
Leaked Documents Show Spyware Used to Snoop on US Computers

Software created by the controversial U.K.-based Gamma Group International was used to spy on computers that appear to be located in the United States.


Software created by the controversial U.K.-based Gamma Group International was used to spy on computers that appear to be located in the United States, the U.K., Germany, Russia, Iran and Bahrain, according to a leaked trove of documents analyzed by ProPublica.

It’s not clear whether the surveillance was conducted by governments or private entities. Customer email addresses in the collection appeared to belong to a German surveillance company, an independent consultant in Dubai, the Bosnian and Hungarian intelligence services, a Dutch law enforcement officer and the Qatari government.

The leaked files — which were posted online by hackers — are the latest in a series of revelations about how state actors including repressive regimes have used Gamma’s software to spy on dissidents, journalists and activist groups.

The documents, leaked last Saturday, could not be readily verified, but experts told ProPublica they believed them to be genuine. “I think it’s highly unlikely that it’s a fake,” said Morgan Marquis-Boire, a security researcher who, while at The Citizen Lab at the University of Toronto, had analyzed Gamma Group’s software and who authored an article about the leak on Thursday.

The documents confirm many details that have already been reported about Gamma, such as that its tools were used to spy on Bahraini activists. Some documents in the trove contain metadata tied to e-mail addresses of several Gamma employees. Bill Marczak, another Gamma Group expert at the Citizen Lab, said that several dates in the documents correspond to publicly known events — such as the day that a particular Bahraini activist was hacked.

Gamma has not commented publicly on the authenticity of the documents. A phone number listed on a Gamma Group website was disconnected. Gamma Group did not respond to email requests for comment.

The leaked files contain more than 40 gigabytes of confidential technical material, including software code, internal memos, strategy reports and user guides on how to use Gamma Group’s software suite, called FinFisher. FinFisher enables customers to monitor secure web traffic, Skype calls, webcams, and personal files. It is installed as malware on targets’ computers and cell phones.

A price list included in the trove lists a license of the software at almost $4 million.

The documents reveal that Gamma uses technology from a French company called Vupen Security that sells so-called computer ‘exploits.’

Exploits include techniques called “zero days,” for “popular software like Microsoft Office, Internet Explorer, Adobe Acrobat Reader, and many more.” Zero days are exploits that have not yet been detected by the software maker and therefore are not blocked.

Vupen has said publicly that it only sells its exploits to governments, but Gamma may have no such scruples. “Gamma is an independent company that is not bound to any country, governmental organisation, etc.,” says one file in the Gamma Group’s material. At least one Gamma customer listed in the materials is a private security company.

Vupen didn’t respond to a request for comment.

Many of Gamma’s product brochures have previously been published by the Wall Street Journal and Wikileaks, but the latest trove shows how the products are getting more sophisticated.

In one document, engineers at Gamma tested a product called FinSpy, which inserts malware onto a user’s machine, and found that it could not be blocked by most antivirus software.

Documents also reveal that Gamma had been working to bypass encryption tools, including a mobile phone encryption app, Silent Circle, and was able to bypass the protection given by the hard-drive encryption products TrueCrypt and Microsoft’s BitLocker.

Mike Janke, the CEO of Silent Circle, said in an email, “We have serious doubts about if they were going to be successful” in circumventing the phone software, and that Silent Circle was working on bulletproofing its app.

Microsoft did not respond to a request for comment.

The documents also describe a “country-wide” surveillance product called FinFly ISP which promises customers the ability to intercept internet traffic and masquerade as ordinary websites in order to install malware on a target’s computer.

The most recent date-stamp found in the documents is August 2nd, which coincides with the first tweet by a parody Twitter account, @GammaGroupPR, which first announced the hack, and may be run by the hacker or hackers responsible for the leak.

On Reddit, a user called PhineasFisher claimed responsibility for the leak. “Two years ago their software was found being widely used by governments in the middle east, especially Bahrain, to hack and spy on the computers and phones of journalists and dissidents,” the user wrote. The name on the @GammaGroupPR Twitter account is also “Phineas Fisher.”

Gamma Group, the surveillance company whose documents were released, is no stranger to the spotlight. The security firm F-Secure first reported the purchase of FinFisher software by the Egyptian State Security agency in 2011. In 2012, Bloomberg News and The Citizen Lab showed how the company’s malware was used to target activists in Bahrain.

In 2013, the software company Mozilla sent a cease-and-desist letter to the company after a report by The Citizen Lab showed that a spyware-infected version of the Firefox browser manufactured by Gamma was being used to spy on Malaysian activists.

Countries With Computers Targeted by FinFisher
Bahrain
Belgium
Cyprus
Egypt
Germany
Iraq
Islamic Republic of Iran
Italy
Kuwait
Lebanon
Lithuania
Morocco
Netherlands
Qatar
Russian Federation
Saudi Arabia
Sweden
Switzerland
Thailand
Tunisia
United Arab Emirates
United Kingdom
United States
Yemen

Senior reporter Julia Angwin and Jonathan Stray, special to ProPublica, contributed to this report.
