Public Prosecutor’s Office Munich I
Linprunstr. 25
D-80097 Munich

Gesellschaft für Freiheitsrechte e.V., Hessische Str. 10, D-10115 Berlin, represented by Chair Dr. Ulf Buermeyer, ulf.buermeyer@freiheitsrechte.org

Reporters Without Borders Germany, Potsdamer Str. 144, D-10783 Berlin, represented by Executive Director Christian Mihr, christian.mihr@reporter-ohne-grenzen.de

the European Center for Constitutional and Human Rights e.V., Zossener Str. 55 – 58, D-10961 Berlin, represented by Dr. Miriam Saage-Maaß, Vice Legal Director, [email protected]

Netzpolitik.org, Schönhauser Allee 6/7, D-10119 Berlin, represented by Andre Meister, [email protected]

herewith file a

criminal complaint

for violation of section 18 para. 2 no. 1 and section 18 para. 5 no. 1 of the Foreign Trade and Payments Act



against

1. Mr Markus Meiler, CEO of Elaman GmbH, business address: Baierbrunnerstr. 15, D-81379 Munich,

2. Mr Holger Rumscheidt, CEO of Elaman GmbH, business address: Baierbrunnerstr. 15, D-81379 Munich,

3. Mr Carlos Gandini, CEO of FinFisher GmbH, business address: Baierbrunnerstr. 15, D-81379 Munich,

4. Mr Lucian Hanga, CEO of Finfisher Labs GmbH, business address: Baierbrunnerstr. 15, D-81379 Munich,

5. Mr Holger Tesche, CEO of FinFisher Labs GmbH, business address: Baierbrunnerstr. 15, D-81379 Munich,

6. additional staff members whose names are unknown of Elaman GmbH, Finfisher GmbH, and Finfisher Labs GmbH, business address Baierbrunnerstr. 15, D-81379 Munich.

The suspects indicate the following address as the postal address of the companies FinFisher GmbH and FinFisher Labs GmbH: Sapporobogen 6-8, c/o Kanzlei hph, D-80637 Munich.


Table of Contents

A. INTRODUCTION AND SUMMARY

B. ABOUT THE SUSPECTS

C. ABOUT ELAMAN GMBH, FINFISHER LABS GMBH, FINFISHER GMBH

D. ABOUT FINSPY

E. THE FACTS AND CIRCUMSTANCES
   I. FINSPY ON THE FAKE ADALET WEBSITE
   II. ATTRIBUTION TO FINFISHER
      1. FORENSIC ANALYSIS OF THE MALWARE
      2. FURTHER EVIDENCE
   III. TIME OF EXPORT OF THE SOFTWARE
   IV. LACK OF EXPORT LICENCE

F. LEGAL ASSESSMENT
   I. LICENSING REQUIREMENT FOR EXPORTING FINSPY
      1. LICENSING REQUIREMENT IN ACCORDANCE WITH SECTION 8 PARA. 1 NO. 2 AWV
      2. LICENSING REQUIREMENT IN ACCORDANCE WITH THE DUAL-USE REGULATION
   II. EXPORT WITHOUT THE REQUIRED LICENCE
   III. THE SUSPECTS’ CRIMINAL RESPONSIBILITY
   IV. ABOUT THE STATUTE OF LIMITATIONS

G. POTENTIAL INVESTIGATIVE MEASURES

H. ANNEXES


A. INTRODUCTION AND SUMMARY

Factual evidence exists for the fact that the suspects, who at the point in time relevant for the criminal complaint were CEOs or staff members of Elaman GmbH, FinFisher GmbH, or FinFisher Labs GmbH, have made themselves liable to prosecution because of deliberate violations against the obligation to obtain licences for dual-use software in accordance with section 18 para. 2 no. 1 and section 18 para. 5 no. 1 Foreign Trade and Payments Act (Außenwirtschaftsgesetz, AWG) by exporting the surveillance software FinSpy to Turkey during the period between October 2016 and July 2017 without having previously obtained the required licence from the [German] federal government.

In summary, the criminal complaint is based on the following facts and circumstances:

On 29 June 2017, an extract of a surveillance software application was found on a website directed to an exclusively Turkish-language audience whose source code essentially corresponds to the source code of the surveillance software application FinSpy. The website was designed so that users could easily consider it to be the website used by the Turkish opposition movement for organising – the so-called Adalet website.

In terms of its functionality, the fake Adalet website serves the sole purpose of convincing visitors to the site to install a surveillance software application disguised as an Android application that can be used for networking on their telecommunications devices. After being downloaded to a mobile device, this Android application, which is malware, enabled the attacker to access telephone and VoIP calls, data systems, screenshots and other photos, GPS data, microphones, and connection data as well as various applications, including WhatsApp, Line, Viber, Telegram, Skype, Facebook Messenger, Kakao, and WeChat.

As software analyses by independent experts confirmed, the partially readable source code of the malware found on the website is practically identical to the malware FinSpy manufactured by the companies FinFisher GmbH and FinFisher Labs GmbH (hereinafter simply: FinFisher). A Microsoft report from the year 2016 also mentions that FinSpy was found in Turkey.

FinSpy is manufactured by FinFisher and distributed together with Elaman GmbH. Apart from individual samples, which form the basis of this criminal complaint and represent only parts of the FinSpy code, no data leak of the FinSpy code has been reported. Since these parts are not sufficient for producing a complete malware application corresponding to FinSpy, it must be assumed that nobody except the companies named have access to the entire source code of FinSpy.

Because of its comprehensive surveillance functions, export of FinSpy must be licensed in advance by the federal government, section 8 para. 1 no. 2 Foreign Trade and Payments Ordinance (Außenwirtschaftsverordnung, AWV) in conjunction with Part I Chapter B, Code 5D902 a) in conjunction with 5A902 of the Export List as well as Art. 3 para. 1 of the Dual-Use Regulation (2018/1922) in conjunction with Annex I Code 4A005.

In response to parliamentary questions, most recently on 19 June 2019, the federal government confirmed that it has not issued any such licences since January 2015.

It must be assumed that the suspects, as CEOs of the companies manufacturing and distributing FinSpy, as well as additional staff members whose names are unknown, have at least been involved in or arranged for the unlicensed exports. In so doing, they have made themselves liable to prosecution under section 18 para. 2 no. 1 and section 18 para. 5 no. 1 AWG.

We encourage the initiation of investigative proceedings because of the suspects’ criminal conduct.


B. ABOUT THE SUSPECTS

Suspects 1 and 2 have been CEOs of Elaman GmbH since 23 October 2013; suspect 3 has been CEO of FinFisher GmbH since 12 August 2016; suspects 4 and 5 have been CEOs of FinFisher Labs GmbH since 12 February 2014,

Elaman GmbH - HRB [Commercial Register] 153662; FinFisher Labs GmbH - HRB 176385; FinFisher GmbH - HRB 205475, cf. also Annex 3.

C. ABOUT ELAMAN GMBH, FINFISHER LABS GMBH, FINFISHER GMBH

Elaman GmbH, FinFisher Labs GmbH, and FinFisher GmbH are headquartered at the same business address in Munich and are, as far as can be established, also closely interconnected functionally and in terms of personnel. According to their registered business purpose, they jointly produce and distribute security products and systems for government agencies and government-related organisations,

Elaman GmbH - HRB 153662; FinFisher Labs GmbH - HRB 176385; FinFisher GmbH - HRB 205475.

According to the excerpt from the Commercial Register, Elaman GmbH is responsible for national and international distribution and marketing. By entry into the Commercial Register on 26 September 2013, FinFisher Labs GmbH replaced Gamma International GmbH and is responsible for development, production, trade and distribution, research, as well as training in the area of software and telecommunications. The wording of the description of the activities of FinFisher GmbH, which replaced Gamma International Sales GmbH by entry into the Commercial Register on 13 October 2013, is almost identical and includes trade and distribution of software and telecommunications systems, research, and training,

FinFisher Labs GmbH - HRB 176385; FinFisher GmbH - HRB 205475; FinFisher Holding GmbH - HRB 205476.

Not only the activities of the various companies are related to one another, but their offices also coincide. Baierbrunnerstr. 15, D-81379 Munich is the official seat of Elaman GmbH; the offices of FinFisher GmbH and FinFisher Labs GmbH are in fact located there as well. The official address of FinFisher GmbH and FinFisher Labs GmbH at Sapporobogen 6-8, c/o Kanzlei hph, D-80637 Munich, is only a letter box at a solicitor’s office.

This network of companies has sold surveillance software to various authoritarian regimes in recent years. Business documents leaked by Wikileaks suggest that FinFisher/Elaman maintain active customer relationships with the governments of Angola, Egypt, Gabon, Jordan, Kazakhstan, Kenya, Lebanon, Morocco, Oman, Paraguay, Saudi Arabia, Taiwan, Turkey, and Venezuela,


https://wikileaks.org/spyfiles4/customers.html; https://citizenlab.ca/2015/10/mapping-finfishers-continuing-proliferation/#1; last accessed 2 July 2019.

The first reports about deliveries by FinFisher to authoritarian states referred to governments in the Middle East during the ‘Arab Spring’. FinFisher’s products were repeatedly used there to oppress and divide the political opposition in a targeted fashion. From 2010 to 2012, for example, the government of Bahrain used FinFisher to attack solicitor’s offices, journalists, activists, and political leaders of the opposition movement. At first, the then CEO of FinFisher’s predecessor Gamma International Sales GmbH, Martin Münch, denied exports to Bahrain,

https://web.archive.org/web/20120731005707/http:/www.bloomberg.com/news/2012-07-27/gamma-says-no-spyware-sold-to-bahrain-may-be-stolen-copy.html; last accessed 3 July 2019,

but archival and licensing documents of in-house customer support published by a non-governmental organisation in August 2014 evidenced that Gamma International Sales GmbH had maintained business relations with the government of Bahrain since 2010,

https://bahrainwatch.org/blog/2014/08/07/uk-spyware-used-to-hack-bahrain-lawyers-activists/; last accessed 2 July 2019.

The communications technology used by Ethiopian dissidents was also infected with FinSpy software in the past,

https://www.eff.org/cases/kidane-v-ethiopia; last accessed 3 July 2019.

D. ABOUT FINSPY

FinSpy is highly developed spyware which, according to the company’s own description on its website, is sold exclusively to governments for the purposes of strategic intelligence and criminal prosecution,

Corporate profile on finfisher.com; last accessed 2 July 2019.

The malware is manufactured and distributed by the FinFisher company group; Elaman GmbH is also involved in distribution. FinSpy is operated in connection with servers to which the data gathered are sent. Normally, these servers cannot be configured and operated without the involvement of the manufacturer. Once FinSpy malware has been installed on an affected person’s mobile end-user device, FinSpy enables the customer to covertly access telephone and VoIP calls, data infrastructures, screenshots and other photos, GPS data, microphones, connection data, as well as various applications, including WhatsApp, Line, Viber, Telegram, Skype, Facebook Messenger, Kakao, and WeChat,


Report ‘Alert: FinFisher changes tactics to hook critics’, 14 May 2018, Gustaf Björksten and Lucie Krahulcova for Access Now (hereinafter: ‘AN Report’), pp. 8 ff., https://www.accessnow.org/cms/assets/uploads/2018/05/FinFisher-changes-tactics-to-hook-critics-AN.pdf; https://citizenlab.ca/2012/08/the-smartphone-who-loved-me-finfisher-goes-mobile/, last accessed 4 July 2019.

FinSpy is particularly effective as it remains practically invisible to the untrained eye: after it is activated for the first time, FinSpy deletes the symbol from the smartphone’s main menu. The previously known versions of FinSpy were activated when the system was started without the user noticing,

AN Report, p. 8.

E. THE FACTS AND CIRCUMSTANCES

I. FINSPY ON THE FAKE ADALET WEBSITE

Turkey has become the country in the world with the most incarcerated journalists in relation to the population. At present, at least 34 journalists are political prisoners. Hundreds of newspapers and other media outlets have been closed down. Following the failed coup attempt of 15 July 2016, more than 50,000 people were arrested; more than 140,000 people were removed from their jobs,

https://www.tagesschau.de/ausland/putsch-tuerkei-143.html, https://www.reporter-ohne-grenzen.de/tuerkei/, last accessed 27 June 2019.

In June and July 2017, the members of the Turkish opposition who were not yet incarcerated or in exile took to the streets over a period of three weeks in a ‘March for Justice’ to protest against the authoritarian reaction of the government following the failed coup attempt of July 2016. Social media have globally, and also in Turkey, developed to become an important means of communication for activists, human rights defenders, and political dissidents because of their openness, their reach, and the opportunity for protected communication. Accordingly, intruding into social networks and electronic communications is attractive for authoritarian governments. The malware which is the subject of the present proceedings was offered for download under false pretences on a website whose contents addressed the participants of the ‘March for Justice’ (the so-called Adalet March). This website was a fake campaign website of the Adalet March. Messages from multiple fake Twitter accounts that mostly communicated with the Twitter profiles of the opposition Republican People’s Party (Cumhuriyet Halk Partisi, CHP) made the target group of the attack aware of the fake Adalet website.


The fake Adalet website with the domain adaleticinyuru.com was registered on 29 June 2017. The next day, the malware which is the subject of this criminal complaint (hereinafter: A-Malware), was uploaded to this website. The fake Adalet website had the IP address 178.32.124.175. This IP address was operated by a shared hosting service which sells storage space to customers. Since exclusively Turkish websites were accessible through this IP address, it is logical that the shared hosting service makes services available to customers in Turkey. For this reason, it is logical that the website was not launched from another country, but from within Turkey itself,

AN Report, p. 5.

Screenshot of the Twitter profiles recommending the fake Adalet website.

The fake Adalet website did not provide an actual service to website visitors, but only advertised installing an Android application on their mobile devices. As is also common in the case of legitimate applications, this Android application was offered for download via what was apparently a centrally placed Google Play link. The Tweets and the website themselves implied that the software with the file name ‘KatilBizeV1.0.apk’ (translated from the Turkish: ‘Join us!’) made a cloud and calendar service available for networking purposes among the Turkish opposition.

Following installation, the application which is the subject of the present proceedings appeared on the users’ home screens and was shown as a ‘cloud service’, paired with an Android symbol inspiring trust. However, instead of offering the Turkish opposition cloud services for organisation, the application was a disguised malware agent. According to documented experiences with FinSpy operations in other countries, this corresponds to the typical behaviour and the standard configuration of FinSpy.


Once the user attempted to open the application, or when the device was restarted for the first time after the download, the alleged Android Cloud symbol removed itself from the home screen. The malware became invisible to the user,

AN Report, p. 5.

Left: Screenshot of the fake Adalet website. The FinSpy malware was downloaded via the Google Play Link located in the middle of the image, which looks deceptively real. Right: This is how the FinSpy malware was displayed in the affected people’s smartphone menus. The malware was displayed as a ‘cloud service’.

The fake Adalet website was taken offline a short time after the publication of the AN Report. The website is archived online and can be accessed in its complete version of that time; the malware file which is the subject of this criminal complaint can be downloaded there to this day,

archive.org using the search term ‘adaleticinyuru.com’; last accessed 29 June 2019.

Once the malware was installed on the mobile end-user device, it could take up its surveillance functions.

They include access to address book information, calendar and telephone call logs, file systems, screenshots and other photos, geolocalisation, covert eavesdropping of the spoken word through activation of the device’s internal microphone, so-called ‘spy calls’ (concealed calls to enable microphone surveillance), collection of communication and media files as well as data from messengers such as Line, WhatsApp, Viber, Telegram, Skype, Facebook Messenger, Kakao, and WeChat,

AN Report, p. 13.


II. ATTRIBUTION TO FINFISHER

1. FORENSIC ANALYSIS OF THE MALWARE

On the basis of extensive forensic analyses of the A-Malware and comparisons with older known versions of FinSpy, computer scientists of the non-governmental organisation ‘Access Now’ have established that, with a probability bordering on certainty, this must be FinSpy because of striking similarities of the source code and the metadata. The available source code samples were compared. FinSpy’s complete source code cannot be taken from the software; to this day, it is known only to its manufacturer. The FinSpy source code sample that was used for comparison originated from a data leak in the year 2014,

cf. https://www.pnfsoftware.com/blog/finfisher-finspy-mobile-app-for-android-decompiled/; https://netzpolitik.org/2014/gamma-finfisher-hacked-40-gb-of-internal-documents-and-source-code-of-government-malware-published/, last accessed 3 July 2019.

The following findings of the forensic malware analysis clearly indicate that the A-Malware available for download from the fake Adalet website is identical to FinSpy. An extensive technical analysis can be taken from the Technical Appendix,

cf. Technical Appendix, Annex 1.

• Identical source codes: The configuration options of the two pieces of malware – that is, those parts of the source code that determine exactly how the file operates, which pieces of information are concealed to the user of the end-user device affected, etc. – are extremely similar to one another. In parts, their source codes are even completely identical. Individual functions, for example the programme code for the surveillance of telephone calls, are identical word for word (see Technical Appendix, Part 1).

• Linguistic clues in the source code: Linguistic clues in the source code of the A-Malware are also remarkable. For example, German words such as ‘einstellung.html’ (‘preference.html’) are to be found multiple times in the source code, a phenomenon which is rather unusual in the internationalised programmers’ scene. What is even more unambiguous, are references to FinFisher by name. For example, unambiguous text fragments such as ‘FIN_GIFT’ are to be found in certain comments (see Technical Appendix, Part 2).

• Further development in accordance with strategic goals: Those differences that exist between the source codes of the A-Malware and older versions of FinSpy correspond to the strategy of improving secrecy and obfuscation pursued by FinFisher since the first leaks. The change serves specifically to remedy those problems that could have led to the leak at the time,


AN Report, p. 9, the findings of the computer scientists of ‘Access Now’ were technically verified by an independent expert team from ‘Cure53’, a German IT security company, cf. Annex V. More precise forensic analyses can be taken from the Technical Appendix in Annex 1 and, if required, can be reviewed by experts using the software samples in Annex 2.

2. FURTHER EVIDENCE

In addition, further evidence indicates that FinSpy was exported to Turkey:

• FinSpy found by Microsoft: In its Security Intelligence Report for January through June 2016 (Vol. 21), Microsoft reported that many Microsoft users were affected by malware through a systematic vulnerability in the operating system. Microsoft unequivocally identified the malware as FinSpy. 84% of the affected users came from Turkey (see Technical Appendix, Part 3),

Microsoft Security Intelligence Report, Volume 21, January through June 2016, pp. 22-29.

• Additional FinSpy malware in Turkey: Access Now also found additional FinSpy activity in Turkey besides the A-Malware. The 2018 Access Now Report on which this criminal complaint is based found another malware copy on VirusTotal, an online virus scanner tool operated by Google, which VirusTotal identified as FinSpy (hereinafter: B-Malware). This B-Malware is distinguished by clear similarities to the A-Malware (see Technical Appendix, Part 4).

• Additional FinSpy malware in Libya: Malware was also uploaded to VirusTotal from Libya; this malware was clearly identified as FinSpy by VirusTotal. This malware is also very similar to the A-Malware, the B-Malware, and FinSpy. Since non-commercial actors are generally not able to distribute absolutely uniform malware to the most varied places on Earth, this circumstance also indicates that a professional manufacturer is behind the malware found (see Technical Appendix, Part 5).

These indications paint a clear picture: in Turkey as well as other places outside the European Union, uniform malware appeared during a limited period of time whose source code most closely corresponds to the previous finds of FinSpy malware. This can only be an exported version of FinSpy. For it is not only highly unlikely that a non-commercial actor would have the resources and expertise to produce malware of a quality like that of FinSpy – the complete source code of FinSpy has never been passed on or stolen (‘leaked’) outside the manufacturing firm – and to then successfully distribute it worldwide. Such a course of action would also be pointless. It would be significantly more efficient for any criminal actor aiming to produce effective spyware to simply design it from the beginning instead of reproducing a highly complex industrial product step by step.


III. TIME OF EXPORT OF THE SOFTWARE

In the forensic analysis, various characteristics of the A-Malware provide evidence for the fact that it was created between September and October 2016, that is, after the introduction of the licensing requirements into the Dual-Use Regulation effective 1 January 2015 and the AWV effective 18 July 2015.

The first indication is in the file ‘build-data.properties’, which can be reviewed by simply extracting the original file. This file contains metadata for compiling the Android application, in particular a library it uses called ‘GMSCore’. It can be taken from there that the system component ‘GMSCore’ from the A-Malware cannot have been created before 23 September 2016.

Although it is possible to change key metadata of the basic components of the malware with enormous technical effort, this would not provide any operative advantage to the developer. Instead, it would cause considerable confusion for the further development of the software if these components could no longer be assigned to specific times.

In addition, in the file component ‘META-INF/MANIFEST.MF’, there is a reference to a piece of Android development software called ‘Gradle’, version 2.2.1, with which Android programmes can be created.

However, version 2.2.1 was published only in September 2016, so that the FinFisher Trojan cannot have been developed before then,

https://developer.android.com/studio/releases/gradle-plugin; last accessed 4 July 2019.


In addition, the digital signature of the A-Malware was created only on 10 October 2016, according to the information it contains:

Thus the A-Malware cannot have been exported for the first time before October 2016,

cf. Technical Appendix, Part 6.
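The lower-bound dating described in this section can be reproduced with a short script; it is an added example, not code from the complaint, the AN Report or the Technical Appendix. The `build.timestamp` key, the `Created-By: Android Gradle <version>` header form, the release-date table and the sample archive are assumptions constructed for illustration, and the signature date is passed in by the analyst rather than parsed from the signature block.

```python
import io
import re
import zipfile
from datetime import date, datetime, timezone

# Licensing dates as stated in the complaint.
DUAL_USE_EFFECTIVE = date(2015, 1, 1)
AWV_EFFECTIVE = date(2015, 7, 18)

# Assumption: release dates are entered by the analyst from vendor release
# notes. The complaint gives only "September 2016" for version 2.2.1, so the
# first day of that month is used as the most conservative bound.
TOOL_RELEASES = {("Android Gradle", "2.2.1"): date(2016, 9, 1)}


def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#' or '!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip().replace("\\:", ":")
    return props


def parse_manifest(text):
    """Headers of the main section of a JAR manifest, continuation lines unfolded."""
    unfolded = re.sub(r"\r?\n ", "", text)
    main_section = re.split(r"\r?\n\r?\n", unfolded, maxsplit=1)[0]
    headers = {}
    for line in main_section.splitlines():
        name, sep, value = line.partition(": ")
        if sep:
            headers[name] = value
    return headers


def earliest_creation(apk_bytes, signature_date=None):
    """Return (lower_bound, evidence): the earliest date the APK can have been
    assembled. Every value is self-declared by the file, so the bound holds
    only if the metadata was not rewritten after the build."""
    evidence = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        names = set(apk.namelist())
        if "build-data.properties" in names:
            raw = apk.read("build-data.properties").decode("utf-8", "replace")
            stamp = parse_properties(raw).get("build.timestamp", "")
            if stamp.isdigit():  # assumed key: build time in epoch seconds
                built = datetime.fromtimestamp(int(stamp), tz=timezone.utc)
                evidence.append(("build-data.properties", built.date()))
        if "META-INF/MANIFEST.MF" in names:
            raw = apk.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            created_by = parse_manifest(raw).get("Created-By", "")
            match = re.match(r"(.+?)\s+(\d+(?:\.\d+)+)$", created_by)
            if match and match.groups() in TOOL_RELEASES:
                released = TOOL_RELEASES[match.groups()]
                evidence.append(("MANIFEST.MF " + created_by, released))
    if signature_date is not None:
        evidence.append(("signature date (analyst-supplied)", signature_date))
    bound = max((day for _, day in evidence), default=None)
    return bound, evidence


def after_licensing(bound):
    """True if the bound falls on or after both licensing dates."""
    return bound is not None and bound >= max(DUAL_USE_EFFECTIVE, AWV_EFFECTIVE)


def constructed_sample():
    """Constructed stand-in archive; not the A-Malware and not its real metadata."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("build-data.properties",
                         "# constructed sample\nbuild.timestamp=1474632000\n")
        archive.writestr("META-INF/MANIFEST.MF",
                         "Manifest-Version: 1.0\r\n"
                         "Created-By: Android Gradle 2.2.1\r\n\r\n"
                         "Name: classes.dex\r\nSHA1-Digest: CONSTRUCTED\r\n")
    return buf.getvalue()


if __name__ == "__main__":
    bound, evidence = earliest_creation(constructed_sample(),
                                        signature_date=date(2016, 10, 10))
    for source, day in evidence:
        print(f"{day}  {source}")
    print("earliest possible creation:", bound,
          "| after licensing dates:", after_licensing(bound))
```

The latest of the individual bounds is the one that matters: each artefact only says "not before", so the result is their maximum.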

The B-Malware described under II.2. also indicates that FinSpy was delivered to the Turkish government well beyond October 2016. The VirusTotal analysis shows that the B-Malware was created on 18 July 2017 and uploaded to the VirusTotal website on 21 July 2017. This means that FinSpy versions were exported to Turkey at least until July 2017,

cf. Technical Appendix, Part 4.

IV. LACK OF EXPORT LICENCE

Neither FinFisher GmbH nor Elaman GmbH nor FinFisher Labs GmbH received a licence to export the software to Turkey or any other country outside Europe. The federal government responded to a parliamentary question as well as multiple written questions regarding the facts and circumstances described above that it had not issued, to any companies, any export licences for intrusion software such as FinSpy since introduction of the licensing requirement for the export of software in the year 2015. Concerning criminal investigations, the government referred to the public prosecutor’s offices responsible both in terms of the subject matter and in terms of location,

Bundestag document 19/3334, pp. 5 ff.; Bundestag document 19/2419, p. 34; confirmed in Bundestag document 19/2610, p. 38; confirmed in Bundestag document 19/3384, p. 56.

The federal government confirmed most recently on 19 June 2019 that although it had issued export licences in 13 cases for telecommunications surveillance technology and in 15 cases for surveillance centre equipment, it explicitly pointed out that it had never issued an export licence for ‘intrusion software’ (within the meaning of 4D004, List of Dual-Use Items, Dual-Use Regulation),

Response of Claudia Dörr-Voß, State Secretary in the Federal Ministry for Economic Affairs and Energy, of 19 June 2019 to the written questions from FDP parliamentarian Gyde Jensen, p. 1.

FinSpy is intrusion software in this sense.

F. LEGAL ASSESSMENT

Hence, the suspicion exists that the suspects made themselves liable to prosecution under section 18 para. 2 no. 1 and section 18 para. 5 no. 1 Foreign Trade and Payments Act (AWG) by exporting FinSpy to Turkey between October 2016 and June 2017 without the required licence.

At the time of export, exporting FinSpy required a licence (see I). The suspects exported FinSpy without having the required licence (see II). As far as can be established, this is an intentionally committed crime (see III), the crime is not time-barred (see IV).

I. LICENSING REQUIREMENT FOR EXPORTING FINSPY

At the time of export, exporting FinSpy required a licence. The licensing requirement results both from section 8 para. 1 no. 2 Foreign Trade and Payments Ordinance (AWV) in conjunction with Part I Chapter B, Code 5D902 a) in conjunction with 5A902 of the Export List (1.) and from Art. 3 para. 1 in conjunction with Annex I Code 4A005 of the Dual-Use Regulation (2.).

1. LICENSING REQUIREMENT IN ACCORDANCE WITH SECTION 8 PARA. 1 NO. 2 AWV

In accordance with section 8 para. 1 no. 2 AWV in conjunction with Part I Chapter B, Code 5D902 a) in conjunction with 5A902 of the Export List, the export of software that serves to establish surveillance systems for communication and information technology requires a licence. FinSpy is software that serves to establish surveillance systems for communication and information technology. FinSpy enables covert access to telephone and VoIP calls, data systems, screenshots and other photos, location data, the microphones and connection data of the mobile phones of the persons affected, as well as to various applications. In this way, many and diverse confidential telecommunications data of the persons affected can be intercepted by the infiltration software,

cf. Section E.I.


FinSpy is not included in the derogations formulated in the General Software Note (GSN) preceding the Export List as it is neither freely available nor generally accessible within the meaning of the legal definitions of the definitions of terms. Should the A-Malware be considered merely maintenance or an update of an earlier version of FinSpy, this too would be subject to the licensing requirement, since in accordance with Part I Chapter B, Code 5D902 of the Export List, the delivery of software for purposes of ‘use’ of surveillance facilities within the meaning of 5D902 also includes maintenance services. In the definition of terms of the Export List, ‘use’ is defined as ‘operation, installation (including on-site installation), maintenance (checking), repair, overhaul and refurbishing.’

The licensing requirement has existed since 18 July 2015, and therefore also existed at the presumed time of export between October 2016 and June 2017,

4th Regulation amending the AWV of 13 July 2015, Federal Gazette AT 17 July 2015 V1.

There are no transitional provisions. Even potentially existing contractual obligations entered into before 18 July 2015 and potentially including future updates or maintenance would not preclude the licensing requirement. Section 1 para. 1 AWV differentiates between legal transactions requiring a licence and actions requiring a licence. In section 2 para. 3 AWG, export is legally defined exclusively as an actual action.

2. LICENSING REQUIREMENT IN ACCORDANCE WITH THE DUAL-USE REGULATION

The licensing requirement on the basis of the Dual-Use Regulation results from Art. 3 para. 1 in conjunction with Annex I Code 4A005. On the basis of the above-mentioned comprehensive surveillance functions, FinSpy is ‘intrusion software’ which, within the meaning of the legal definition, was ‘specially designed or modified to avoid detection by “monitoring tools”, or to defeat “protective countermeasures”, of a computer or network-capable device and performing ... [t]he extraction of data or information, from a computer or network-capable device, or the modification of system or user data’.

The licensing requirement for intrusion software in the Dual-Use Regulation already existed at the presumed time of export between October 2016 and June 2017, for it was introduced into the Dual-Use Regulation through the Commission Delegated Regulation (EU) No. 1382/2014 effective 1 January 2015. There are no transitional provisions,

https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32014R1382; last accessed 2 July 2019.


II. EXPORT WITHOUT THE REQUIRED LICENCE

The suspects exported FinSpy to Turkey presumably between October 2016 and June 2017. The export of software is legally defined in section 2 para. 3 no. 2 AWG as the transmission of software and technology from Germany to a third country including making it available by electronic means to natural and legal persons in third countries. In Art. 2 no. 2 iii, the Dual-Use Regulation defines export as the ‘transmission of software or technology by electronic media, including by fax, telephone, electronic mail or any other electronic means to a destination outside the European Community; it includes making available in an electronic form such software and technology to legal and natural persons and partnerships outside the Community. Export also applies to oral transmission of technology when the technology is described over the telephone’.

As described in Section E, numerous pieces of evidence are available for the use of FinSpy by a Turkish customer. The A-Malware, which was found on the fake Adalet website is, with a probability bordering on certainty, the FinSpy malware as it is produced and distributed by the suspects,

cf. Section E.II.

An analysis of the software shows that the A-Malware was created at the earliest in October 2016,

cf. Section E.III.

There are many indications that the development and distribution of FinSpy and other FinFisher products take place in Munich. In particular, FinSpy is no longer produced and distributed in England. In the OECD proceedings against Gamma International UK LTD before the UK National Contact Point for the OECD Guidelines for Multinational Enterprises (reference number BIS/15/93), in which the British Contact Point determined infractions by Gamma International UK LTD against the OECD Guidelines for Multinational Enterprises, the company representative of Gamma pointed out that exports of FinFisher products from Great Britain had been terminated in April 2012,

‘Gamma has declined to tell the UK NCP whether any supply was made (for customer confidentiality reasons), but has told the UK NCP that Gamma International UK Limited ceased any exports of Finfisher software in April 2012 and soon after that (around July 2012) ceased any exports of hardware components of the system (some components continued to be shipped to Germany later in 2012 but not as exports)’, UK National Contact Point for the OECD Guidelines for Multinational Enterprises: Privacy International & Gamma International UK Ltd: Final statement after examination of complaint, December 2014, https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/402462/BIS-15-93-Final_statement_after_examination_of_complaint_Privacy_International_and_Gamma_International_UK_Ltd.pdf, last accessed 27 June 2019.


FinFisher Labs GmbH, with headquarters in Munich, replaced Gamma International GmbH with its entry into the Commercial Register of 26 September 2013. FinFisher GmbH, with headquarters in Munich, replaced Gamma International Sales GmbH with its entry into the Commercial Register of 13 October 2013. Finfisher Limited, with headquarters in Winchester, Hampshire, United Kingdom, was closed on 24 February 2014,

cf. https://beta.companieshouse.gov.uk/company/07346435, last accessed 27 June 2019.

According to the information in the Commercial Register, Elaman GmbH, FinFisher GmbH, and FinFisher Labs GmbH are concerned with trade and distribution of software products connected to the current subject. None of the three companies had a licence for export after January 2015,

Bundestag document 19/3334, pp. 5 ff.; Bundestag document 19/2419, p. 34; confirmed in Bundestag document 19/2610, p. 38; confirmed in Bundestag document 19/3384, p. 56.

III. THE SUSPECTS’ CRIMINAL RESPONSIBILITY

The suspects made themselves liable to prosecution under section 18 para. 2 no. 1 and section 18 para. 5 no. 1 AWG by exporting FinSpy between October 2016 and June 2017 without the required licence. The facts and circumstances suggest that the suspects intentionally violated the export provisions (and did not merely commit an administrative offence in accordance with section 19 para. 1 AWG).

During the period in question, the suspects were CEOs of Elaman GmbH, FinFisher Labs GmbH, and FinFisher GmbH. Since the companies distribute only to a limited circle of customers, namely governments and government-related organisations, there is no doubt that they must be aware of all ongoing supply relationships with foreign governments – in this case, with Turkey. The companies are neither so large nor is the number of potential FinSpy customers so high that it would suggest itself to decide about and carry out exports without the knowledge of the CEOs. The fact that the federal government, according to the information it gave on 19 June 2019, has not issued an export licence for intrusion software requiring a licence since January 2015 additionally either suggests that the export of such software is not routine business, which would support all the more that the CEOs knew about it, or that numerous additional exports violating the export provisions have taken place in recent years, above and beyond the business deals with Turkey.


The suspicion is also directed against those responsible at the executive levels within the companies; they cannot be mentioned here by name due to a lack of knowledge about the companies’ structures.

IV. ABOUT THE STATUTE OF LIMITATIONS

Since it suggests itself that the suspects delivered FinSpy to Turkey until July 2017,

cf. Annex 1, Part 4,

criminal liability in accordance with section 18 para. 2 no. 1 and section 18 para. 5 no. 1 AWG does not become time-barred before July 2020, section 78 para. 3 no. 5 Criminal Code.

G. POTENTIAL INVESTIGATIVE MEASURES

We encourage further clarification of the facts and circumstances by means of the following investigative measures:

Interviews of the following expert witnesses:

• Gustaf Björksten, Chief Technologist, Access Now, [email protected]

Witness Björksten is a co-author of the Access Now study and will testify as to the validity of the technical analysis.

• Dr.-Ing. Mario Heiderich, Cure53, Bielefelder Str. 14, D-10709 Berlin

Witness Heiderich works for the IT company Cure53 and reviewed the validity of the statements of the Access Now study, cf. Annex 6.

• Matt Miller; Microsoft Security Response Center

Witness Miller is a co-author of the Microsoft Security Intelligence Reports, Volume 21. The witness will confirm the correctness of the statements made in this report concerning finding FinSpy in Turkey.

Searches and seizures:

Search of the premises of the aforementioned companies in Munich and seizure of documents and data carriers, securing


• copies of the FinSpy malware; it is anticipated that it will be possible to find copies that are identical to the A-Software which is the subject of the present proceedings,

• customer correspondence with the Turkish government or other relevant actors as well as internal correspondence that gives information about the actions and the knowledge of the suspects and additional employees of the companies,

• other documents indicative of the facts and circumstances described above, particularly of the income from unlicensed exports, which should be relevant concerning confiscation of assets generated through them.

Yours faithfully,

Ulf Buermeyer, Chair of Gesellschaft für Freiheitsrechte e.V.

Miriam Saage-Maaß, Vice Legal Director of the European Center for Constitutional and Human Rights

Christian Mihr, Executive Director, Reporter ohne Grenzen

Andre Meister, Netzpolitik.org


H. ANNEXES

1. Technical Appendix

2. USB stick with
– a sample of the A-Malware
– a sample of the B-Malware
– a sample of the FinSpy malware 2014
– a digital version of the criminal complaint and the annexes

3. Relevant excerpts from the Commercial Register

4. Hard copy of the Access Now report: FinFisher changes tactics to hook critics, May 2018

5. Hard copy of the Microsoft Security Report, pages 22-29

6. Hard copy of the review of the statements of the Access Now report conducted by the IT company Cure53, March 2018