Wikileaks: Singapore firm with government ties bought cyber snooping software


On September 15, Wikileaks released copies of invoices and support tickets from Germany-based software company FinFisher. This revealed the names of most of their clients, and how much they’ve paid for their technology. If you’re wondering why they deserve this, you should know that this particular firm deals in weaponized surveillance malware that reportedly includes the following:

…computer intrusion systems, software exploits and remote monitoring systems that are capable of intercepting communications and data from OS X, Windows, and Linux computers as well as Android, iOS, BlackBerry, Symbian, and Windows Mobile devices.

It turns out that a Singapore-based company, PCS Security, appears in the list. According to Wikileaks, the company purchased 19 licenses for the malware products in 2012, of which 15 were subsequently “deleted”, although it’s unclear what Wikileaks meant by that. Altogether, this comes out to just over €3 million (about US$4 million) in spending.

One of the licenses purchased by the company is for the FinSpy software, which according to a brochure allows a user to remotely control and access any computer that it’s installed on. The FinFly USB device presumably installs the configured software onto the computer automatically once the device is inserted. A closer look at the FinSpy licenses purchased reveals that they allow for the eyeballing of 500 target computers.

Here’s the kicker: you won’t even know that you’ve been targeted, as the software uses anonymizing proxies to avoid public detection.

That might sound creepy, but compared to the FinIntrusion Kit, it’s merely child’s play. The brochure states that it allows the user to do three things: scan and intercept wireless networks, decode encryption, and extract credentials. In short, users can technically hop onto any public wireless network and grab all your account information.

And then there’s the FinUSB Suite, which consists of a notebook and ten encrypted USB dongles which are preprogrammed to search any computer for specific data.

PCS has a key customer: the Singapore government

In itself, it’s rather scary to imagine that any one company in Singapore has that kind of capability in their hands. What makes it worse is when government agencies are the primary customers of that particular company. Here’s what PCS Security has apparently been up to:

On a national scale, our Sentinel Passport Scanners are deployed at all border checkpoints in Singapore to allow effective and efficient clearance of international and local travellers round-the-clock. PCS also implemented the electronic registration of prepaid SIM cards in Singapore. The registration system provides follow-up traceability in security incidents involving the use of prepaid SIM cards.

PCS’ corporate profile further states that the company had been awarded a three-year bulk tender for the supply of IT security and audit services for Singapore’s government ministries/departments, statutory boards, organs of state, and participating universities.

It is unclear, however, whether these pieces of malware have actually been used, and if so, under what circumstances. Such “lawful interception” technologies have been around for a while, but this is the first time that any evidence of such products has surfaced in Singapore.

Singapore current affairs blog The Online Citizen noted that communications and information minister Yaacob Ibrahim brought up the need to “grow Singapore’s pool of information and communications security experts and build their capabilities” in August. Ibrahim added that Singapore needs to “devise ways to detect and deter ever-evolving attack methods, and also administer appropriate IT security governance for organisations.”

Tech in Asia has reached out to PCS Security for comments, and will update this article as soon as we get a response.
