Report: U.K. firm offered IT intrusion tools to Egyptian government

Last month, activists stormed the offices of the Egyptian State Security Investigations Service (Mabahith Amn al-Dawla). Inside, they discovered a proposal offering SSIS access to IT intrusion tools used for surveillance. Given recent events in Egypt, and a free trial of the proposed software, there is little doubt what the SSIS used it for.

A risky vertical market:

As noted by Eli Lake of The Washington Times, the uncovered proposal from Gamma International - for what is pitched as an IT Intrusion system named FinFisher - is just another example of how Western companies who deal in surveillance and intelligence are expanding to other markets. In this case, the proposal made it to the security arm of Egypt's Ministry of Interior, a market with some questionable history.

Egypt’s SSIS has had “excellent and strong” relations with the FBI, as noted by remarks made by agency head, Hassan Abdul Rahman, during a meeting in 2007 with the now former FBI Deputy Director, John Pistole. These relations were a “great benefit” given the value derived from training opportunities at the FBI Academy in Quantico, VA. In addition to training, the FBI wanted to share other resources with the SSIS, including fingerprint data and DNA. [Source]

During the meeting, the two directors talked about the Egyptian Muslim Brotherhood, political activists classified as terrorists by the Egyptian government, before the topic turned to freedom of expression, with a special focus on the Internet. At one point, Rahman remarked that the “Internet is a dangerous place.”

Referencing the challenges posed by the Web, he said, “…a young Egyptian can become radicalized without even leaving his home - he just surfs various Jihadi websites.”

While the diplomatic talk centered on terrorism, both within Egypt and abroad, the undertone was how the Internet is being used to spread ideas. This is something the SSIS clearly did not want to happen. Controlling and denying access to information online is justified in the case of terrorism, but the problem is that the methods used to curb terror were also used to target activists and other civilians.

Over the years, the SSIS has been linked to torture, by both international watchdogs and citizens alike, as well as several other human rights violations. The Committee to Protect Journalists ranks Egypt as one of the ten worst countries in which to be a blogger, and reports that the authorities monitor internet traffic to gather information on potential targets for legal action.

“In one high-profile case in June, Alexandria-based blogger Khaled Said was beaten to death in public by security forces after he posted a video recording of police sharing the spoils of a drug bust. Widespread riots over the killing seemed to have no deterrent effect, as at least one other civilian, Ahmed Shabaan, was found beaten to death in October after being detained in the same police precinct as Khaled Said.” [Source]

According to the U.S. State Department’s 2010 Human Rights Report, Egypt, “…required Internet cafes to gather personal information of Internet users, including names, e-mail addresses, and telephone numbers. During the year police harassed, detained, and allegedly abused certain bloggers and Internet activists.” [Source]

In both examples, the actions taken would have come from the SSIS, as they controlled the Investigative Bureau, the Security Court, and Security Prosecution, arms of the Egyptian government. It has been reported in several media outlets that many of the people who took part in the protests earlier this year were viewed as terrorists or traitors by the government.

All things considered, Gamma International’s offering of a streamlined intrusion system would have been seen as a golden egg to the SSIS. But what exactly did they offer?

IT Intrusion:

It was Gamma International, via a proxy listed as Modern Communication Systems (MCS), that pitched the use of FinFisher software to the SSIS. Gamma says on its website that FinFisher is sold only to government intelligence services and law enforcement. According to marketing information, Gamma’s FinFisher portfolio offers:

- The Remote Monitoring and Infection Solutions are used to access target systems giving full access to stored information with the ability to take control of the target systems functions to the point of capturing encrypted data and communications. In combination with enhanced remote infection methods, the Government Agency will have the capability to remotely infect target systems.

- The IT Intrusion Training Program includes courses on both, products supplied as well as practical IT Intrusion methods and techniques. This program transfers years of knowledge and experience to end users, thus maximizing their capabilities in this field.

[Note: MCS is not MCS Holdings. They are two separate companies.]

According to an outline of a 2010 presentation by Gamma’s Marketing Manager, Johnny Debs, the “need for IT intrusion within the intelligence community spawned the FinFisher portfolio. FinFisher combines offensive IT Intrusion methods of different applications and areas into one comprehensive portfolio covering all major fields of operation.”

His presentation would cover “hacking technologies” as well as “Trojan Horse Technologies” and “Hacking Training”, presumably using FinFisher as the main tool while covering these topics. [Source]

In addition to FinFisher, Gamma International offers a wide range of services including GSM, GPRS, and UMTS monitoring, passive telephone monitoring, SMS interception, speech identifying tools, and RF monitoring. [Source]

Live Testing:

Based on translations of the documents recovered from what was left of the SSIS offices, the Egyptian government tested FinFisher for at least three weeks, but no longer than five months. The free trial was thanks to MCS, who offered a laptop preloaded with the needed software in order to move the deal along. After the trial ended, an internal memo reported positive results. [Source] [Details on the SSIS raid]

“The five month free trial showed the following [results]: The system has a high-level penetration of any type of email (Hotmail, Google, Yahoo). It’s also successful in penetration of Skype,” the memo explains.

“It also has the option of leaving a Trojan Horse, which enables recording of voice and video chats; recording the movement of the target by using his computer and even recording him if the computer has a camera; full control of the target computer and the ability to copy anything on his computer.”

Based on the documents, the total charge for the full FinFisher package, consisting of FinSpy Remote Intrusion, FinFly Remote Infection, licenses, training, and hardware, as well as additional support, equaled £E 3,382,998.81 EGP ($568,570.46 USD / €387,204.51 EUR).

Peter Lloyd, an attorney for Gamma International, told The Washington Times that Gamma complies, “in all its dealings with all applicable U.K. laws and regulations…Gamma did not supply to Egypt, but in any event it would not be appropriate for Gamma to make public details of its transactions with any customer.”

This is completely true, as the usage of FinFisher by the SSIS appears to be allowed under U.K. law. While researching, we found nothing that would suggest it is illegal for a U.K.-based firm to sell products to the Egyptian government. Still, it’s clear that the SSIS didn’t purchase FinFisher. Instead, they leveraged the free trial, as evident in the internal notes on the testing.

During this time, there were countless reports from Egypt of protesters who were intimidated, arrested, beaten, and killed for their roles in what is now called the Egyptian Revolution. These protesters were in the streets as well as online, making them easy targets for the SSIS.

“A word of caution… Just because this recent disclosure is all about FinFisher’s use in Egypt, it doesn’t mean that non-Egyptian individuals or businesses aren’t being similarly monitored. If you’ve been traveling to Egypt over the last few months or using your laptop in the region, you may have been targeted and subsequently infected...,” Gunter Ollmann, the VP Research at Damballa, noted in a blog post on FinFisher.

The idea that Egypt was testing and using this sort of technology shouldn’t surprise anyone. It is another example of how technical innovations can be abused by a government. Clearly, this problem isn’t just confined to Egypt.

The Tunisian Internet Agency (Agence tunisienne d'Internet or ATI) abused its security technology when it injected JavaScript into the login pages of Gmail, Yahoo, and Facebook in order to capture the usernames and passwords of protesters. As a result, many blog and Facebook posts covering the Tunisian protests were inexplicably removed, and arrests were made. [Story]

Here in the U.S., three data intelligence firms were busted attempting to pitch plans that would have amounted to a criminal abuse of authority by the U.S. government and a serious violation of law by firms in the private sector. [Story]

As the Egyptian Revolution gained momentum earlier this year, one of the largest demands was the abolishment of the SSIS entirely. Those demands were met in March, when the Ministry of Interior dissolved the agency. Still, there are some complaints from the public, as members of the old SSIS are taking positions in other parts of the government.

For now, the head of the SSIS, as well as his immediate successor, are reported to have been arrested on suspicion of ordering demonstrators killed. Earlier this month, an Egyptian court ruled that funds and property are to be turned over to the government, as it dissolved the former ruling National Democratic Party (NDP).

As reported by Al Jazeera, the NDP stood accused of corruption.

“The move to dissolve NDP was the latest concession by Egypt's military rulers to demands of the protest movement, coming days after Mubarak and his sons were put under detention for investigation on allegations of corruption and involvement in the killing of protesters,” the news agency reported.
