Cyberspying: The Ghost in Your Machine
- Heidi Swart
- South Africa
- 21 Feb 2017 12:26 (South Africa)
Whether it’s Donald Trump’s crackdown on immigrants or French police forcing a Muslim woman to remove her burqa, we live in a time when governments openly terrrorise citizens. Underpinning the violence: the “security state” – a cosy enclave where we can be beaten, searched, and have our privacy violated by government forces so that they can “keep us safe”. Technologically, the security state relies on two things – brute force and communications monitoring. Because, before they can beat, search, or violate you, they have to find you. In South Africa, both of these components are alive and well. The brute force was blatantly displayed by POP police and soldiers outside Parliament to beef up security for the State of the Nation Address. The surveillance tech, however, is an invisible weapon, primarily lurking in that place where we really live nowadays: cyberspace. And, while the soldiers had the eyes of the world on them, we as citizens have no way to effectively watch over government’s use of all-seeing cyberspying technologies. By HEIDI SWART.
I am paranoid by nature, so I try not to be. That’s why, when the cursor starts moving autonomously, ending my Skype session and randomly selecting dropdown menus, I ascribe it to a faulty mouse. It can’t be the broken trackpad. I lift the mouse, but the cursor keeps moving. Then I switch off the mouse and remove my hands from the keyboard. I watch as the cursor moves to application shortcuts and opens programmes in quick succession: PowerPoint, Excel, Outlook, iTunes. It hovers over the playlist and selects a song, which plays a few seconds, then a second, then a third. Then it hits the volume slider, pushing up the sound level until it borders on the offensive. But when the ghost in the machine opens Document Connection, a programme designed to remotely access and share files, and afterwards promptly accesses System Preferences, I know it’s time to end the party. I cannot get control of the cursor, so I just about lean on the off button. After about three long seconds, the machine shuts down.
But there is still a ghost in there. God knows what it has accessed. Everything was open to whoever had become the new user – the new me: Gmail, Facebook, Skype. Were my passwords intact? Would my Facebook page be littered with offensive posts? Or several angry contacts to whom “I” had sent nasty messages? Would my bank account be cleaned out? Or would they use my computer to access illegal sites, and land me in jail? And then, there’s my bad poetry.
Sounds paranoid. The thing is, three years ago, I’d have blamed the kid next door, run an antivirus programme, and moved along. But after investigating telecommunications monitoring by our government for two years, numerous warnings issued by my sources invade my sanity:
“They are definitely monitoring you.”; “After I spoke to you, my phone started heating up – they’re listening.” And other stories, like erased identities and frozen bank cards.
Then there’s the State Security Agency’s letter threatening to put Daily Maverick editor Branko Brkic and me in prison for “up to 10 years” under a draconian 1982 apartheid law.
And, coincidentally, I’m looking into a powerful piece of surveillance tech that fits the bill for what I just witnessed: FinSpy.
In recent years, there has been mounting evidence that our government uses FinSpy. It’s produced by the German-based company FinFisher GmbH (formerly a division of the international outfit, Gamma Group). According to FinFisher’s website, they sell exclusively to governments for law enforcement purposes. The software is considered military grade, and its export is controlled by the Wassenaar Arrangement, which regulates weapons exports from 41 countries, including South Africa and Germany. Under the arrangement, FinFisher is considered a dual-use item, meaning it can be used for military and civilian operations.
A 2011 FinSpy training manual reveals its dangerous capabilities. Its power lies in commonly known malware, the Trojan horse. As in the legend, the Trojan avoids detection by masquerading, for instance, as an Excel, Word or PDF document. It arrives in your mailbox and is designed so that your e-mail virus scanner is unlikely to detect it. Once you open the authentic-looking document, the malware is installed. It can also be installed when your PC looks for software updates: the malware can force your computer to do an automatic update without your permission. In addition, your web browser can be manipulated so that infection occurs when opening a web page.
FinSpy can outmanoeuvre 35 major antivirus software brands, according to tests run by Wikileaks in 2014. The malware can intercept e-mails, addresses of web pages you visit, messenger services, SMS texts, VoIP calls, and Skype (calls, text, and shared files). It can extract encrypted files and decrypt them, and retrieve deleted files from your hard drive. The software also includes key loggers, so everything you type can be recorded. Mouse clicks (where on the screen your mouse was as it clicked) can also be visually recorded. It can switch on your device’s camera or microphone, and record whatever sounds or images are within range, whether you are online or not. It can also track your use of social networks, discussion boards, blogs, and file-sharing. It runs on Windows, OSX, Linux, Android, Blackberry, iOS, and Symbian.
But even if my laptop were infected, I probably couldn’t prove who did it.
And that’s the big question here:
WHO are you?
Because anyone can buy cyber surveillance tech. For instance, a man comes home from work, and his wife is livid. The interrogation starts: Why wasn’t he at work? What was he doing at the bar? Is he having an affair?
Earlier, she bought and downloaded a surveillance application from an online store. She secretly installed it on her husband’s smartphone, flipped open her laptop, and monitored his location, numbers dialled, e-mails, and Whatsapp messages.
This is but one case of spousal espionage dealt with by a former crime intelligence official turned cybercrime investigator who spoke to me off the record. (He left crime intelligence when he was asked to install spyware on someone’s mobile device illegally.) He says there’s a good living to be made in his business, and while you may have to pay him thousands to clean your phone, the monitoring app cost the wife only R350.
Imagine what $350,000 can buy. “I know for a fact,” a source with links to foreign intelligence agencies told me, “that South Africa has an ongoing licence for FinFisher. And that it paid, in 2014, $350,000 for the licence.” At the time, that was just over R3.5-million. The source adds: “I can tell you who has the licence: It’s the NCC. The core licencee is the NIA.”
And, he says, South Afirica has quite the international reputation: “South Africa is known for using cybercrime, if you wish, cybercriminal tools, to spy on people. South Africa is very strong on using malware to spy on people.” He added that journalists, politicians and activists were prime targets.
The NIA, or National Intelligence Agency, is known today as the Domestic Branch of the State Security Agency, but the old name has stuck in intelligence circles. The NCC, or National Communications Centre, is the communications interception hub of the State Security Agency. Its legal regulation is questionable. In 2008, the Matthews Commission (set up by then minister of intelligence Ronnie Kasrils to investigate irregularities) found that the NCC was effectively intercepting communications illegally. Kasrils stepped down before recommendations could be implemented.
According to a 2014 FinFisher price list published by Wikileaks, a FinSpy licence renewal costs anything between €249,315 (R3,456,700) and €331,840, with the amount increasing each year that the licence is renewed. So, if my source’s information is on the money, then the SSA was, at the very least, in its third year of using FinSpy in 2014.
I needed to corroborate my source’s statements, so I fished around locally. It proved incredibly difficult. But I found some affirmation in an unlikely place: a source in the private security industry with close ties to intelligence. He’s also quite sympathetic towards our intelligence agencies. The guy is so straight up (a refreshing trait on this terrain) that when you ask him a yes/no question which he is loath to answer, he pauses, takes a stunted breath that sticks in his throat, and nods or shakes his head reluctantly. So when I asked him if the government was using FinFisher products, I got that slow, silent nod. Unfortunately, he couldn’t, or wouldn’t, tell me anything else. However, a third source in a senior position in a state intelligence agency confirmed that the State Security Agency was using FinFisher products.
Apart from source accounts, there is strong evidence of FinSpy’s presence in South Africa. In 2015, the Canadian technology research organisation and human rights watchdog, the Citizen Lab, found irrefutable proof that at least one FinSpy Master server – the hardware where all the intercepted data is stored – was physically located in South Africa. It was linked to two Telkom IP addresses.
In 2013, it was widely reported that the Citizen Lab found FinSpy servers linked to two of Telkom’s IP addresses. But the 2015 discovery is far more alarming. To understand why, one has to look at FinSpy’s surveillance architecture.
Agents in the field (be it in a coffee shop or a car outside your house) connect their FinSpy notebooks, which very much resemble ordinary laptops, to the FinFisher Master server. The Master server is located on the government agency’s physical premises, and is in turn connected to another server, the FinSpy Relay. The Relay is at a different physical location – often another country. It connects to the PC or mobile device targeted for infection. That target can be anywhere on the planet. The agent sends the Trojan to the target’s computer or mobile device and the target’s device is infected when, for example, opening a web page. Now, the agent accesses the target’s computer and extracts data, which then travels via the Relay to the Master server where it’s stored. Should the target attempt to trace the virus’ origin, they may find the Relay, but the geographic and online locations of the FinSpy Master server stays hidden.
In 2013, the Citizen lab couldn’t confirm if the servers were FinSpy Relays or Masters, meaning they may have belonged to another government. But the 2015 Master server discovery places FinSpy squarely within the country’s borders.
However, there’s a catch: Citizen Lab’s Bill Marczak said they couldn’t pinpoint who was using FinSpy.
“When we find an IP address and we try to get information about it, the only publically accessible information, usually, is which internet service provider (ISP) that IP address belongs to. In some cases we get lucky, and there’s some additional information. That could occur where the government runs their own ISP, or they might have certain IP ranges which are assigned to them publically. But in this case we have no such luck. We can just see it’s some user on the Telkom network. We don’t know which customer; only Telkom has that last piece of information.” I asked Telkom about this, but got no response.
The Citizen Lab findings are not the only indicators of FinSpy’s presence in South Africa.
In 2014, according to Wikileaks, South Africa had purchased 23 FinFisher product licences from 2009 to 2012. These licences were for FinSpy, FinFly USB, FinFly Lan, and the FinIntrusion Kit. The total bill for that period came to just over €2-million, according to Wikileaks. Significantly, their information shows that South Africa used a version of FinSpy that could target at least 100 computers or mobile phones simultaneously.
The other equipment licenced to SA, as listed by Wikileaks, is used for interception of communications and data in the field.
With the FinIntrusion Kit, a law enforcement agent can sit outside your home and temporarily disable your wi-fi connection. The agent’s laptop appears in your network preference menu to be your usual service provider network. You then “reconnect”, unwittingly, to the agent’s laptop.
FinFly LAN (Local Area Network) works similarly. (A LAN is a smaller network of computers – wired or wireless – within a limited area, such as a collection of company computers in an office building, or all the computers and mobile devices connected to a coffee shop’s wi-fi network.) The agent uses a laptop with FinFly LAN to log onto the same LAN as you, and then infects your computer.
FinFly USB does exactly what FinFly LAN does, except that a USB stick is inserted into the target’s computer, and FinFly monitoring software is then inconspicuously installed.
Apart from these Wikileaks publications, the WikiLeaks Counter Intelligence Unit mapped the international movements of surveillance tech company representatives via their cellphones. One such representative was Holger Rumscheidt of Elaman GmbH, a distributor for FinFisher based in Germany.
Wikileaks tracked Rumscheidt from October 2011 to July 2013. Their records show that he visited South Africa for a week in January 2012, and another week in February 2013. Rumscheidt visited 18 countries in that period. In 12 of these, the Citizen Lab had detected FinSpy servers either during 2013 or 2015, or on both occasions. They included countries that are not signatories to the Wassenaar Arrangement – Lebanon (2015), the United Arab Emirates (2013), Oman (2015), Turkmenistan (2013 and 2015), Jordan (2015) and Ethiopia (2013 and 2015). The other six countries are part of the arrangement, and include the Czech Republic (2013 and 2015), Austria (2013), Turkey (2013 and 2015), the UK (2013), the United States (2013) and Italy (2015).
Apart from the tracking, a company brochure published by Wikileaks showed that Elaman had an office in South Africa in 2011. I asked Elaman if they still had this office and were doing business with South Africa, but received no response.
So, what happens when you think FinSpy has infected your laptop? It’s complicated, says Marczak. “The tough thing is that the spyware is designed to get around antivirus products. It’s designed to not be detected. So it would be hard for the average user themselves to try to check whether their phone or computer was infected. At Citizen Lab, we can detect those in most cases. But the process of doing that is time-intensive and labour-intensive.”
Marczak says the Citizen Lab has detected the malware before: “We had a couple of cases like that from Ethiopia. Actually from Ethiopians living outside of the country who thought that their computers were infected, and in some cases we did verify that Ethiopian dissidents abroad were being targeted with FinFisher by what seemed to be the Ethiopian government. This was back in 2013.”
All good and well, but if the government is using the software to fight crime, why complain? It so happens there’s a snag. Enter the Regulation of Interception of Communications and Provision of Communication-Related Information Act (Rica). This is the legislation that intelligences forces must abide by if they are going to intercept your online communications with FinFisher or any other interception device. In terms of Rica, your service provider will only allow law enforcement to intercept your communications should they receive a court order. The service provider then gives law enforcement access to the communications by diverting your smartphone or PC’s online communications to the law enforcement interception centres. Ultimately, the service provider is the gatekeeper. Not so with FinSpy, since your computer or phone can be infected from anywhere, as long as you’re online. Law enforcement won’t need your service provider’s assistance.
This means that no matter how many laws are put in place, we are largely dependent on the internal regulation and integrity of the State Security Agency for ethical use of the software. An agency that has SABC staffers looking over their shoulders, spooks Members of Parliament, and whose boss has his nails done at the parlour of a self-confessed Chinese rhino horn salesman, the likes of whom, technically, he is tasked with bringing to book. And he wasn’t even undercover.
I asked the Department of Justice how they would ensure citizen privacy in the light of such sophisticated technology. Spokesperson Mthunzi Mhaga said that “the current provisions of the RICA sufficiently regulate the use of FinSpy or similar software which may be used to intercept communications”. Spokesperson for the State Security Agency, Brian Dube, also said that the SSA and other intelligence agencies work in terms of the provisions of Rica. He said SSA policy forbade public discussion of “operational details of capabilities”, and therefore did not answer questions relating to the agency’s use of FinSpy. He did not answer my question as to whether the SSA hacked into my computer.
In the meantime, Marczak and I will be fishing around my Mac to see if the hackers were stupid enough to leave any tackle behind. For now, all I can do is update my antivirus software, hope for the best, and make sure I get dressed before I flip open my laptop. DM
Photo by Benjamin Disinger via Flickr.