News of Sars\u2019 use of spyware comes after the Sunday Times reported towards the end of 2014 that a secret unit inside South Africa\u2019s tax agency called the National Research Group (NRG) became a law unto itself.<\/p>\n
Members of this group reportedly worked to infiltrate the ANC, looked into non-tax related matters such as taxi violence, and were used to fight the business battles of friends and relatives of senior Sars officials.<\/p>\n
NRG was also allegedly ordered to follow top Sars officials like Leonard Radebe, Nandi Madiba, and Mandisa Mokoena to find information on them and destroy their careers.<\/p>\n
Following the Sunday Times report, Sars suspended<\/a> deputy commissioner Ivan Pillay and strategic planning and risk group executive Peter Richer. Recent media reports also suggest that spokesperson Adrian Lackay has resigned.<\/p>\n FinFisher global proliferation – April 2013<\/p><\/div>\n The fact that FinFisher spyware was being used in South Africa was first alluded to in April 2013 when Citizen Lab released a report saying that command and control (C&C) servers for the software were\u00a0detected on Telkom\u2019s network<\/a>.<\/p>\n Citizen Lab\u2019s report made headlines around the world because it revealed that one version of FinFisher\u2019s spyware programs masqueraded as Mozilla Firefox.<\/p>\n While FinFisher didn\u2019t infect Firefox, it impersonated it to fool Windows and anti-virus programs into believing it was legitimate software.<\/p>\n Mozilla slapped the company behind FinFisher with a cease-and-desist, demanding that it stop using Mozilla\u2019s trademarks and branding.<\/p>\n When Telkom was asked about the IP addresses where Citizen Lab found the FinFisher C&C servers in South Africa, it said the addresses were part of the dynamic pool allocated to ADSL users.<\/p>\n \u201cThese IP addresses are randomly assigned when ADSL users initiate an Internet session,\u201d a Telkom spokesperson said.<\/p>\n \u201cThe ADSL customers need not be direct customers either. They could be accessing the Internet via ADSL services acquired through other licensed operators that retail ADSL.\u201d<\/p>\n The South African Police Service, State Security Agency, and Department of Communications weren\u2019t able to confirm who was\u00a0running the FinFisher servers.<\/p>\n Over the course of 2013 and 2014, WikiLeaks released additional information on the sale and use of FinFisher in South Africa.<\/p>\n Initially WikiLeaks only revealed that employees of the suppliers of FinFisher visited South Africa<\/a>during 2012 and 2013.<\/p>\n Then, in September 2014, WikiLeaks released new documents asserting that the South African government spent over \u20ac2 million on FinFisher between 2009 and 2012.<\/p>\n Sars was asked to confirm that its recently exposed covert unit had procured FinFisher, and whether the figures released by WikiLeaks were accurate.<\/p>\n A spokesperson for the tax agency said\u00a0Sars was not prepared to comment on media speculation.<\/p>\n \u201cWe have internal processes underway as regards the allegations of rogue behaviour by a small group of Sars staff, and will not jeopardise those processes by responding to each and every allegation as it is made to the media.\u201d<\/p>\n This article was republished with permission from MyBroadband<\/a>.<\/p>\n FinFisher spyware servers in South Africa<\/a><\/strong><\/p>\n 5.32 million tax returns submitted: SARS<\/a><\/strong><\/p>\nFinFisher in South Africa<\/h3>\n
![\"FinFisher](\"http:\/\/businesstech.co.za\/news\/wp-content\/uploads\/2015\/02\/FinFisher-global-proliferation-April-2013.jpg\")
<\/a>FinFisher on the Telkom network<\/h3>\n
South Africa and the WikiLeaks SpyFiles: the plot thickens<\/h3>\n
![\"ZAR](\"http:\/\/businesstech.co.za\/news\/wp-content\/uploads\/2015\/02\/ZAR-FinFisher-client.jpg\")
<\/a><\/p>\nMore on\u00a0Sars<\/h3>\n