Spy Files: New WikiLeaks docs expose secretive, unruly surveillance industry
A trove of documents, outlining the activities of dozens of companies operating in the ever-expanding electronic snooping industry, were made available by the pro-transparency group on Wednesday.
‘Lawful interception’, mass monitoring, network recording,
signals and communication intelligence, and tactical interception
devices were among the services and products provided by a litany
of Western based firms, as outlined in hundreds of pages of
documents covering trade brochures, internal memos, and invoices.
"WikiLeaks' Spy Files #3 is part of our ongoing commitment to
shining a light on the secretive mass surveillance industry. This
publication doubles the WikiLeaks Spy Files database,” the
accompanying press release cites Julian Assange. “The
WikiLeaks Spy Files form a valuable resource for journalists and
citizens alike, detailing and explaining how secretive state
intelligence agencies are merging with the corporate world in
their bid to harvest all human electronic communication."
One 2011 document showed how companies such as UK-based Gamma Group, German-based Desoma and Swiss-based Dreamlab are working in concert to “create Telecommunications Intelligence Systems for different telecommunications networks to fulfill the customers’ needs” regarding “massive data interception and retention.”
In March, Gamma International, which is a subsidiary of Gamma group, made Reporters Without Borders 'Corporate Enemies of the Internet' list for 2013, which singled out five “digital mercenaries” who sell their surveillance technology to authoritarian regimes.
The firm’s FinFisher Suite (which includes Trojans to infect PCs, mobile phones, other consumer electronics and servers, as well as technical consulting), is considered to be one of the most sophisticated in the world. During the search of an Egyptian intelligence agency office in 2011, human rights activists found a contract proposal from Gamma International to sell FinFisher to Egypt.
Bill Marczak, a computer science doctoral candidate at the University of California, helped investigate the use of FinFisher spyware against activists and journalists in Bahrain in 2012, as well as in other states.
“We don’t have any sort of contracts, so that we could see financial dealings between companies and these governments. The only indications that we have as to where the spyware has been used are based on the research. In cases that we’ve seen the spyware has been targeted against activists and journalists in a particular country. We’ve been scanning the internet looking for this technology. So we found, as I said, spywares in Bahrain. We saw it being targeted against Bahraini journalists and activists last year. We’ve also found servers for the spyware in a number of other countries, such as Turkmenistan, Qatar, Ethiopia,” Marczak told RT.
RT was the only Russian broadcaster that collaborated with WikiLeaks in this investigation, which also brought into the spotlight other companies including Cobham, Amees, Digital Barriers, ETL group, UTIMACO, Telesoft Technologies and Trovicor.
Trovicor, incidentally, also features among Reporters Without
Borders “digital mercenaries.” The firm, whose monitoring
centers are capable of intercepting phone calls, text messages,
voice over IP calls (like Skype) and Internet traffic, has also
been accused by of helping Bahrain imprison and torture activists
While a smoking gun in the form of government contracts or invoices was not forthcoming, internal documents discovered by WikiLeaks do confirm that the firm’s dealings with autocratic states.
In a December 2010 correspondence between Nicolas Mayencourt, the CEO of Dreamlab Technologies AG, and Thomas Fischer from Gamma Group’s Germany-based branch Gamma International GmbH, a “quotation concerning the Monitoring system for iproxy (infection proxy)-project” is provided for an unspecified end customer in Oman.
One concern involved keeping the client [Oman] aware of any changes made to the proxy [intermediary] server infected with their software for the sake of culling information from select targets.
“During the integration tests in Oman in September 2010 the end customer figured out that not all of the components of the iproxy infrastructure are under their full control. It is, for example possible that changes of the Oman-network may occur without their knowledge. Thus, it might occur that ISPs [Internet service providers] may modify some of the current configuration. Therefore, the question arose whether it is possible to identify such a modification in the network setup by monitoring the whole iproxy infrastructure.
From this point of view, a request for an efficient and user-friendly monitoring of the iproxy infrastructure including all components of the systems was derived. This requirement is discussed and a proposal for solution is described in this offer.”
The infection process as was conducted on-site in Oman in 2010 can be conducted in two different variants, as described in a separate document, ‘System Manual Project O’, prepared for the Gulf client.
The first is described as a binary infection, whereby binaries (non-text computer files) are infected after being downloaded by the configured target.
“In order to do this, the software analyzes the data streams on the NDPs [network data processors] at both of the Internet exchanges (IX). As soon as a matching type of binary is downloaded, the infection mechanism is initiated, then it attaches loader and payload (trojan) to the binary.”
The second method is described as update infection, which “works by sending counterfeit server responses to predefined applications (for example iTunes, Winamp, OpenOffice and SimpleLite), when they are searching for updates.”
Data can be captured both through traditional public switch telephone networks (PSTN), mobile providers and internet protocol suites across a range of devices.
The user’s information, including his or her IP address, user name, [cell] phone number, the date time and identity of the person being communicated with, and the method or protocol (mail, WWW, Skype, chat, voice, fax, and SMS) are all up for grabs.
Upon being captured, the data is stored in a ‘Data Warehouse’ and “retrieved on command.”
Quotations for the project, enumerated in Swiss francs (CHF), are broken down in multiple categories:
Monitoring and alarming 83,355.00
Services provided by Dreamlab 34,400.00
Annual solution maintenance 24,000.00
Redundant monitoring implementation 57,955.00
Services provided by Dreamlab for redundancy 5,760.00
Annual solution maintenance for redundant system 12,000.00
Note: 1 CHF = 1.06720 USD
Although such software does have legitimate applications for law
enforcement, it can easily be used to stifle civil society, as
Marczak argues was the case in Bahrain.
Apart from journalists and activists, he noted that in the Malaysia and Ethiopia, members of the political opposition were apparently being targeted as well. One piece of FinFisher spyware discovered, for example, contained details relating to the upcoming Malaysian elections.
“You couldn’t say exactly who was targeted against, but the
use of election-related content suggests politically motivated
targeting. We also found a sample of this spyware that appeared
to be targeted at activists in Ethiopia. The spyware contained a
picture of Ethiopian opposition leaders that was displayed when
the user opened it. By opening the picture the user copied the
spyware,” he said.