CCC | Stage win: FinFisher is bankrupt

Stage win: FinFisher is bankrupt

2022-03-28 08:45:41, linus

FinFisher, the Munich-based state Trojan exporter, is bankrupt. For over a decade, a wide variety of international groups, including the CCC, have worked toward its end.

A lot has happened since the CCC analyzed the first German state Trojan in 2011. The international community discovered FinFisher FinSpy and NSO Pegasus. Countless analyses, hacks and investigations exposed the internationally active exporters of state-sponsored malware.

A stage win has now been achieved against one of the two companies: The FinFisher business conglomerate is insolvent, and business operations have been completely suspended. The reason for this is the seizure in the context of criminal proceedings due to the circumvention of export controls: FinFisher/FinSpy malware was used against the opposition in Turkey. An export license did not exist.

Export to unjust regimes

The software was also discovered in use in countries such as Bahrain, Bangladesh, Brunei, Ethiopia, Hungary, Malaysia, Mexico, Qatar and the United Arab Emirates. German authorities were of course also customers of the company. Initially, no significant investigative measures followed the criminal complaint filed in July 2019. The German NGO Gesellschaft für Freiheitsrechte therefore asked the CCC to substantiate and extend the evidence provided.

Analysis by the CCC

In late 2019, we published our analysis of 28 versions of the malware (report as PDF ), the samples we analyzed, and the analysis tools which can be used to analyze further versions. We confirmed the findings published by Access Now and presented additional evidence. After presenting these findings at the 36th Chaos Communication Congress, we also explained them in person to the German Customs Investigation Bureau and the Munich public prosecutor's office. In October 2020, raids finally took place at more than 15 business and private addresses.

Asset detention and insolvency

Apparently, the suspicions were further substantiated: the public prosecutor's office wanted to secure the assets potentially obtained from an unlawful act by means of an asset freeze in order to be able to confiscate them if necessary. The group of companies escaped seizure through insolvency. The criminal proceedings, on the other hand, are of course continuing and we can be curious about the outcome.

The fight goes on

"The end of FinFisher is not the end of the state Trojan market," says Thorsten Schröder, who conducted the CCC FinSpy analysis together with Linus Neumann. "The employees who are now laid off will look for new jobs - presumably at competitors, who will probably also take over the customer base."

More important than the company going bankrupt, therefore, is a conclusion to the criminal proceedings. "We all hope that the end of FinFisher is just the beginning and that the competitors will also finally face legal and financial consequences," says Linus Neumann.

Thanks to the international community

State Trojans are distributed and developed by large international corporations. Companies like FinFisher, NSO and Co. are being tackled at all thanks to a small, excellent community of international activists, hackers and researchers:

Victims and targeted individuals discovered the attacks on them and reported them to researchers.
Current and former employees, and other whistleblowers repeatedly provided important information.
Citizen Lab published several important FinFisher reports in recent years and has recently been doing outstanding work on NSO Pegasus.
Access Now laid the groundwork for criminal charges against FinFisher with its analysis.
Amnesty Security Lab not only published on the deployment in Egypt, but also produced outstanding research and tools on NSO Pegasus.
Claudio Guarnieri is hunting state trojans for many years and is also significantly involved in the recent publication on the deployment in Egypt. He is the most active developer of the Mobile Verification Toolkit, which can be used to detect infections on cell phones.
Phineas Fisher hacked Gamma/FinFisher and provided the research community with many attribution clues: Torrent.
ESET, among others, published important research on the analysis and deobfuscation of FinFisher.
Microsoft is also not only fighting this state Trojan, but also publicly shares the findings.
Gesellschaft für Freiheitsrechte, Reporters Without Borders, European Center for Constitutional and Human Rights and netzpolitik.org compiled the criminal complaint.
Andre Meister reports on netzpolitik.org, even though the company is trying to suppress his reporting.

Thanks to the technical expertise of this community, members of this shady industry face problems in gaining social and political acceptance. We would like to take this opportunity to highlight this tireless fight against the digital hydra and thank all researchers for sharing their insights and tools.

We still have a lot of work to do.