WikiLeaks released a new batch of information relating to its “SpyFiles” series on Monday, 15 September 2014, suggesting that the South African government spent over €2-million on FinFisher spyware between 2009 and 2012.
As part of the release, WikiLeaks also provided links to download copies of FinFisher software.
“They are weaponised malware, so handle carefully,” WikiLeaks warned.
“This software is designed to be covertly installed on a Windows computer and silently intercept files and communications, such as Skype calls, emails, video, and audio through the webcam and microphone,” WikiLeaks said.
Another part of the release was the FinFisher customer support database.
“Some customers were identified through the analysis of support requests and attached documents they provided to FinFisher support,” WikiLeaks said.
“This included Slovakia, Mongolia, Qatar State Security, South Africa, Bahrain, Pakistan, Estonia, Vietnam, Australia NSW Police, Belgium, Nigeria, Netherlands KLPD, PCS Security in Singapore, Bangladesh, Secret Services of Hungary, Italy, and Bosnia & Herzegovina Intelligence.”
Although statements from WikiLeaks imply that it was the South African government that bought FinFisher licenses, the evidence it provides doesn’t point specifically to the South African government.
The first e-mail from the database attributed to the South African customer, “ZAR”, is reproduced below:
To whom it may concern
We are currently investigating the possibility of adding the FinSpy Mobile package to our cyber solution.
Brydon was always our contact person and he was in contact with our general manager, but he was moved to another structure. Can you please ask him to prepare a proposal and forward it to [email protected]
ZAR also later logged a support request because they were unable to update their FinUSB suite to version 3.6 and provided the following screenshot:
WikiLeaks was contacted to clarify what it meant by saying “[Some customers identified] included… South Africa”, but the spokesperson for the organisation did not respond to requests for comment.
The South African Department of Defence and State Security Agency were also contacted for comment, but did not respond by the time of publication.
FinFisher in South Africa on the Telkom network
Regardless of who the client is, WikiLeaks’ confirmation that FinFisher has a South African client that spent significant amounts of money on the software is still noteworthy.
It corroborates a report by Citizen Lab from April 2013 which revealed that the Telkom network was playing host to FinFisher Command & Control (C&C) servers.
The FinFisher spyware would typically be configured to send all the data it gathers on an infected machine to a C&C server.
Telkom later explained that the IP addresses Citizen Lab identified as those of the FinFisher C&C servers were in the dynamic pool allocated to ADSL users, which would make it difficult to trace back to a specific user or organisation.
“These IP addresses are randomly assigned when ADSL users initiate an Internet session,” Telkom said at the time. “The ADSL customers need not be direct customers of Telkom either; they could be accessing the Internet via ADSL services acquired through other licensed operators that retail ADSL.”
South Africa and the SpyFiles: not our first rodeo
The FinFisher report is also not the first time South Africa has been mentioned as part of the WikiLeaks SpyFiles, nor is it the first time South Africa’s use of spyware has made the news.
In 2002, Mail & Guardian reported that the South African Police Service (SAPS) cyber crimes division and the National Defence Force intelligence division both bought copies of a tool called Data Interception by Remote Transmission (Dirt).
Fast-forward ten years, and we asked the SAPS whether it bought FinFisher, to which it responded by diverting all questions to the State Security Agency, which in turn passed us on to the Department of Communications.
Another government department linked to the SpyFiles is the Department of Trade and Industry (DTI).
VASTech and Netronome: SA companies in the SpyFiles
Towards the end of 2013, UK-based privacy rights group Privacy International wrote a letter to Minister of Trade and Industry Rob Davies regarding grants to the tune of R3.6-million provided to VASTech.
VASTech is one of the South African companies which WikiLeaks singled out in earlier SpyFiles releases because it said there was evidence that one of its systems, the VASTech Zebra, was used in Libya by Muammar Gaddafi’s regime to spy on citizens.
In 2011 when VASTech’s name first came up in the SpyFiles, the company told MyBroadband that the claims made by WikiLeaks were “clearly wrong” and “loaded”.
When the company’s name came up again in a subsequent release in 2013, VASTech chairman William Barnard provided the following statement:
Although I have nothing new to add to the information we gave in 2011, I can say that I am now even more convinced that our systems are put to good use by legal governments to do law enforcement and defend and protect their citizens against violence and aggression. I therefore briefly repeat our position:
- We compete internationally and openly against several suppliers of similar systems.
- We only supply legal governments which are not subjected to international sanctions. Should their status change in this regard, we hold the right to withdraw our supplies and support unilaterally.
- We do not disclose any information on our clients or on the nature and substance of our contracts. These are normal conditions when contracting with governments.
Netronome, which has offices in Centurion, South Africa, was also mentioned as part of the SpyFiles 3 release in 2013.
A 2011 brochure of the company’s SSL Inspector network appliance made it into the SpyFiles due to its ability to decrypt secure online traffic within a network.
Asked about its inclusion in the SpyFiles, Netronome simply said that its SSL Inspector Appliance business had been acquired by Blue Coat Systems, and directed our queries there.
Blue Coat Systems provided the following statement when asked about the SSL Inspector:
We acquired the SSL appliance technology from Netronome in April and subsequently released our SSL Visibility appliance based on the acquired technology.
The SSL Visibility appliance is a network security device that is deployed by enterprises to provide visibility into SSL traffic on the corporate network. It is used by our customers in conjunction with existing security products, including IPS, data loss, compliance, and forensics solutions to identify threats in the network.
Our SSL Visibility Appliance logs the same type of data that would be logged by a switch, router, or firewall. It does not log content or identifiable user information and is not a surveillance device.
With the increased adoption of cloud-based applications, enterprises are seeing rapid growth in the amount of SSL traffic on their network – for some customers, SSL comprises as much as 55 percent of total network traffic.
New regulatory requirements, such as the Health Insurance Portability and Accountability Act (HIPAA) and Sarbanes-Oxley (SOX), are contributing to the increase in encrypted Internet traffic by mandating or encouraging the transmission and storage of certain data in an encrypted format.
Such regulations also require enterprises to implement appropriate security controls, including intrusion detection and prevention systems, within their network infrastructure.
Enterprises use products like our SSL Visibility appliance to identify malware and other attacks lurking in SSL traffic that may infect end-user systems, or disrupt or extract data from their networks, and to comply with government mandates regarding the use of appropriate security controls in their networks.
On a side note, the white paper in question was a publicly-available document posted on the Netronome website.