The report, released Thursday, found 33 "likely government users" of FinFisher -- a well-known spyware program -- in 32 countries, including Ethiopia, Bangladesh and Egypt. The company did not respond to a request for comment on the report.
This type of spyware has the potential to take over a target's computer, capturing every keystroke and even gaining control of the computer's microphone and camera to turn the device into a sophisticated eavesdropping tool. Its spread puts surveillance tools once thought only to be within reach of advanced nations available to practically any country willing to pay, according to critics. Such hacking tools have allegedly been used to target people within the United States, including journalists and dissidents.
Researchers have been gaining more insight into how the companies that sell such tools operate. Last year, hackers broke into FinFisher's system and exposed confidential company information. Another cyberattack this year, allegedly by the same hackers, revealed a huge amount of information from FinFisher competitor Hacking Team, including e-mails and files that showed the technical details of how their systems work.
The information that emerged from these breaches helped researchers dig deeper into the companies' activities and confirmed earlier findings, said Bill Marczak, one of the authors of the Citizen Lab report.
"In many cases in security research you might not necessarily get proof, so it was really exciting to have that," he said. "We will be discovering new things in there for months and months, if not years."
The report found that technical errors in how servers used in such attacks were set up could be used to link the technology to likely government users.
In some cases, the servers used by government hackers to help infect victims' computers with malware and control their systems were hidden behind proxies, which are other servers that help hide the origin of the attackers. Citizen Lab researchers scanned the Internet and found 135 servers that matched a technical fingerprint of the spyware. But when they tried to identify the server by typing its Internet address into a Web browser, they were often instead sent to a decoy page. Those pages were "designed to disguise the fact that the server is a spyware server," the report said. In most cases, the servers used www.google.com or www.yahoo.com as decoys.
"What they were doing was just having the Finfisher server serving as a relay between the user and Google," Marczak said, essentially a type of redirect.
It became obvious that the sites were decoys because they did not reflect where the researchers were located, the report said. Instead, they appeared to show local search results from where the spyware was launched. The Yahoo decoy pages showed things like local weather results that could help the researchers pinpoint the general location of the true server.
With Google, the researchers could ask the decoy page directly "What is my IP address?" and it would return the address of the original server instead of the proxy. For instance, one apparent proxy server appeared to be located in the United States but returned an IP address from Indonesia when its Google decoy page was queried -- suggesting that the server may be connected to that nation's government, according to the report.