011-11-02 07:44:08 Subject: USB Infection Generation ERROR
referring to our discussion with Mr. Holger, here we can explain more our issue related to the USB infection:
when we select to do a direct USB infection, we have tick options to be selected as following:
1- Master Boot record of HD 2- Vista Windows 7 user mood infection 3- Active hidding on target.
we do tick all the options above, to secure all the chances not to lose the target. we reach to know that once we select the first option ,which is very important to us, we get immediately an error with a title: Generation infection faild.
Please note that if i disable the first option, the ganeration can be easily done. but we totally need the first option to be active while the generation. so please kindly let us know the solution as this is a priority.
we had informed Mr. Holger about it. and he got a copy of the error. and i am attaching-uplaoding- the same picture of the error for your kind information
Date: 2012-02-21 06:38:46 Subject: Finspy Master Login Error
Since yesterday we are facing problem to login. We get the the following error
error is connection to the master terminated unexpectedly. you will need to reconnect inorder to continue
We are copying all the Finspy Master the system logs for your reference. Kinldy look into this issue ASAP so that we can resume our work
Date: 2011-10-20 07:30:57 Subject: Losing targets
After infecting a targets the targets works for few days only than he never comes online and we have to infect him agin, we notice that he is useing the same comuter and same IP address. Plese contact us as soon as possible
Date: 2011-12-08 15:29:09 Subject: Critical issues in the system
Dears,Please note that we are facing a critical issue in the system, where we are not benefiting any more from this system. Please see below problems:we have more than 2 targets where they are physically connected online, but we are not getting any record accordingly. To be more in details: the target license is showing effectively downloading the full activity log, but it fails to transfer it or send it to the Master.even though, when we switch ON the mic of any target, we reach to know that he is active and talking BUT, no record has been transferred to us like before. I hope I am clear in the above points. Please remember with me the previous issue which occurred with the full system because of the last update sent to us, then the rectify of the issue which was sent to us by your technical team. We started experiencing the above issues specially after this incident. Please investigate urgently and let us know the solution. As we are in a big lose of data now Other problem is we are geting some time errors
Date: 2011-11-02 07:22:23 Subject: referring to Tracking ID AAFC76C1
referring to the last Tracking ID: AAFC76C1, we are explaining here more about the same issue in which to make the picture more clear:
since we have 30 target licenses, we are now using them all in which we have already 30 targets. we would like to inform you that once i infect any target PC, and once i got a confirmation in the system as the target is ONLINE, that means we caught the fish. But, unfortunately, that if the target went OFFLINE, he will stay OFFLINE in the system, even if he uses his PC or Laptop. even we have a confirmation that the target uses his PC, but unfortunately that the system didnt show the second and next use of his PC.
therefore, we request kindly, to find a solution as below:
1- modify the system to clearly show that the target had been disabled or not any more infected. 2- we 100 percent aware that we didnt enable self removal. 3- we 100 percent aware that the infection has not been removed by the agent 4- we have a confirmation that the targets which we lose are not formatting their PC every day. 5- we believe the only possible option is the antivirus on the target PC is always detecting the infection and simply the target is deleting the infection. so, accordingly, i believe that we took this system since it easily infect with out the knowledge of any antivirus. and since technology is developing, we still cooperate to inform you if the anti virus is detecting the infection. please let us know what to do in this case, as this issue keeps going on and we are losing targets daily with out our knowledge. and we are sure that we didnt do the removal. and we cant stay bugging and infecting the target every time since it is very sensitive. and we dont want the target to reach to know that someone is infecting his PC or spying on him.