Spy Files: New WikiLeaks docs expose secretive, unruly surveillance industry

Eugen Leitl eugen@leitl.org
Thu Sep 5 06:16:35 PDT 2013


http://rt.com/news/wikileaks-spy-files-release-402/

Spy Files: New WikiLeaks docs expose secretive, unruly surveillance industry

Published time: September 04, 2013 16:06 

Edited time: September 05, 2013 10:00 Get short URL

Screenshot from a leaked documentScreenshot from a leaked document

Tags

Central Asia, Information Technology, Intelligence, Internet, Middle East,
WikiLeaks

The growing surveillance industry complex is providing governments with
increasingly sophisticated spying software to track and control their
citizens, the latest documents obtained by the pro-transparency group,
WikiLeaks reveal.

A trove of documents, outlining the activities of dozens of companies
operating in the ever-expanding electronic snooping industry, were made
available by the pro-transparency group on Wednesday.

‘Lawful interception’, mass monitoring, network recording, signals and
communication intelligence, and tactical interception devices were among the
services and products provided by a litany of Western based firms, as
outlined in hundreds of pages of documents covering trade brochures, internal
memos, and invoices. 

"WikiLeaks' Spy Files #3 is part of our ongoing commitment to shining a light
on the secretive mass surveillance industry. This publication doubles the
WikiLeaks Spy Files database,” the accompanying press release cites Julian
Assange. “The WikiLeaks Spy Files form a valuable resource for journalists
and citizens alike, detailing and explaining how secretive state intelligence
agencies are merging with the corporate world in their bid to harvest all
human electronic communication." 

One 2011 document showed how companies such as UK-based Gamma Group,
German-based Desoma and Swiss-based Dreamlab are working in concert to
“create Telecommunications Intelligence Systems for different
telecommunications networks to fulfill the customers’ needs” regarding
“massive data interception and retention.”

In March, Gamma International, which is a subsidiary of Gamma group, made
Reporters Without Borders 'Corporate Enemies of the Internet' list for 2013,
which singled out five “digital mercenaries” who sell their surveillance
technology to authoritarian regimes.

The firm’s FinFisher Suite (which includes Trojans to infect PCs, mobile
phones, other consumer electronics and servers, as well as technical
consulting), is considered to be one of the most sophisticated in the world.
During the search of an Egyptian intelligence agency office in 2011, human
rights activists found a contract proposal from Gamma International to sell
FinFisher to Egypt.

Bill Marczak, a computer science doctoral candidate at the University of
California, helped investigate the use of FinFisher spyware against activists
and journalists in Bahrain in 2012, as well as in other states.

“We don’t have any sort of contracts, so that we could see financial dealings
between companies and these governments. The only indications that we have as
to where the spyware has been used are based on the research. In cases that
we’ve seen the spyware has been targeted against activists and journalists in
a particular country. We’ve been scanning the internet looking for this
technology. So we found, as I said, spywares in Bahrain. We saw it being
targeted against Bahraini journalists and activists last year. We’ve also
found servers for the spyware in a number of other countries, such as
Turkmenistan, Qatar, Ethiopia,” Marczak told RT.

RT was the only Russian broadcaster that collaborated with WikiLeaks in this
investigation, which also brought into the spotlight other companies
including Cobham, Amees, Digital Barriers, ETL group, UTIMACO, Telesoft
Technologies and Trovicor.

Trovicor, incidentally, also features among Reporters Without Borders
“digital mercenaries.” The firm, whose monitoring centers are capable of
intercepting phone calls, text messages, voice over IP calls (like Skype) and
Internet traffic, has also been accused by of helping Bahrain imprison and
torture activists and journalists.   

Screenshot from a leaked documentScreenshot from a leaked document

While a smoking gun in the form of government contracts or invoices was not
forthcoming, internal documents discovered by WikiLeaks do confirm that the
firm’s dealings with autocratic states.

In a December 2010 correspondence between Nicolas Mayencourt, the CEO of
Dreamlab Technologies AG, and Thomas Fischer from Gamma Group’s Germany-based
branch Gamma International GmbH, a “quotation concerning the Monitoring
system for iproxy (infection proxy)-project” is provided for an unspecified
end customer in Oman.

One concern involved keeping the client [Oman] aware of any changes made to
the proxy [intermediary] server infected with their software for the sake of
culling information from select targets.

“During the integration tests in Oman in September 2010 the end customer
figured out that not all of the components of the iproxy infrastructure are
under their  full control. It is, for example possible that changes of the
Oman-network may occur without their knowledge. Thus, it might occur that
ISPs [Internet service providers] may modify some of the current
configuration. Therefore, the question arose whether it is possible to
identify such a modification in the network setup by monitoring the whole
iproxy infrastructure.

>From this point of view, a request for an efficient and user-friendly
monitoring of the iproxy infrastructure including all components of the
systems was derived. This requirement is discussed and a proposal for
solution is described in this offer.”

The infection process as was conducted on-site in Oman in 2010 can be
conducted in two different variants, as described in a separate document,
‘System Manual Project O’, prepared for the Gulf client.

The first is described as a binary infection, whereby binaries (non-text
computer files) are infected after being downloaded by the configured target.

“In order to do this, the software analyzes the data streams on the NDPs
[network data processors] at both of the Internet exchanges (IX). As soon as
a matching type of binary is downloaded, the infection mechanism is
initiated, then it attaches loader and payload (trojan) to the binary.”

Screenshot from a leaked documentScreenshot from a leaked document

The second method is described as update infection, which “works by sending
counterfeit server responses to predefined applications (for example iTunes,
Winamp, OpenOffice and SimpleLite), when they are searching for updates.”

Data can be captured both through traditional public switch telephone
networks (PSTN), mobile providers and internet protocol suites across a range
of devices.

The user’s information, including his or her IP address, user name, [cell]
phone number, the date time and identity of the person being communicated
with, and the method or protocol (mail, WWW, Skype, chat, voice, fax, and
SMS) are all up for grabs.

Upon being captured, the data is stored in a ‘Data Warehouse’ and “retrieved
on command.”

Quotations for the project, enumerated in Swiss francs (CHF), are broken down
in multiple categories:

Monitoring and alarming 83,355.00 

Services provided by Dreamlab 34,400.00 

Training 5,400.00 

Annual solution maintenance 24,000.00 

Redundant monitoring implementation 57,955.00 

Services provided by Dreamlab for redundancy 5,760.00 

Annual solution maintenance for redundant system 12,000.00 

Note: 1 CHF = 1.06720 USD

Although such software does have legitimate applications for law enforcement,
it can easily be used to stifle civil society, as Marczak argues was the case
in Bahrain. 

Apart from journalists and activists, he noted that in the Malaysia and
Ethiopia, members of the political opposition were apparently being targeted
as well. One piece of FinFisher spyware discovered, for example, contained
details relating to the upcoming Malaysian elections.

“You couldn’t say exactly who was targeted against, but the use of
election-related content suggests politically motivated targeting. We also
found a sample of this spyware that appeared to be targeted at activists in
Ethiopia. The spyware contained a picture of Ethiopian opposition leaders
that was displayed when the user opened it. By opening the picture the user
copied the spyware,” he said. 



More information about the cypherpunks mailing list