Introduction

On August 3rd, a hacker was able to obtain 40 GB of data from Gamma Group. Gamma Group is the producer of the notorious FinFisher malware that allows attackers to take over a target’s computer, allowing the attacker access to the entire system, including turning on the webcam and microphone to spy on more than just the files present.

Gamma Group has sold this software to various regimes around the world, evidence of which is abundant, yet have always denied doing so. The data obtained from the hack again proves that they are in business with regimes, one of which is Bahrain and the focus of this article.

We have looked extensively at certain log files submitted for support. These logfiles, contained in A169FE42.rar, seem to come from a FinSpy Master server used to control surveillance targets. The prominence of Bahraini IP addresses, user names and system names relate-able to Bahraini activists, lawyers and business men seems to indicate the installation was operated by the Bahraini government. They are dated Mon Feb 20 2012.

 

What’s in a name?

Initial parsing of the logfiles resulted in a list of usernames and system names, some of which were more obvious than others. For example, for usernames such as ‘Saeed Shehabi’ or system names like ‘HASANMUSHAIM’ the likely surveillance targets would be Saeed Shehabi and Hasan Mushaima, well-known Bahraini activists. After finding these and other, similar results, the Internet Protection Lab reached out to its contacts working in Bahrain to get their thoughts on the uncovered names.

Bahrain Watch, an independent research and advocacy organization that seeks to promote effective, transparent and accountable governance in Bahrain, had simultaneously been conducting research of their own. Their findings match ours and due to their organization’s connections in Bahrain were able to verify and identify specific people much quicker than we could.

Prominent among the list of apparent targets that Bahrain Watch was able to identify were:

  • Hasan Mushaima, an opposition leader currently serving a life sentence in Bahrain, regarded as a prisoner of conscience by Amnesty International
  • Mohammed Altajer, a leading human rights lawyer who was himself arrested for over 3 months in the crackdown following the 2011 uprising
  • Hadi Almosawi, head of Al Wefaq’s human rights department, and a former parliamentarian.
  • Saeed Shehabi, a London-based columnist and political activist who heads the Bahrain Freedom Movement, and was sentenced in absentia to life imprisonment in June 2011 by a military court.

Instead of re-publishing our similar results, we link to their extensive reporting which can be found here and move on to findings not yet reported.

 

Financial Espionage

Besides the more well-known activists, lawyers and human rights defenders we also noticed a system called ‘ROMELTABAJA’. Although it is hard to draw definitive conclusions from system names alone, we feel that this system might indicate Romel Tabaja, Deputy CEO of Trust Re, a closed joint stock company registered in the Kingdom of Bahrain with a paid up capital of US$ 140,000,000.

By digging deeper into the IP addresses that were found in the logs, we could see target connections had been made from Cyprus, one of which came from firewall.nestco.org. The website belongs to Nest Investments (Holdings) Ltd. From their website:

Nest Investments (Holdings) Limited is the ultimate shareholding company of all the business assets of the Group. This includes substantial or majority shareholding interests in excess of $1.2 billion in many Direct Insurance, Re-insurance, Licensed Operations such as World Trade Center, Property Development, Asset Management, and Building Materials Manufacture in 23 countries in North America, Europe, Africa, the Middle East / Gulf Region, the Far East and Australia.

Among their group companies? Trust Re in Bahrain, of which Romel Tabaja is the deputy CEO. This seems to indicate that Bahrain is not solely using FinFisher to spy on activists and human rights defenders but also on those who do business within their country. We have tried to contact Mr Tabaja regarding our findings but without response.

 

Addresses

The log files contain 2489 unique IP addresses that the FinSpy master server tries to map to a geographical location when it initializes. We assume these IP addresses have been previously recorded by the system when infected machines ‘phoned home’ to the FinSpy master server. We’ve processed these geo location lookups and aggregated the unique ip addresses per country, which results in the following map:


By clicking on a specific country you can see the total amount of unique IP addresses for that country present in the logfiles.

Please note: the countries on the map are countries from which connections have been made to this specific FinFisher master server we believe to belong to Bahrain, it does not mean that these countries have purchased or operate FinFisher themselves (nor does it mean they haven’t).

Below is a list of countries and the total number of unique IP addresses per country. By clicking on the country, you can view the list of IP addresses from that country and their host name if available. We’ve provided these lists so that those who fear they have been a target or fear they are currently a target can see if IP addresses they use or used are present in these lists.

Finding your IP address in this list does not necessarily mean you have been infected: the data is from 2012 and a lot of the IP addresses are assigned dynamically. If you or your office have a static IP address that hasn’t changed since February 2012 and its in this list, we’d love to hear from you.

Bahrain – 1485
United Kingdom – 340
Morocco – 155
Iran, Islamic Republic of – 110
Thailand – 99
Belgium – 69
Anonymous Proxy – 61
Russian Federation – 43
Kuwait – 18
Germany – 15
United States – 15
Qatar – 14
Switzerland – 12
Lebanon – 10
Italy – 8
Egypt – 8
Saudi Arabia – 6
Iraq – 6
Cyprus – 6
Yemen – 2
Tunisia – 2
United Arab Emirates – 2
Lithuania – 1
Netherlands – 1
Sweden – 1