How secret SARS unit spied on South Africans: report

A rogue spy unit within the South African Revenue Service used surveillance malware from Germany, Carte Blanche has reported

February 23, 2015

A “covert unit” within the South African Revenue Service used a surveillance software suite known as FinFisher to spy on the computer activities of its targets, Carte Blanche reported on 22 February 2015.

FinFisher can collect screenshots, keystroke logs, audio from Skype calls, passwords, and other data, according to reports by Citizen Lab and WikiLeaks.

News of Sars’ use of spyware comes after the Sunday Times reported towards the end of 2014 that a secret unit inside South Africa’s tax agency called the National Research Group (NRG) became a law unto itself.

Members of this group reportedly worked to infiltrate the ANC, looked into non-tax-related matters such as taxi violence, and were used to fight the business battles of friends and relatives of senior Sars officials.

NRG was also allegedly ordered to follow top Sars officials like Leonard Radebe, Nandi Madiba, and Mandisa Mokoena to find information on them and destroy their careers.

Following the Sunday Times report, Sars suspended deputy commissioner Ivan Pillay and strategic planning and risk group executive Peter Richer. Recent media reports also suggest that spokesperson Adrian Lackay has resigned.

FinFisher in South Africa

FinFisher global proliferation - Citizen Lab (April 2013)

The fact that FinFisher spyware was being used in South Africa was first alluded to in April 2013 when Citizen Lab released a report saying that command and control (C&C) servers for the software were detected on Telkom’s network.

Citizen Lab’s report made headlines around the world because it revealed that one version of FinFisher’s spyware programs masqueraded as Mozilla Firefox.

While FinFisher didn’t infect Firefox, it impersonated it to fool Windows and anti-virus programs into believing it was legitimate software.

Mozilla slapped the company behind FinFisher with a cease-and-desist, demanding that it stop using Mozilla’s trademarks and branding.

FinFisher on the Telkom network

When Telkom was asked about the IP addresses where Citizen Lab found the FinFisher C&C servers in South Africa, it said the addresses were part of the dynamic pool allocated to ADSL users.

“These IP addresses are randomly assigned when ADSL users initiate an Internet session,” a Telkom spokesperson said.

“The ADSL customers need not be direct customers either. They could be accessing the Internet via ADSL services acquired through other licensed operators that retail ADSL.”

The South African Police Service, State Security Agency, and Department of Communications weren’t able to confirm who was running the FinFisher servers.

South Africa and the WikiLeaks SpyFiles: the plot thickens

Screenshot from “ZAR” — a South African FinFisher client

Over the course of 2013 and 2014, WikiLeaks released additional information on the sale and use of FinFisher in South Africa.

Initially WikiLeaks only revealed that employees of the suppliers of FinFisher visited South Africa during 2012 and 2013.

Then, in September 2014, WikiLeaks released new documents asserting that the South African government spent over €2 million on FinFisher between 2009 and 2012.

Sars was asked to confirm that its recently exposed covert unit had procured FinFisher, and whether the figures released by WikiLeaks were accurate.

A spokesperson for the tax agency said Sars was not prepared to comment on media speculation.

“We have internal processes underway as regards the allegations of rogue behaviour by a small group of Sars staff, and will not jeopardise those processes by responding to each and every allegation as it is made to the media.”
