Bahraini Activists Hacked by Their Government Go After UK Spyware Maker



Mohammad “Moosa” Abd-Ali Ali is now a photographer and cameraman working in the UK. courtesy Moosa



Mohammad “Moosa” Abd-Ali Ali sensed something was wrong when he looked down at the Facebook history on his phone. It was in 2011, during the time of the Arab Spring, and the app showed that he’d exchanged a series of messages with a friend. The messages asked his friend where she was, what the location and time of a planned meeting with a group of their friends was, and who would be at the meeting.


Ali never sent those messages, though his friend did not know this. Quickly, he sent her an email letting her know he wasn’t the correspondent, but as soon as he got to a computer to log into his Facebook account, the phantom messages sent to his friend were gone.


Ali had been a human rights activist in Bahrain, where he was arrested multiple times—first when he was 14 years old. After being tortured in detention, he was granted asylum by Great Britain in 2006 and has continued his activism there.


Not long after the phantom Facebook messages, Ali discovered spyware on his computer—a powerful government surveillance tool called FinFisher made by the UK firm Gamma International. Human rights groups and technologists have long criticized Gamma International and the Italian firm Hacking Team for selling surveillance technology to repressive regimes, who use the tools to target political dissidents and human rights activists. Both companies say they sell their surveillance software only to law enforcement and intelligence agencies but that they won’t sell their software to every government. Gamma has, in fact, denied selling its tool to Bahrain, which has a long history of imprisoning and torturing political dissidents and human rights activists.




Today UK privacy and civil liberties group Privacy International sent a criminal complaint against Gamma to the National Cyber Crime Unit of the National Crime Agency. The complaint alleges that Gamma was criminally complicit in helping the Bahrain government spy on Ali and at least two other Bahraini pro-democracy activists, Jaafar Al Hasabi and Saeed Al-Shehabi, who have been living in asylum in Great Britain after being imprisoned and tortured in Bahrain.


“For too long companies like [Gamma] have been able to shield themselves behind a state like Bahrain and throw their hands up in the air and say ‘It wasn’t us, it was Bahrain that perpetrated these abuses,’” says Adriana Edmeades, legal officer for Privacy International. “But these companies are making blood money off the fact that they are selling pernicious technology that has extraordinary capabilities to states they know are repressive, human-rights-abusing states. They can’t put that kind of technological capacity in the hands of these states and then … act surprised when states like Bahrain then go after individuals like Moosa, Saeed, and Jaafar and perpetrate the kind of extraterritorial repression that they’re doing here in the UK.”


The group is seeking a formal investigation into Gamma International’s role in facilitating the surveillance. They allege that Gamma sold the spyware to the Bahraini government and provided ongoing technical support with knowledge that the government was using the tool to spy on dissidents in England.


The evidence? Internal logs and documents leaked to WikiLeaks and published two months ago, which show discussions between Bahraini officials and tech support workers for Gamma International over problems officials were having with the software. They complained they were “losing targets daily” as a result of glitches with the spy tool and provided Gamma with a list of 13 computers they were targeting, all of which were based in the UK. Although the names of the victims were not directly identified, their IP addresses, user names, and unique computer names were all on the target list shared with Gamma.


According to Privacy International, the hacking involved unlawful interception of communications under the UK’s Regulation of Investigatory Powers Act 2000, or RIPA, and Gamma was not only aware of the surveillance but actively assisted it. By selling and assisting Bahraini authorities in their surveillance, the complaint asserts, Gamma is liable as an accessory under the Accessories and Abettors Act 1861 and is also guilty of encouraging and assisting the unlawful activity, a crime under the Serious Crime Act 2007.


“Without the technical support that Gamma provides,” the complaint notes, “it is clear that purchasers of their technology, such as the Bahraini authorities, would not be able to use it effectively, and that customers rely on establishing a close working relationship with Gamma technicians and advisers to resolve technical issues and enhance their surveillance capabilities. That the Bahraini authorities were comfortable disclosing vast amounts of data regarding their surveillance operations to Gamma speaks to the closeness of the working relationship between Gamma and its client, Bahrain.”




It’s not the first complaint of this type filed in the UK. Last February, Privacy International and legal partners filed another criminal complaint against Gamma over the targeting of Tadesse Kersmo, an Ethiopian refugee whose computer had been infected with the FinFisher spyware. Eight months later, UK authorities have still not responded to that complaint.


The only evidence that Kersmo had been hacked were traces of the FinFisher tool on his computer. In the case of the three Bahraini activists, however, the surveillance log and other documents leaked from Gamma International provide more extensive evidence of the surveillance by the Bahraini government and their coordination with Gamma to conduct the spying.


“That data is quite extraordinary,” says Edmeades. “It includes the name of the surveillance operation that [they] were being targeted under. It includes their computer names. This is a significant amount of material which demonstrates that the Bahrainis were going after Moosa, Jaafar, Saeed, and others.”


The program they used, FinFisher, hides itself on a system and gives operators full remote control of the system, allowing them to steal documents and email and to monitor web surfing and chat sessions. It can also monitor Skype conversations in real time or turn on the camera to take pictures of the people and environment around the computer or enable the microphone to record conversations. The spy tool also allows operators to identify the geographical location of infected targets; the operator control panel in fact displays a flag next to each target’s name to indicate the location of their computers. Customers who buy FinFisher receive extensive training, including techniques for effectively profiling targets.


Although Gamma doesn’t identify its customers, researchers at the Citizen Lab, based at the University of Toronto’s Munk School of Global Affairs, have located command and control servers, set up to communicate with FinFisher, in 35 countries, among them Bahrain, Ethiopia, Turkmenistan, and Malaysia.


The spying on Bahraini activists in London was uncovered in 2012, when Citizen Lab revealed that a number of Bahraini pro-democracy activists in London had received malicious emails designed to install spyware on their machines. Citizen Lab researchers determined that the malware used appeared to be FinSpy, a FinFisher component. In response to the news, Gamma denied that it had sold FinFisher to Bahrain. But in August of this year, the documents provided to WikiLeaks appeared to belie that assertion.


The WikiLeaks evidence seems to indicate that Bahraini authorities were using FinFisher as early as 2010, as well as throughout the Arab Spring and Bahraini Uprisings in 2011, into 2012.


The three activists identified in the complaint against Gamma had operating systems and computers with unique names that showed up in the logs leaked to WikiLeaks, making it possible to identify them as the victims. Al Hasabi had helped his colleague, Al Shehabi, set up his computer and the WikiLeaks documents show that his name showed up in the name of the operating system on his friend’s computer. Their names also showed up in the network identifier of their machines.


Although Privacy International’s Edmeades acknowledges that it’s possible the logs and documents were fabricated, she says “it seems highly unlikely that someone would have gone to the trouble of fabricating that kind of information. It’s not just a whole lot of data that doesn’t correlate. It does in fact correlate with their computers.”




The documents show that Ali’s computer was infected for the first time in June 2011, when he was already living in asylum in the UK.


2011 was also the year Al Hasabi had two computers infected, in January and June. Al Hasabi lives in London with his wife and five children, after fleeing Bahrain in 1995. He left after he was imprisoned and tortured for three days. Al Hasabi and others were targeted in part over a newsletter they produced that was critical of the Bahraini regime and its human rights violations. During a visit back to Bahrain in 2010 to see his mother, Al Hasabi was arrested and detained again, this time for six months, during which he was severely tortured. He was only released after political pressure was placed on the Bahraini regime during the Arab Spring. Authorities told him during his last imprisonment that they had been watching him in the UK for five years. He had no idea how the surveillance was conducted until FinFisher was found on his computer.


Al Shehabi’s computer was also infected in June 2011. He helped establish the Bahrain Freedom Movement in the 1980s and helped found an opposition party in Bahrain in 2001. He has been living in the UK, but was tried and sentenced to life in prison in Bahrain in absentia.


Although Privacy International hasn’t ruled out the possibility of going after Bahraini officials for targeting activists on UK soil, there are difficulties seeking this route, due to sovereign immunity rules. Edmeades says that if human rights groups can make a link between data collected through FinFisher and the torture of activists, it may be easier to go after Bahraini authorities as well. In the meantime, their focus is on Gamma.


The fact that Bahraini authorities sought technical assistance in relation to targets in the UK “demonstrated to Gamma’s officers that the interception, in England, of targets’ communications was likely (let alone ‘possibly’) occurring,” the group notes in its complaint. “Accordingly, Gamma knew that there was a real possibility that the tools it had consciously provided to the Bahraini authorities were being used for unlawful interception within the UK.”


