The cybersecurity firm ESET sees "strong indicators of major internet service provider (ISP) involvement" in a new round of attacks from a state-sponsored spyware campaign, according to a report released Thursday.

The report concerns attacks using the FinFisher brand of spyware, a commercially available product made by a private contractor and sold to nations and law enforcement agencies.

ESET claims it has discovered attempts to infect systems with the latest version of FinFisher in seven countries. In two of those countries, the attacker appears to have used the ISP to deliver the malware. The remaining five countries were struck using more conventional modes of distributing malware.

In the newest FinFisher attacks, users trying to download WhatsApp, Skype, Avast, WinRAR, VLC Player and other software from legitimate sites were rerouted to malware-laced versions of the same software.

ESET has not released which countries were targeted. It is not yet known who the FinFisher customer behind the attacks is.

ADVERTISEMENT

There are a number of ways to redirect traffic in this way, but ESET believes that the attacks were launched at ISPs. For one, within each country hit by this attack, all the targets used the same internet provider. Also, leaked FinFisher documents show that the company offers a FinISP service to infect victims using an ISP.

This would be the first known public sighting of a FinISP attack.

It is unclear if the internet provider is helping the attacker willingly or if their systems were compromised.