Security | 12.09.2013

Spyware servers in SA: more details emerge

WikiLeaks Counter Intelligence Unit map Spy Files 3 South Africa

New information in the latest release of WikiLeaks’ “Spy Files” suggests that suppliers of the FinFisher surveillance software suite visited South Africa in 2012 and 2013.

This comes after a report from Citizen Lab, released earlier this year, named South Africa as one of the countries where it detected command and control (C&C) servers for FinFisher.

As part of its most recent “Spy Files 3” release, WikiLeaks has also published data from its own “WikiLeaks Counter Intelligence Unit (WLCIU)”.

According to WikiLeaks, WLCIU has been “tracking the trackers”, among them employees of Elaman and Gamma International who visited South Africa during 2012 and 2013.

Through earlier Spy Files releases, WikiLeaks has identified Gamma International and Elaman as distributors of the FinFisher spyware suite.

In the WLCIU data, WikiLeaks shows that Holger Rumscheidt from Elaman visited South Africa from 8 January 2012 to 15 January 2012, and again from 26 February 2013 to 28 February 2013.

Louthean John Alexander Nelson, an employee of Gamma, is shown as visiting South Africa between 22 February 2013 and 2 March 2013.

However, only Rumscheidt is listed as having visited South Africa on the WLCIU tracking map on the WikiLeaks website.

WikiLeaks noted that it removed data from the map “where it is believed the companies were present in a country due to Intelligent Support Systems (ISS) conferences and meetings, or for flight transit.”

Asked about Nelson’s visit to South Africa earlier this year, a spokesperson for Citizen Lab said that they have noticed a pattern in the travels of Gamma representatives.

“Although the WLCIU data does not tell us the purpose of his visit to South Africa (e.g., vacation, business, etc.), the visit does appear to be part of a pattern of Gamma reps travelling to countries where we have found servers,” Citizen Lab said.

According to Citizen Lab, these include Qatar, UAE, Brunei, Malaysia, Serbia, Ethiopia, Czech Republic, Latvia, Indonesia, Mexico, Nigeria, Turkmenistan, South Africa, and Ethiopia.

FinFisher global proliferation - Citizen Lab (April 2013)


FinFisher in South Africa

When Citizen Lab released its report towards the end of April 2013, it revealed that FinFisher C&C servers were being hosted on the Telkom network in South Africa.

Provided with the IP addresses of the servers by Citizen Lab (which both started with 41.241), a Telkom spokesperson told MyBroadband that the addresses fell within Telkom’s pool of dynamically allocated addresses.

“These IP addresses are randomly assigned when ADSL users initiate an Internet session,” Telkom said. “The ADSL customers need not be direct customers of Telkom either; they could be accessing the internet via ADSL services acquired through other licensed operators that retail ADSL.”

As FinFisher is typically sold to governments, we previously reached out to agencies that would be likely customers of the product.

The South African Police Service (SAPS) directed our queries to the State Security Agency (SSA), who in turn pointed us to the Department of Communications (DoC).

The spokesperson for the SSA said that it is the agency’s policy to neither confirm nor deny anything that might reveal information about its capabilities.

According to the SSA, questions pertaining to FinFisher are best addressed by the DoC, though the spokesperson for the agency explained that it would not procure such information gathering software through the DoC.

Asked about the discovery of FinFisher C&C servers in South Africa, the spokesperson for DoC told MyBroadband that it did not buy the spyware suite.
