A “covert unit” within the South African Revenue Service used a surveillance software suite known as FinFisher to spy on the computer activities of its targets, Carte Blanche reported on 22 February 2015.
FinFisher can collect screenshots, logs of keystrokes, audio from Skype calls, passwords, and other data according to reports by Citizen Lab, and WikiLeaks.
News of Sars’ use of spyware comes after the Sunday Times reported towards the end of 2014 that a secret unit inside South Africa’s tax agency called the National Research Group (NRG) became a law unto itself.
Members of this group reportedly worked to infiltrate the ANC, looked into non-tax related matters such as taxi violence, and were used to fight the business battles of friends and relatives of senior Sars officials.
NRG was also allegedly ordered to follow top Sars officials like Leonard Radebe, Nandi Madiba, and Mandisa Mokoena to find information on them and destroy their careers.
Following the Sunday Times report, Sars suspended deputy commissioner Ivan Pillay and strategic planning and risk group executive Peter Richer. Recent media reports also suggest that spokesperson Adrian Lackay has resigned.
FinFisher in South Africa
The fact that FinFisher spyware was being used in South Africa was first alluded to in April 2013 when Citizen Lab released a report saying that command and control (C&C) servers for the software were detected on Telkom’s network.
Citizen Lab’s report made headlines around the world because it revealed that one version of FinFisher’s spyware programs masqueraded as Mozilla Firefox.
While FinFisher didn’t infect Firefox, it impersonated it to fool Windows and anti-virus programs into believing it was legitimate software.
Mozilla slapped the company behind FinFisher with a cease-and-desist, demanding that it stop using Mozilla’s trademarks and branding.
FinFisher on the Telkom network
When Telkom was asked about the IP addresses where Citizen Lab found the FinFisher C&C servers in South Africa, it said the addresses were part of the dynamic pool allocated to ADSL users.
“These IP addresses are randomly assigned when ADSL users initiate an Internet session,” a Telkom spokesperson said.
“The ADSL customers need not be direct customers either. They could be accessing the Internet via ADSL services acquired through other licensed operators that retail ADSL.”
The South African Police Service, State Security Agency, and Department of Communications weren’t able to confirm who was running the FinFisher servers.
South Africa and the WikiLeaks SpyFiles: the plot thickens
Over the course of 2013 and 2014, WikiLeaks released additional information on the sale and use of FinFisher in South Africa.
Initially WikiLeaks only revealed that employees of the suppliers of FinFisher visited South Africa during 2012 and 2013.
Then, in September 2014, WikiLeaks released new documents asserting that the South African government spent over €2 million on FinFisher between 2009 and 2012.
Sars was asked to confirm that its recently exposed covert unit had procured FinFisher, and whether the figures released by WikiLeaks were accurate.
A spokesperson for the tax agency said Sars was not prepared to comment on media speculation.
“We have internal processes underway as regards the allegations of rogue behaviour by a small group of Sars staff, and will not jeopardise those processes by responding to each and every allegation as it is made to the media.”