Telkom and South African government agencies have been mum on the alleged discovery of command and control servers for a so-called spyware “suite” called FinFisher, sold by Gamma International UK Ltd.
FinFisher is described by its distributors (Gamma International) as “Governmental IT Intrusion and Remote Monitoring Solutions”.
Marketing material for FinFisher was leaked onto the Internet as part of the WikiLeaks Spy Files release towards the end of 2011.
The revelation that the Telkom network is playing host to at least two FinFisher command and control servers was recently published in a report by Citizen Lab and Canada Centre for Global Security Studies, Munk School of Global Affairs, University of Toronto.
According to the report, South Africa is one of many countries that host command and control servers for the spyware. Among the other countries identified were the United States, the United Kingdom, Australia, Canada, and the Netherlands.
Infection and Mozilla’s cease-and-desist
As with other spyware, the FinFisher suite needs a program running on the target computer; this component is called FinSpy, and it disguises itself as Mozilla's Firefox browser.
It's important to note that the Citizen Lab report doesn't say anything about FinSpy infecting Firefox, or hiding in a Firefox download. All it does is look like Firefox to the operating system, in order to fool anti-virus measures (and users) into believing that it is a legitimate piece of software.
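The defensive counterpart to this kind of impersonation is a consistency check: a file that claims to be a trusted product should also carry that vendor's code signature, live where the product installs, and match a known release. The following is an added example written for this article, not code from the article, Mozilla or the Citizen Lab report; the record layout, the allow-list of trusted products and the sample inventory are all constructed, and the hashes are placeholders rather than real Firefox build hashes.

```python
"""Consistency check for executables that claim to be a trusted product.

Added example for this article: generic detection logic written for illustration,
not code from the article, Mozilla or the Citizen Lab report. The record layout,
the allow-list and the sample inventory are all constructed.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ExeRecord:
    path: str          # location of the binary on disk
    product_name: str  # product name claimed in the file's version metadata
    publisher: str     # subject of the code-signing certificate; "" if unsigned
    sha256: str        # file hash as reported by the endpoint agent


# Constructed allow-list: what a genuine copy of each tracked product looks like.
# A real deployment would fill this from the vendor's published signer and release hashes.
TRUSTED_PRODUCTS: Dict[str, dict] = {
    "Firefox": {
        "publisher": "Mozilla Corporation",
        "path_prefixes": ("c:\\program files\\mozilla firefox\\",),
        "known_hashes": {"ab" * 32},  # placeholder hash, not a real Firefox build
    },
}


def check_record(rec: ExeRecord, trusted: Dict[str, dict] = TRUSTED_PRODUCTS) -> List[str]:
    """Return the reasons a record is suspicious; an empty list means it is consistent."""
    profile = trusted.get(rec.product_name)
    if profile is None:
        return []  # claims no product we track, so nothing to compare against
    reasons: List[str] = []
    if rec.publisher != profile["publisher"]:
        reasons.append(f"publisher mismatch: {rec.publisher or 'unsigned'}")
    if not rec.path.lower().startswith(profile["path_prefixes"]):
        reasons.append(f"unexpected install path: {rec.path}")
    if rec.sha256 not in profile["known_hashes"]:
        reasons.append("hash not in known-good set")
    return reasons


def flag_impersonators(records, trusted=TRUSTED_PRODUCTS) -> Dict[str, List[str]]:
    """Map each suspicious path to its reasons; records that pass all checks are omitted."""
    flagged: Dict[str, List[str]] = {}
    for rec in records:
        reasons = check_record(rec, trusted)
        if reasons:
            flagged[rec.path] = reasons
    return flagged


# Constructed sample inventory: one genuine copy, one impostor, one unrelated program.
SAMPLE_INVENTORY = [
    ExeRecord(r"C:\Program Files\Mozilla Firefox\firefox.exe", "Firefox",
              "Mozilla Corporation", "ab" * 32),
    ExeRecord(r"C:\Users\alice\AppData\Local\Temp\firefox.exe", "Firefox", "", "cd" * 32),
    ExeRecord(r"C:\Program Files\Example\notepad.exe", "ExampleEditor", "Example Ltd", "ef" * 32),
]

if __name__ == "__main__":
    for path, reasons in flag_impersonators(SAMPLE_INVENTORY).items():
        print(path)
        for reason in reasons:
            print("  -", reason)
```

Of the three checks, the signature comparison is the strongest signal: a vendor's release hashes change with every update and an allow-list lags behind, whereas a file claiming a product while carrying no signature, or a signature from a different publisher, is the exact mismatch the article describes.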
This impersonation didn’t sit too well with Mozilla, though, as the organisation posted on its blog that it has sent a cease-and-desist letter to Gamma International.
“As an open source project trusted by hundreds of millions of people around the world, defending Mozilla’s trademarks from this type of abuse is vital to our brand, our users and the continued success of our mission,” Mozilla said.
They also went on to emphasise that FinSpy does not affect Firefox itself, even when the spyware is running.
“Gamma’s software is entirely separate, and only uses our brand and trademarks to lie and mislead as one of its methods for avoiding detection and deletion.”
FinFisher command & control servers in South Africa
In addition to describing how they’ve seen FinSpy infect the computers of political dissidents in Bahrain and Malaysia, Citizen Lab also revealed where they detected FinSpy command & control servers.
These are the servers to which FinSpy connects in order to send the “screenshots, keylogger data, audio from Skype calls, passwords and more” it has collected from infected PCs.
The Citizen Lab report indicates that they found two such command & control servers in South Africa with IP addresses that start with 41.241 and appear to be hosted on Telkom SA’s network.
The Citizen Lab report goes on to explain that, while the spyware can be used by law enforcement, security and intelligence services, as well as for more nefarious purposes, the presence of a server does not by itself mean that it is being used in any of these ways.
“The presence of a FinFisher Command & Control server in a given country does not necessarily imply that country’s government is operating the server,” the report states.
Silence from Telkom and government
When asked directly for information on the FinFisher services, neither Telkom nor government agencies provided comment.
A spokesperson for the South African Police Service directed us to the State Security Agency (SSA), who in turn tried to pass us on to the Department of Communications (DoC).
Further questions to the spokesperson for the State Security Agency yielded an explanation that the agency would not, in fact, task the DoC with acquiring “information gathering” software for the SSA to then use as an external resource.
The SSA would do such an acquisition themselves, but the spokesperson said that they would only be able to provide feedback to our queries on Monday, 6 May 2013.