Surveillance Companies in the MENA Region
Lench IT Solutions, also known as Gamma Group, is an Anglo-German company that operates through its UK branch under the name Gamma International, and through its Munich branch under the name Gamma International GmbH. The company, which was established in 1990, is known for its spyware FinFisher, also known as FinSpy. It sells its software exclusively to governments. The company markets its software as a tool for fighting crime, but in many cases it was used to spy on journalists, activists and opposition figures in countries that purchased it.
The company’s name started to draw attention in 2011, when documents retrieved after a break-in at the offices of the Egyptian State Security Agency (SS) revealed that the Egyptian government had imported the FinFisher software through MCS Holdings, a local Egyptian company that acts as an agent of Gamma Group. One of the documents included an offer from the UK branch, dated June 2010, to sell FinSpy to Egyptian security for 287,000 euros. Other documents revealed that the SS had a free trial of the software, through which it was able to hack into personal email and Skype accounts and take control of the PCs of potential targets. The documents also revealed that the software can be used to record audio and video calls, and movements through the hacked PC’s audio and video, in addition to hacking into other PCs on the same network.
The company’s name appeared once again in 2012, when an investigation by the Citizen Lab revealed that the Bahraini government used the software to target activists and dissenters by sending emails with malware attachments. Another report by the same organization in October 2015 revealed suspicions that 33 governments use FinSpy, including Egypt, Lebanon, Morocco, Oman, and Saudi Arabia.
In 2016, Egyptian civil society came under phishing attacks that targeted tens of activists and human rights defenders. The attacks, which were perpetrated by Nile Phish, targeted 7 Egyptian NGOs working in the human rights field. Citizen Lab investigated the issue by analyzing 92 messages sent by Nile Phish to the organizations’ workers as well as to journalists, lawyers, and activists. The messages relied on social engineering to tempt the recipients into entering their passwords. The attacks resumed in 2019. This time, Nile Phish relied on a phishing technique that abuses the OAuth service to reach personal accounts. According to Amnesty’s investigation of this attack, which targeted hundreds of people, the attack was likely supported by governmental entities. Although neither investigation could verify the identity of those behind Nile Phish, a later report by Amnesty revealed that the Nile Phish group used FinSpy: while analyzing the tools and techniques used by the group, the Amnesty team found a malware site where clicking anywhere on the page installs a copy of Flash Player that includes FinSpy.
In March 2022, Access Now announced that FinFisher had suspended its operations and filed for bankruptcy.
Country of Origin
Works with governments
Software and Equipment
FinFisher, also known as FinSpy
Type of Attack
Zero Day Attack, One Day Exploits
Microsoft Office, Internet Explorer, Adobe Acrobat Reader, Skype
Targeting specific users
iOS, Android, Windows
Bahrain, Egypt, Jordan, Lebanon, Morocco, Nigeria, Oman, Saudi Arabia, UAE
Technical Specifications of Software and Equipment
FinFisher is an advanced spyware product made by FinFisher GmbH, which sells it exclusively to governments. When purchasing the software, the government receives a FinSpy Master-C&C server. Sometimes the governmental entities set up anonymizing proxies to hide the location of the main server. When a PC is infected with the software, it communicates with the anonymizing proxy, which is usually set up on a Virtual Private Server in another country. The proxy then relays the communications made on the hacked PC to the master server. The targeted person’s computer is hacked by sending an email with malware attachments; when the target clicks and downloads them, the multi-featured trojan is installed on the PC. This software gives the hacking entity quick remote access to the victim’s PC, in addition to the ability to collect and extract data from it. Among the data collected by the software are audio files and Skype chat messages, in addition to files sent through the application, the contacts list, passwords, and screenshots. The software can also record all communications conducted through email and chat applications, remotely control the camera and the microphone of the PC, determine the country where the targeted person lives, and extract files from the PC. It can also bypass some antivirus systems.