Growing Number of Governments Using FinFisher Spyware: Report

New research suggests that the number of governments using the controversial FinFisher spyware suite has increased.

FinFisher is a lawful interception solution developed by Germany-based FinFisher GmbH and sold exclusively to governments. Researchers have been monitoring the use of FinFisher over the past years and found it in many countries, including ones that have a poor human rights and civil liberties record, such as Bahrain and Ethiopia.

Researchers at Citizen Lab, an interdisciplinary laboratory based at the Munk Centre for International Studies at the University of Toronto in Canada, have identified new ways to determine the physical location of FinFisher servers.

According to experts, FinFisher customers are provided a master server (FinSpy Master) and multiple relays (FinSpy Relay) whose purpose is to act as command and control (C&C) servers. The FinFisher spyware deployed on victims’ devices communicates with the relay servers, which provide a link to the master server.

A scan conducted by Citizen Lab using the Zmap tool revealed the existence of 135 servers, including both FinSpy Masters and Relays. The master servers are deployed on the customer’s premises, so identifying their location exposes governments that use FinFisher. The proxies are located in other countries, as their purpose is to protect the location of the master.

While the developers of FinFisher claim relays make it “practically impossible” to discover the location of the master servers, Citizen Lab has found a way to use these proxies to determine the real location of the master.

If the IP address of a FinSpy Relay is entered into a web browser, the user is usually presented with a decoy page, often Google or Yahoo. If the decoy page is Google, researchers can perform a search for “my ip address” and the search engine will display the real IP address of the FinSpy Master. That happens because the search request goes through the Relay to the Master, which in turn queries Google and sends the result back to the Relay, which displays it to the user conducting the “my ip address” search. Since the query is made by the Master, Google returns the Master’s IP address and not that of the Relay.

This technique doesn’t work in the case of Yahoo, but Citizen Lab has found an alternative method to obtain location information. While in the case of Yahoo researchers haven’t managed to obtain exact IP addresses, the webpage’s source code contains location data because Yahoo uses it to display customized weather information and news on the homepage.

Some of the other decoy pages identified by experts also revealed IPs or location data.
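Added example, not from the article or Citizen Lab's report: a loopback-only Python model of the Relay-to-Master forwarding chain described above, showing why a decoy page that reflects the requester's address exposes the Master rather than the Relay. The 127.0.0.x addresses and all function names are constructed for illustration and assume Linux loopback behaviour.

```python
# Added illustration: loopback model of client -> Relay -> Master -> decoy.
# All addresses are constructed stand-ins; nothing leaves the local machine.
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

RELAY_IP, MASTER_IP = "127.0.0.2", "127.0.0.3"  # hypothetical hop addresses

def fetch(dst, src_ip):
    """GET / from dst=(host, port), forcing the outgoing source address."""
    conn = http.client.HTTPConnection(*dst, timeout=5, source_address=(src_ip, 0))
    conn.request("GET", "/")
    body = conn.getresponse().read()
    conn.close()
    return body

def serve(bind_ip, respond):
    """Start a one-route HTTP server; respond(client_ip) returns the body."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            body = respond(self.client_address[0])
            self.send_response(200)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):  # keep the demo quiet
            pass

    server = HTTPServer((bind_ip, 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def run_demo(client_ip="127.0.0.4"):
    # Decoy origin: reflects the address it sees, like a "my ip" search result.
    decoy = serve("127.0.0.1", lambda ip: ip.encode())
    # The Master fetches the decoy itself, so the decoy sees the Master.
    master = serve(MASTER_IP, lambda _ip: fetch(decoy.server_address, MASTER_IP))
    # The Relay forwards to the Master and returns the body unchanged.
    relay = serve(RELAY_IP, lambda _ip: fetch(master.server_address, RELAY_IP))
    try:
        return fetch(relay.server_address, client_ip).decode()
    finally:
        for s in (relay, master, decoy):
            s.shutdown()
            s.server_close()

if __name__ == "__main__":
    print("address reflected to the client:", run_demo())
```

The same reasoning applies to any reverse-proxy chain that serves third-party content: whatever the origin derives from the requester (address, geolocation, localized weather) describes the last hop that made the request, not the front end the visitor connected to.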

Citizen Lab noticed that the number of servers returning decoy pages has decreased over time, most likely because FinFisher or its customers have realized that they can be problematic.

Using the aforementioned techniques, experts identified FinFisher users in 32 countries. In addition to previously known customers, 16 new countries have been identified, including Angola, Egypt, Gabon, Jordan, Kazakhstan, Kenya, Lebanon, Morocco, Oman, Paraguay, Saudi Arabia, Slovenia, Spain, Taiwan, Turkey, and Venezuela. In some cases, researchers were able to trace the identified IP addresses to specific government organizations, but some information has been redacted in Citizen Lab’s report to avoid interference with legitimately sanctioned activities.

FinFisher customers

“A key goal of this research is to provide a resource to those working on policy and research in this space. We also believe this kind of reporting is essential to help ensure that citizens have the opportunity to hold their governments accountable,” Citizen Lab said in its report.

FinFisher’s systems were breached last year and tens of gigabytes of data were leaked online. However, the incident doesn’t appear to have had too much of an impact on the company’s operations.

Hacking Team, a FinFisher rival based in Italy, was also hacked this year, presumably by the same attacker. Just like FinFisher, Hacking Team seems confident that the breach will not have a negative impact on business, despite the fact that hackers leaked source code, exploits, and private communications.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
