A Spy in the Machine

How a brutal government used cutting-edge spyware to hijack one activist's life

By Amar Toor & Russell Brandom

In November 2005, during the dead of night, five black cars pulled up in front of the home of Moosa Abd-Ali Ali. The doors opened, and a group of men stepped out. They could have been officers, or maybe they were just hired muscle — such distinctions aren’t always clear in Bahrain. But Moosa knew they were sent by the government, and they had come for him.

Moosa was just 24 at the time, but he had already become a prominent anti-government activist within the small kingdom of Bahrain. He’d spent years protesting for equal employment rights and had been jailed and tortured on several occasions. When the cars pulled up outside his home that night, he had just served a nine-month prison sentence on charges that were never revealed to him.

The men barged into Moosa’s house and dragged him out into the streets of Al-Akar, the seaside village where he lived with his wife and young son. They took him to a quiet, darkened alleyway and took turns beating him. Then they raped him. If he didn’t stop his activism, they told him, they would do the same to his family.

Moosa didn’t leave his house for a week after the assault. On December 21st, 2005, he fled for London, after narrowly slipping past Bahraini security forces at the airport. "If I stayed in Bahrain I would have died in prison," he says. "I am sure of it." He hasn’t been home since.

Moosa became an activist at the age of 14, when he saw one of his favorite teachers being carried away in handcuffs by a group of policemen. He was politically naive at the time, but the teacher’s arrest lit a fire. Days later, he joined his very first protest, an act for which he was held at gunpoint in his home and sent to jail for five months.
Now 33, Moosa has spent most of his life campaigning for democracy and equal rights in Bahrain, a Middle East island nation of 1.3 million that has been ruled by the Khalifa family dynasty for more than 200 years. He’s been jailed seven times — "Not a small number," he says — and has endured brutal torture and assault at the hands of Bahraini officials.

Bahrain’s government has a long and dubious human rights record, especially when it comes to free speech. Even the smallest forms of dissent are regularly met with severe punishment, and the crackdown has only intensified since the Arab Spring uprisings of 2011. This month, a prominent activist was sentenced to six months in prison over tweets that were critical of the country’s defense and interior ministries.

Bahrain has also been a longtime ally of the United States and particularly the UK, a relationship the kingdom has maintained despite ongoing unrest. That’s why Moosa fled to London. If he couldn’t continue fighting from within Bahrain, he could at least do it from Bahrain’s closest and historically most important global partner. (Bahrain was effectively a British protectorate until 1971.) He was granted asylum in 2006, his wife and child joined him a year later, and for a while, it seemed as if he was finally safe. He found a job as a cameraman for a Bahraini news agency and embedded himself within London’s community of exiled activists. He was definitely still on the Bahraini government’s radar — his high-profile demonstrations and sizable social media following made sure of it — but he was finally free to protest, and his torturers were now thousands of miles away. Or so he thought.

One day in 2011, Moosa opened the Facebook Messenger app on his iPhone. What he saw was chilling: someone else was typing under his name to an activist friend of his in Bahrain. Whoever it was kept posing personal questions, prodding for information, and Moosa watched it unfold right before his eyes. He panicked. "It was like, ‘What’s going on? What’s happening?’" he recalls. He changed his password, alerted his friend, and stopped using Facebook Messenger — but the intrusions kept coming. In another instance, Moosa noticed that someone posing as him had solicited his female Facebook friends for sex — part of an effort, it seemed, to blackmail him or perhaps defame him in Bahrain’s conservative media.

Facebook was only the beginning. Unbeknownst to him, Moosa’s phone and computer had been infected with a highly sophisticated piece of spyware, built and sold in secret. That is why a new password changed nothing: the implant ran on the devices themselves and captured what he typed, new credentials included. It effectively commandeered his digital existence, collecting everything he did or said online.

Upon his arrival in London, Moosa had become an unofficial archivist for his activist community, obsessively documenting every protest and broadcasting his videos to a large group of YouTube followers. Whenever something happened back in Bahrain, he’d receive a flurry of images and video footage from contacts and disseminate the content online and to media outlets. Now, whoever was behind the hack had access to all of his accounts, emails, documents, and a massive trove of videos. They could even control his computer’s webcam and microphone. An investigation would later reveal that Moosa’s online life was hijacked for eight months. All signs pointed to Bahrain as the culprit, and FinFisher, a mysterious spyware-for-hire tool, as the weapon of choice.

It was May of 2012 when Morgan Marquis-Boire first got the package from Bahrain. He was working on Google’s incident response team at the time, protecting high-risk users from state-sponsored attackers. (He has since become security director for First Look Media.) Along the way, he’d seen a lot of spyware being sent after protesters during the Arab Spring. Most of the implants he ran into were easy to spot and remove. But this one, arriving in a protected attachment from Bahrain Watch, seemed more complicated.

Following standard procedure, Marquis-Boire set the program running in a virtual machine, essentially a fish tank where he could watch the malware at work. He watched the virtual machine’s working memory, keeping his eye on the software as it stretched its legs in the new environment. Then, without warning, the implant disappeared.

That got Marquis-Boire’s attention. "I thought, ‘Oh we have a player here,’" he recalls. It was a sign of a more sophisticated author at work. The implant used a technique called process hollowing: it took over a legitimate Windows process and replaced that program’s code in memory with its own, so the spyware kept executing under a trusted name while its own file dropped out of sight. Digging through the working memory, Marquis-Boire found the implant hiding inside "winlogon.exe," the Windows logon process, and he could see the new code that had rushed in to replace the original. One string stuck out, a file path left over from the implant developer’s own build machine:

y:\lsvn_branches\finspyv4.01\finspyv2\src\libs\libgmp\mpn-tdiv_qr.c

(libgmp is the GNU multiple-precision arithmetic library; such leftover build paths are a common slip by malware authors, and a gift to investigators.) "I thought, Finspy, that rings some bells," Marquis-Boire recalls. "Holy shit, I think this is FinFisher!"

FinFisher had become a kind of bogeyman in the security community since brochures advertising the software’s capabilities popped up in a Wikileaks drop in December of 2011. FinFisher could purportedly empower its owner with the kinds of advanced intrusion techniques usually reserved for the NSA.
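What Marquis-Boire did by eye can be scripted. The following is an added example, not code from the article or from any FinFisher analysis: given the sections of a process as read from memory and the same sections from the executable on disk, it flags the ones whose bytes no longer match (the signature of a hollowed process) and searches the memory for leftover developer build paths like the one above, in both plain ASCII and the UTF-16 wide strings Windows binaries commonly carry. The PE parsing and the memory read are assumed to have been done already by a debugger or memory-forensics tool; the winlogon.exe stand-in data and the second, wide-character path are constructed for the example.

```python
"""Triage of a suspected process-hollowing victim (added example, not code
from the article or from any FinFisher analysis).

Process hollowing leaves the process name and the file on disk looking clean
while the memory behind them belongs to the implant. Two checks surface that,
run here on constructed data: (1) sections mapped in memory no longer hash to
the same sections in the on-disk image, and (2) strings that have no business
in winlogon.exe, such as a developer's source-tree path, appear in memory.
The functions take sections as name -> bytes mappings; producing those from a
live process or a memory dump is assumed to have been done by another tool.
"""
import hashlib
import re

# Windows-style build/source paths: drive letter, backslash path, a source or
# debug-symbol extension, and the following byte must not be another printable
# character (so ".c" is not matched in the middle of ".cpp" or a longer word).
_ASCII_PATH = re.compile(rb"[A-Za-z]:\\[ -~]{3,250}?\.(?:cpp|c|h|pdb)(?![ -~])")
# The same shape in UTF-16LE, the encoding most Windows binaries use for
# wide strings: every character is followed by a NUL byte.
_WIDE_PATH = re.compile(
    rb"[A-Za-z]\x00:\x00\\\x00(?:[ -~]\x00){3,250}?"
    rb"\.\x00(?:c\x00p\x00p\x00|c\x00|h\x00|p\x00d\x00b\x00)(?![ -~]\x00)"
)


def find_build_paths(blob: bytes) -> list[str]:
    """Return developer source/symbol paths found in a memory region."""
    paths = [m.group(0).decode("ascii") for m in _ASCII_PATH.finditer(blob)]
    paths += [m.group(0).decode("utf-16-le") for m in _WIDE_PATH.finditer(blob)]
    return paths


def _digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hollowed_sections(on_disk: dict[str, bytes], in_memory: dict[str, bytes]) -> list[str]:
    """Names of sections whose bytes in memory no longer match the file on disk.

    Only sections that are not writable at runtime (.text, .rdata) are
    meaningful to compare; .data legitimately changes while a process runs,
    so the caller passes only the sections it wants checked. Relocations are
    ignored here; a real comparison must apply them to the on-disk copy first.
    """
    return sorted(
        name for name, data in in_memory.items()
        if name in on_disk and _digest(data) != _digest(on_disk[name])
    )


def triage(on_disk: dict[str, bytes], in_memory: dict[str, bytes]) -> dict:
    """Combine both indicators into one verdict for a single process."""
    flagged = hollowed_sections(on_disk, in_memory)
    paths = [p for data in in_memory.values() for p in find_build_paths(data)]
    return {
        "hollowed_sections": flagged,
        "build_paths": paths,
        "suspicious": bool(flagged or paths),
    }


# Constructed sample: stand-ins for winlogon.exe on disk and for the same
# process's sections read back from memory after an implant moved in. Neither
# is a real Windows image. The ASCII path is the one quoted in the article;
# the wide-character path is invented for the example.
LEFTOVER_PATH = rb"y:\lsvn_branches\finspyv4.01\finspyv2\src\libs\libgmp\mpn-tdiv_qr.c"
WIDE_LEFTOVER = "C:\\build\\agent\\src\\core.cpp".encode("utf-16-le")
ON_DISK = {
    ".text": b"\x55\x8b\xec\x83\xec\x10" * 64,        # stand-in code, repeated
    ".rdata": b"winlogon.pdb\x00" + b"\x00" * 32,     # a bare PDB name is normal
}
IN_MEMORY = {
    ".text": (b"\x60\xe8\x00\x00\x00\x00\x5d" * 32     # replacement code
              + b"\x00" * 16 + LEFTOVER_PATH + b"\x00" * 8
              + WIDE_LEFTOVER + b"\x00" * 8),
    ".rdata": ON_DISK[".rdata"],                      # untouched
}

if __name__ == "__main__":
    print(triage(ON_DISK, IN_MEMORY))
    print(triage(ON_DISK, ON_DISK))
```

On the constructed data the first call reports `.text` as hollowed and returns both leftover paths; the second, comparing the clean image with itself, reports nothing. Both checks are heuristics: a packed or self-modifying legitimate program also fails the hash comparison, and a careful implant author strips build paths, so a hit is a reason to look closer rather than a verdict on its own.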
"There was a certain amount of interest just because no one had seen it," Marquis-Boire says. "All we had were these leaked documents."

[Image: The cover page of a FinFisher document released by Wikileaks.]

FinFisher was created and sold by Gamma International, an international surveillance company with offices in London and Frankfurt. The Gamma brochures promised remote monitoring and keylogging — they even said they could listen in on a target’s Skype calls in real time. It’s the kind of technology that could be subject to international export controls like the Wassenaar Arrangement, so finding it in the hands of the Bahraini government would have major diplomatic consequences. But so far, no one had been able to pin down the program in action. When Arab Spring protesters found evidence of FinFisher use by the Mubarak government in Egypt, Gamma simply said the software had been stolen. No one was ever able to prove otherwise.

But now Marquis-Boire had caught a FinFisher sample in the wild, and thanks to the leaked brochures, he had a roadmap of everything the implant could do. The implant divided its tasks between different modules, like a crew of bank robbers: one module would break through a device’s security and then deploy another module to log keystrokes, collecting the target’s passwords. A third module took screenshots of the desktop, catching anything the subject might be looking at. A fourth module encrypted the collected data into a proprietary file format, so anyone looking through the hard drive would see only unreadable files rather than a record of what had been captured. Once the data was encrypted, the implant would send the file back home to its command server — in this case, a server at Bahrain’s national telecom.

Marquis-Boire enlisted the aid of Claudio Guarnieri, a researcher at security firm Rapid7, to further explore the software.
The two uncovered a mobile version of the implant, which came in different versions for iOS, Android, and even Symbian, like a hot startup trying to cover as much of the market as possible. The new platform enabled dangerous new features like tracking targets through GPS and pulling contacts directly from the phone’s memory. There were specific modules for popular chat and VOIP apps like WhatsApp and Viber, in case you tried to escape by running to a third-party service. It could even activate the on-board microphone to listen in from your pocket. Once the implant was installed, your phone effectively became an enemy agent. "I’d be working at my computer and start squinting at my phone, thinking, maybe I should turn that off," Marquis-Boire says. "It produced this weird dissonance between me and this device that I carry around all the time."

Then there were the command servers themselves. After studying the implant, Marquis-Boire and the others worked out exactly how it announced itself when it phoned home, and how a genuine command server answered. That exchange was a fingerprint: send the implant’s opening message to any host on the internet, and a FinFisher server would give itself away by its reply, while an ordinary web server would not. Why not send the probe into the wild and see how many servers answered? If it worked, it would show them all the FinFisher installations reachable on the open web. But finding that out meant sending a probe to billions of IP addresses, essentially the whole public internet — which also meant finding an extremely understanding traffic provider. "I remember telling providers, ‘I want a big box with a lot of bandwidth,’" Marquis-Boire says. Most assumed he wanted it for criminal purposes, rather than to catch hackers in the act. "We finally found a provider that I was able to explain it to, and they still accidentally shut down the box halfway through." After a few false starts, the probes finally went out and the team waited to see what would come back. Instead of a few outposts, they found an army.
FinFisher’s agents were everywhere: Japan, Germany, India, Serbia, Mongolia — there were even servers in the US. It was an atlas of personal invasions. All told, servers answered from 25 countries, each presumably hired out to a different regime and pointed at a different enemy of the state. But while he could see FinFisher’s control servers, Marquis-Boire still couldn’t see who they were working for. One server was on the official government network of Turkmenistan, which made it easy enough to guess who put it there — but who was behind the for-hire servers in the US? A command server can be rented in any data center on earth, so its location says where the operator leases a machine, not who the operator is. When they listened in, who did they hear? The web is a busy place, and it keeps many secrets. A scan can’t dig up all of them.

Marquis-Boire published the work in a series of three landmark papers from July 2012 to March of 2013, each titled with a cheeky Bond pun like "The SmartPhone Who Loved Me" or "You Only Click Twice." The papers laid out everything he knew about FinFisher’s network, revealing a global surveillance network that was being hired out to some of the world’s most repressive governments. Targeted exploits weren’t just for the NSA anymore. They were available to anyone who could pay for them.

Once the papers were published, FinFisher went back underground. The coders behind the program changed its routines and filenames enough to let it slip by unnoticed. Soon, the servers weren’t responding to the same call Marquis-Boire had sent out. They had new procedures now, new passwords, and they knew they were being watched. Marquis-Boire had gotten his glimpse of the network before it sank back into the shadows, and the episode illustrates the limit of any fingerprint-based detection: it works only until the operators learn what the fingerprint is.

Still, Marquis-Boire’s investigation had dug up enough for a definitive case that FinFisher had been used against Bahraini activists in London. That left two awkward possibilities: either the British government had approved FinFisher for export, or Gamma never reported the sale.
The first option would mean messy publicity for UK officials, revealing that the government had facilitated the ongoing persecution of refugees. The second could be even worse, putting FinFisher and other programs directly in the crosshairs of British trade enforcers. And if Gamma violated the UK’s hacking laws, the fallout could be even greater.
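The scan described above boils down to a short loop: connect, send the implant’s opening message, and match the reply. The following is an added example, not the researchers’ code, that runs the same idea against mock servers on 127.0.0.1 so it works offline. The probe bytes and the "FSPY-OK" banner are invented for the example and are not FinFisher’s real protocol; a real fingerprint comes from the implant analysis and is whatever bytes the genuine server actually returns.

```python
"""Fingerprinting command servers by active probing (added example).

Once you know the exact bytes an implant sends when it first contacts its
server, and the distinctive way a real server answers, you can send that same
opening message to arbitrary hosts and pick the servers out by their reply.
This runs entirely against mock peers on 127.0.0.1. The probe bytes and the
"FSPY-OK" banner are invented for the example; they are not FinFisher's real
protocol.
"""
import socket
import threading
from concurrent.futures import ThreadPoolExecutor

PROBE = b"\x00\x01HELLO\x00"   # hypothetical implant check-in message
TIMEOUT = 0.5                  # seconds to wait for a reply

# Reply signatures, most specific first. A real scan keeps many of these so
# that ordinary services hit by the probe are filed away, not eyeballed.
SIGNATURES = [
    ("c2-like (hypothetical banner)", lambda r: r.startswith(b"FSPY-OK")),
    ("http", lambda r: r.startswith(b"HTTP/")),
]


def probe_host(host, port, probe=PROBE, timeout=TIMEOUT):
    """Send the probe; return (status, reply) with status "reply",
    "refused", or "no-response" (timed out, reset or unreachable)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(probe)
            return "reply", sock.recv(512)
    except ConnectionRefusedError:
        return "refused", b""
    except OSError:            # socket.timeout is an OSError subclass
        return "no-response", b""


def classify(status, reply):
    """Map a probe result to a label using the signature table."""
    if status != "reply":
        return status
    if reply == b"":
        return "closed-without-reply"   # peer accepted, then hung up
    for label, matches in SIGNATURES:
        if matches(reply):
            return label
    return "unknown"


def scan(targets, workers=16):
    """Probe every (host, port) pair in parallel; return {target: label}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        labels = pool.map(lambda t: classify(*probe_host(*t)), targets)
        return dict(zip(targets, labels))


# --- mock peers so the scan runs offline -----------------------------------

def start_server(reply):
    """Listen on a free loopback port. Each connection gets `reply` after the
    probe arrives; with reply=None the server reads the probe and then stays
    silent, which exercises the scanner's timeout path. Returns the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)

    def loop():
        while True:
            conn, _ = srv.accept()
            with conn:
                conn.settimeout(2.0)
                try:
                    conn.recv(1024)          # the probe
                    if reply is None:
                        conn.recv(1024)      # hold the line until the client gives up
                    else:
                        conn.sendall(reply)
                except OSError:
                    pass

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]


def demo():
    """Stand up a fake command server, an ordinary web server, a silent host
    and a closed port; scan them; return the labels keyed by role."""
    roles = {
        "c2": start_server(b"FSPY-OK\r\n"),
        "web": start_server(b"HTTP/1.1 400 Bad Request\r\n\r\n"),
        "mute": start_server(None),
    }
    spare = socket.socket()
    spare.bind(("127.0.0.1", 0))
    roles["dead"] = spare.getsockname()[1]   # released below, so connect is refused
    spare.close()
    results = scan([("127.0.0.1", port) for port in roles.values()])
    return {role: results[("127.0.0.1", port)] for role, port in roles.items()}


if __name__ == "__main__":
    for role, label in demo().items():
        print(f"{role:5} -> {label}")
```

Scaling this from four loopback ports to the whole IPv4 space is mostly an operations problem: a host that can open millions of connections without its provider pulling the plug, a probe that does no harm to the ordinary services it will inevitably hit, and a signature table for those services so their replies are filed away rather than examined by hand. It also carries the weakness the article describes: the fingerprint works only until the operators learn what it is and change the reply.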

In August, the human rights group Bahrain Watch published new evidence suggesting that the Bahraini government had been using FinFisher to conduct surveillance on prominent Bahraini lawyers, activists, and politicians, both in Bahrain and abroad. According to information from a massive data leak, Gamma not only sold FinFisher to the Bahraini government, but actively worked with the regime to remotely access and monitor the computers and smartphones of opposition activists. (Gamma did not respond to multiple requests for comment.) In the UK, Moosa Abd-Ali Ali was one of three Bahraini exiles allegedly targeted by the government, together with Jaffar Al Hasabi, 43, and Saeed Al-Shehabi, 60. The devices of all three men were infected in 2011, but the extent of the breach didn’t become apparent until recently.

Moosa, Jaffar, and Saeed represent three different generations of Bahraini activism, but they’re all fighting the same fight. Jaffar, tall and soft-spoken, has devoted his life to campaigning against the widely documented human rights violations committed by the Bahraini government, and has been living in exile in London since the mid-1990s. Saeed, a London-educated engineer and prominent opposition figure, acts as the elder statesman of the group, professorial and eloquent with thinning gray hair. All three have been imprisoned and tortured in Bahrain — Jaffar as recently as 2010 — and all three have had their Bahraini citizenship revoked. In London, they’re part of a tight-knit community of Bahraini activists who orchestrate protests, petitions, and other events to raise awareness about the ruling family’s abuses and what they see as tacit complicity on the part of the British government. Even in the UK, Moosa and his compatriots are physically harassed by groups they believe are connected to the Bahraini regime.
The three were attacked in an alleyway following a demonstration in 2009, the same year that arsonists set fire to Saeed’s house in the dead of night. But they never thought that a UK firm would actively work with the Bahraini government to monitor them in a country that was supposed to keep them safe. "What we didn’t expect is that they would go that far by really intruding into our private lives," Saeed says over tea at an Islamic charity he runs in central London. Wary of endangering their families or other activists in Bahrain, the men have learned to keep politics out of their conversations and have curtailed their social media activity to varying degrees. "We feel that we are not safe," Jaffar adds. "It limits how we talk and what we can say."

Using FinFisher, the Bahraini government effectively undermined the asylum Moosa and his compatriots were granted in the UK — the kind of cautionary tale of corporate-state surveillance that has become increasingly common in recent years. Ultimately, the men were lucky. FinFisher was detected and wiped from their devices, and a watchdog is pushing for an investigation on their behalf. But while Moosa and his friends recover, FinFisher is gathering new targets in new countries. Many of them may not be as lucky as Moosa.

"One, two, three, four, Al-Asoud, no more!" "Five, six, seven, eight, Saudi is a terror state!"

Moosa’s voice bellows across the leafy streets of central London on a crisp November afternoon. His calls are echoed by Saeed, Jaffar, and three other Bahraini activists, all men. They’ve come here to the upscale, commercial district of Mayfair to protest directly in front of the Saudi Arabian embassy, as they do every Wednesday afternoon between 2 and 3 PM. Saeed and Moosa each hold up two large banners urging the British government to "stop supporting Bahrain’s torturers" and calling for Saudi troops to leave the island nation that they invaded following the Arab Spring. Jaffar patrols the sidewalk, handing out flyers with soft greetings.

The demonstration is short and uneventful. Louis Vuitton-clad women politely decline or outright ignore Jaffar’s extended hand, and the banners draw little more than passing interest and a few iPhone clicks. At precisely 3 PM, they pack up their things, under the watchful gaze of embassy guards across the street, and load them into a car with perfunctory swiftness.

After the protest, the three men go their separate ways. The sun is weakening and traffic is snarling, but Moosa doesn’t seem to be in much of a rush, munching potato chips in the back of a car as we lurch closer to his office near the King’s Cross train station. Short and burly with a small mullet, Moosa has the build of a guy who carries heavy equipment all day. He’s quiet and warm in person, but his friends describe him as a tour de force in London’s activist community, his quick smile and soft dark eyes masking years of suffering.

"In my opinion he’s one of the bravest people," says Sayed Ahmed, director of advocacy at the London NGO Bahrain Institute for Rights and Democracy (BIRD), and a longtime friend of Moosa.
"Most victims, they want to forget what has happened to them, but Moosa is the kind of person — after what he went through, he only wanted to challenge it, to fight against it. He’s so determined."

Of the three London activists targeted by FinFisher, Moosa is likely the one with the most to lose. His work revolves around the flow of information and media. His WhatsApp conversations update faster than most people’s Twitter feeds. Seated in front of an iMac in his agency’s King’s Cross office — a converted residence and occasional Islamic daycare that also houses BIRD — he eagerly clicks through the vast library of video footage he’s collected over the years, stored across six different hard drives: protests, official Bahraini visits, parliamentary events. If there’s a Bahrain-related happening in the UK, Moosa is there, camera in tow.

Moosa was furious when he first realized his privacy had been compromised — "I was looking for someone to punch" — but he’s not worried about the government meddling with his videos. He stores them on hard drives and immediately uploads footage to the web once he receives it. If anything, the FinFisher saga seems to have emboldened him. He’s now begun conducting his own form of surveillance, obsessively tracking the online itineraries of Bahraini authorities in the hopes of upstaging their events with high-profile demonstrations. He’s shouted at ambassadors, waved banners in front of dignitaries, and even staged a demonstration directly in front of a seated Queen Elizabeth II — all in an effort to send a message to his compatriots back home. "When you shout at them here, they feel small," Moosa says. "When they are in Bahrain, they are bigger. If anyone talks to them, they are behind bars. But here in the UK, they can’t arrest me."
There’s no indication that Bahraini authorities have used information gleaned from the activists’ computers against anyone in their network back home, but the possibility weighs heavily. "In private, with my family, I speak freely because… I don’t involve them with politics," Jaffar says. "But the other friends in Bahrain, we are afraid that they would be harmed or jailed. Because many people who [had] been in contact with us are in jail right now, and we fear for the safety of the others…. There are many in Bahrain right now who are hiding, because they are wanted by the government."

Their primary concern stems not from what effect FinFisher could have on their activism, but from the specter of having their personal lives invaded — the same fundamental privacy concern behind much of the NSA surveillance controversy in the US. There are already signs that the Bahraini government has sought to discredit the activists online. In 2011, a link to a pornographic website appeared in Saeed’s Twitter feed. He didn’t post it and immediately deleted it, but the incident underscores a familiar tactic used to smear opposition figures. Mohamed Altajer, a Bahraini human rights lawyer who was also targeted by FinFisher, was blackmailed in 2011 with a video of him and his wife having sex. He received the video on the same day that authorities infected his computer, along with a threat to make it public unless he stopped defending activists.