Mapping FinFisher Users

Citizen Lab continues to do excellent work exposing the world's cyber-weapons arms manufacturers. Its latest report attempts to track users of Gamma International's FinFisher:

This post describes the results of Internet scanning we recently conducted to identify the users of FinFisher, a sophisticated and user-friendly spyware suite sold exclusively to governments. We devise a method for querying FinFisher's "anonymizing proxies" to unmask the true location of the spyware's master servers. Since the master servers are installed on the premises of FinFisher customers, tracing the servers allows us to identify which governments are likely using FinFisher. In some cases, we can trace the servers to specific entities inside a government by correlating our scan results with publicly available sources. Our results indicate 32 countries where at least one government entity is likely using the spyware suite, and we are further able to identify 10 entities by name. Despite the 2014 FinFisher breach, and subsequent disclosure of sensitive customer data, our scanning has detected more servers in more countries than ever before.

Here's the map of suspected FinFisher users, including some pretty reprehensible governments.

Two news articles.

Posted on October 16, 2015 at 2:33 PM • 16 Comments


rgaffOctober 16, 2015 3:23 PM

Oh god here we go again with the "this is legitimate military activity to break into every citizen's electronics" why isn't it ok for them to break into every citizen's house too, and call it "house weapons arms manufacturers"?

rgaffOctober 16, 2015 8:22 PM

@ BoppingAround

Indeed. Look up "ssl added and removed here :^)" and "I hunt sys admins" too...

So I guess since Bruce supports our own government breaking into its own citizens' electronics (I mean, he supports it by continually using the phrase "cyber-weapons arms" because hey, it's completely understandable behavior when we're AT WAR!) he must also support our government breaking into every citizens' house whenever it pleases too... Oh, you want a warrant? Sure, I wrote one of those once years ago, why would you ever need another?

(Of course he doesn't really believe that, I've just run out of arguments, and it doesn't seem a single soul anywhere in the universe agrees with me... so I resort to sarcasm and making fun)

GodelOctober 16, 2015 9:21 PM

What, no one in the US uses FinFisher products?

Also I'm sure I've read that an Australian state police force was a customer, but possibly not now.

qwerttyOctober 17, 2015 2:58 AM

Would it be foolish to assume most of the countries not shown on the map have enough money and ressources to develop their own spyware, and only use FinFisher for inspiration in their own designs?

aquatic sweatshirtOctober 17, 2015 6:07 AM

@ Godel & qwertty

I suspect it's a case of compartmentalization. We know that Belgium and Spain are capable of producing very sophisticated malware of their own, but whether or not they want their tax collectors or local policemen to be using them and potentially pissing on the parade of their national intelligence agencies, that's another story.

DanOctober 17, 2015 6:26 AM


Only if you're an unhinged paranoid. Most countries can't justify paying exorbitant license fees Gamma Int'l is charging if the return is middling (most countries have low internet and/or mass communication penetration). Those that can afford to buy the licenses but are not listed might have a competing product from another company (e.g. Hacking Team). There may be a few that would invest in home brewed products, but these are either the cheapskates like some banana republics with a few programmers, a little cash, and liters of Jolt; the paranoid who won't trust a third party product like Israel or Russia; or the wealthy like China and the USA.

jonesOctober 17, 2015 10:48 AM

Military strategist Steven Metz discussed some of the implications of this in "Which Army After Next?" published in Parameters, 1997:

A final plausible future security system is one where war is less an extension of politics than of business. Corporations, cartels, and states might use violence and coercion--whether traditional, physically destructive violence or new forms such as cyberviolence or psychological violence--to attain access to resources and markets or deny it to others. Organized violence itself may become a common commodity sold on contract. As states and their militaries prove less capable of meeting the security threats of the future, people, organizations, and businesses might look for other sources of security. More and more of the functions now performed by state militaries thus would be assumed by transnational security or mercenary firms or by the security divisions of transnational corporations.

In a security system where warfare was commercialized, many of the United States' core strategic concepts would be inapplicable. For instance, the US military could no longer count on the qualitative superiority that has served it so well since the end of World War II. Against high-tech mercenaries, corporate militaries, private armies hired by enemy states, or armed criminal cartels, the US military might have to switch to a Soviet-style strategy using numbers and mass to compensate for qualitative inferiority. The United States would also have to rethink its basic understanding of the rules of warfare when faced with issues like the appropriateness of declaring war, forming alliances, or signing treaties with non-state entities.

There will be no technical solution to the security problems created by pervasive networking. Dan Geer is right: the only safe route is to minimize the extent to which you allow these technologies into your life.

Realpolitik would say that under such circumstances, defense becomes irrelevant. What is relevant is either (1) offense or (2) getting out of the line of fire altogether. States that are investing in offense are being entirely rational and are likely to survive. Those of us who are backing out our remaining dependencies on digital goods and services are being entirely rational and are likely to survive. The masses who quickly depend on every new thing are effectively risk seeking, and even if they do not themselves know it, the States which own them know, which explains why every State now does to its own citizens what once States only did to officials in competing regimes.

Get real. You can't have iPhones and privacy. It won't happen.

albertOctober 17, 2015 11:21 AM

A list of "...pretty reprehensible governments...." would be a long one indeed.

Any country that can afford to be reprehensible, will become reprehensible, and in the shortest possible time.
. .. . .. _ _ _

Clive RobinsonOctober 17, 2015 12:01 PM

@ Jones,

The three options as given are,

1, Defence.
2, Offense.
3, Opt Out.

It's not a game of rock-paper-scissors. You don't have the option of "Opt-out" you won't be allowed it by those who perceive you as defenceless. It's a lesson history tells us applies from the bottom to the top, from playground bullies to kings and presidents, the belief is "might is right" and that the meek most certainly will not inherit the earth.

That is "Hawks attack Doves" and if there are no Hawks some Doves will evolve into Hawks.

Thus there is something missing from the given list.

Obviously as a static target to not be attacked two things must be in place, your defence as perceived by a Hawk must be a deterant and an easer to attack source of the same resources must be available.

That is on any given tree the low hanging fruit of the same ripeness get eaten first.

However if you are not a static target then the game is different, this is something companies and terrorists have that states do not. Freedom of movement allows Doves to avoid Hawks and it is one of the most important reasons why mankind has lasted as long as it has. The time of free movement to avoid a belligerent, is for individuals drawing to a close, we are heading back to a world of serfdom where you become "tied to the land" and thus just a vassal to a self appointed overlord. What history tells us about this is not at all pleasant.

Coyne TibbetsOctober 18, 2015 1:53 AM

Interesting list of countries. Seems like logical targets for Five Eyes...maybe FinFisher is a Trojan horse? Perhaps without the knowledge of Gamma International.

MikeAOctober 18, 2015 11:45 AM

Is it not at least possible that some countries not showing up are simply those that bought the upgrade to FinFisherPro?

MeOctober 19, 2015 10:51 AM

Noticed that US, Russia and China aren't on the list.

I assume that is because FinFisher is less effective than what these countries are already doing.

AlineOctober 20, 2015 4:36 PM

For instance, the US military could no longer count on the qualitative superiority that has served it so well since the end of World War II. Against high-tech mercenaries, corporate militaries, private armies hired by enemy states, or armed criminal cartels, the US military might have to switch to a Soviet-style strategy using numbers and mass to compensate for qualitative inferiority.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.