Cyber Incident Victim: Gamma Group

Date: Aug 2014

Location: United States of America

Summary

Leaked documents revealed that spyware developed by Gamma Group, specifically the FinFisher suite, was deployed to surveil computers across multiple nations, enabling monitoring of secure communications, webcams, files, and encrypted traffic. The malware evaded antivirus detection and exploited zero-day vulnerabilities sourced from third-party providers, targeting activists, journalists, and dissidents in operations linked to various governments and private entities. Hackers disclosed internal technical materials, pricing, and customer references, exposing the spyware's use by repressive regimes and raising concerns about its global proliferation. The breach highlighted Gamma's collaboration with exploit vendors and ongoing efforts to circumvent encryption tools, though the exact perpetrators of the surveillance campaigns remained unconfirmed.


Description

In August 2014, hackers leaked over 40 gigabytes of internal documents from Gamma Group International, a UK-based surveillance firm, exposing technical details of its FinFisher spyware suite and its use against targets across multiple countries. The documents, posted online and first announced by a parody Twitter account (@GammaGroupPR) on August 2, included software code, user manuals, strategy reports, and internal communications. Analysis by ProPublica and security researchers revealed that FinFisher had been deployed against computers in the United States, UK, Germany, Russia, Iran, and Bahrain, though the specific actors conducting the surveillance—whether governments or private entities—remained unverified. Customer email addresses linked to the materials suggested involvement by the Bosnian and Hungarian intelligence services, a Dutch law enforcement officer, the Qatari government, a German surveillance firm, and a Dubai-based consultant. Technical files demonstrated FinFisher’s capabilities: it could monitor encrypted web traffic, Skype calls, webcam feeds, and personal files by installing malware on target devices. A product called FinSpy evaded detection by most antivirus software, while FinFly ISP enabled "country-wide" internet traffic interception by mimicking legitimate websites to deliver malware.

The leak corroborated prior reports of Gamma Group’s activities, including its sale of FinFisher to Egypt’s State Security in 2011 and its use against Bahraini activists in 2012. Documents showed Gamma had tested methods to bypass encryption tools such as Silent Circle’s mobile app, TrueCrypt, and Microsoft BitLocker, though Silent Circle’s CEO expressed skepticism about their success. Gamma also incorporated zero-day exploits from the French firm Vupen Security to target vulnerabilities in Microsoft Office, Internet Explorer, and Adobe Reader. A leaked price list indicated that software licenses cost nearly $4 million. Researchers Morgan Marquis-Boire and Bill Marczak of The Citizen Lab validated the documents’ authenticity through metadata tied to Gamma employees and through their alignment with known events, such as the dates on which Bahraini activists were hacked. Gamma did not publicly address the leak, and its listed contact number was disconnected. This incident followed earlier controversies, including Mozilla’s 2013 cease-and-desist letter to Gamma after it distributed a spyware-infected version of Firefox to target Malaysian activists. The hacker "Phineas Fisher," claiming responsibility on Reddit, cited Gamma’s history of enabling surveillance against dissidents as the motivation for the breach.
