Government spyware servers in South Africa: Telkom, Govt mum

Command and control servers for FinFisher spyware which masquerades as Firefox reportedly found in SA, but Telkom and law enforcement agencies are mum

Telkom and South African government agencies have been mum on the alleged discovery of command and control servers for a so-called spyware “suite” called FinFisher, sold by Gamma International UK Ltd.

FinFisher is described by its distributors (Gamma International) as “Governmental IT Intrusion and Remote Monitoring Solutions”.

Marketing material for FinFisher was leaked onto the Internet as part of the WikiLeaks Spy Files release towards the end of 2011.

The revelation that the Telkom network is playing host to at least two FinFisher command and control servers was recently published in a report by Citizen Lab and Canada Centre for Global Security Studies, Munk School of Global Affairs, University of Toronto.

According to the report, South Africa is one of many countries that host command and control servers for the spyware. Among the other countries identified were the United States, United Kingdom, Australia, Canada, and the Netherlands.

FinSpy Firefox versus legit Firefox file info

Infection and Mozilla’s cease-and-desist

As with other spyware, the FinFisher suite needs a program to run on the target computer.

In this case the spyware program is referred to as FinSpy, and it has drawn the ire of Mozilla for keeping itself hidden by masquerading as Firefox.

It’s important to note that the Citizen Lab report doesn’t say anything about FinSpy infecting Firefox, or hiding in a Firefox download. All it does is look like Firefox to the operating system to fool any anti-virus measures (and users) into believing that it is a legitimate piece of software.

This impersonation didn’t sit too well with Mozilla though, as the organisation posted on its blog that it has sent a cease-and-desist letter to Gamma International.

“As an open source project trusted by hundreds of millions of people around the world, defending Mozilla’s trademarks from this type of abuse is vital to our brand, our users and the continued success of our mission,” Mozilla said.

They also went on to emphasise that FinSpy does not affect Firefox itself, even when the spyware is running.

“Gamma’s software is entirely separate, and only uses our brand and trademarks to lie and mislead as one of its methods for avoiding detection and deletion.”

FinFisher global proliferation - Citizen Lab (May 2013)

FinFisher global proliferation – Citizen Lab (April 2013)

FinFisher Command & control servers in South Africa

In addition to describing how they’ve seen FinSpy infect the computers of political dissidents in Bahrain and Malaysia, Citizen Lab also revealed where they detected FinSpy command & control servers.

These are the type of servers to which FinSpy would connect to send the “screenshots, keylogger data, audio from Skype calls, passwords and more” it had collected from infected PCs.

The Citizen Lab report indicates that they found two such command & control servers in South Africa with IP addresses that start with 41.241 and appear to be hosted on Telkom SA’s network.

The Citizen Lab report goes on to explain that while the spyware can be used for law enforcement, security, and intelligence services as well as more nefarious purposes, it does not necessarily mean that it is being used in these ways.

“The presence of a FinFisher Command & Control server in a given country does not necessarily imply that country’s government is operating the server,” the report states.

Silence from Telkom and government

When asked directly for information on the FinFisher services, neither Telkom nor government agencies provided comment.

A spokesperson for the South African Police Service directed us to the State Security Agency (SSA), who in turn tried to pass us on to the Department of Communications (DoC).

Further questions to the spokesperson for the State Security Agency yielded an explanation that they would not, in fact, task the DoC with acquiring “information gathering” software to then use as an external resource.

The SSA would do such an acquisition themselves, but the spokesperson said that they would only be able to provide feedback to our queries on Monday, 6 May 2013.
