SA spies’ scary shopping list revealed

12 July 2015 - 02:05 By MATTHEW SAVIDES and ANDRÉ JURGENS

A massive security breach by hackers has provided a rare glimpse into the world of clandestine government snooping — and revealed that South African authorities showed an interest in buying highly sophisticated spyware.

What is more frightening is the possibility that the spy equipment could be used illegally to obtain information on ordinary citizens.

This emerged in a massive dump of a million confidential e-mails and documents by WikiLeaks after they were taken by hackers last weekend from controversial Italian surveillance and security firm Hacking Team.

The documents reveal details of elaborate software used in murky espionage operations and show that members of the South African Police Service and the South African Revenue Service tried to acquire some of these programmes.

The software of interest to the law enforcers and the taxman would allow spying on a grand scale, granting them access to private details of their targets.

The software would allow the agencies to:

  •  Remotely grab files and e-mail messages off computers using Apple, Windows and Linux operating platforms;
  •  Monitor cellphone Skype calls and instant messages on platforms such as WhatsApp and Viber;
  •  Access Facebook, Twitter and social media accounts; and
  •  Take screen grabs off a cellphone, track its location and activate the phone’s microphone to turn it into a bugging device.

The leaked documents include e-mail correspondence between a Colonel B Grobler in police crime intelligence and Massimiliano Luppi, a key account manager at Hacking Team. Luppi inquired about a “commercial proposal” submitted by the company to sell Remote Control System to the police in 2011. The software, which has since been updated under the code name Galileo, is “designed to attack, infect and monitor target PCs and smartphones in a stealth way”.

It cannot be detected and works on Android, BlackBerry, Apple and Windows phones. It can track the location of the phone, grab files off the device, and turn the phone into a bugging device.

“Your quotation was submitted to Lieutenant-General [Richard] Mdluli. Before he could provide me with instructions, the following happened,” Grobler wrote back to the firm in 2011, adding a link to a news article about the former crime intelligence boss being embroiled in a love-triangle murder investigation.

The chain of correspondence does not indicate if the police purchased the software.

Cyber security expert Haroon Meer said the law did allow the sort of tools Hacking Team offered, but that it had to be carefully monitored and used only after following due process.

“It becomes a problem when these tools are used abusively, cracking down on journalists or activists instead. The big problem with Hacking Team was that they knowingly sold these tools to governments with a proven track record of trampling on their people’s rights.

“Tools like this, by analogy, are closest to wiretaps. The man in the street can’t wiretap people; police can, with the right piece of paper. SARS can when acting under judicial mandates. Hacking Team was selling ‘easy wiretaps’ to anyone, and this is the complaint,” he said.

National police spokesman Lieutenant-General Solomon Makgale was unable to answer detailed questions about the e-mails yesterday due to difficulties contacting the relevant parties.

Clinton Phipps, national president of the Security Association of South Africa, said he suspected the police already had access to the type of data that the company was offering to help extract.

And a lot of cellphone service providers also had access to data that police could tap into.

He said it was of the utmost importance that the police operated within the laws.

“Our privacy acts are quite strong. [For this technology to be used] the law would have to change, or it would have to be used in conjunction with a court order,” said Phipps.

Another e-mail, from Helgard Lombard — a former member of a rogue spy unit at SARS — on July 24 last year, asked for information about concealing “smartphone infections”.

Lombard wrote: “Will appreciate it if you could send me information regarding the smartphone infections.

The information must be as comprehensive as possible, e.g. is it necessary to ‘Root’ Android smartphones, can the infection be concealed in a MMS, etc. I would also want to know what the minimum quantity licenses would be that we have to acquire and what the annual maintenance fee [would] be for updates.”

The Sunday Times revealed in May that Lombard had submitted an affidavit to the Hawks admitting to spying on the National Prosecuting Authority. Affidavits by SARS employees said the former Directorate of Special Operations, better known as the Scorpions, paid Lombard sums of R900 000 and R250 000 to buy surveillance equipment.

SARS spokesman Luther Lebelo said yesterday the organisation was “not aware of such correspondence and is highly shocked by such allegations. SARS does not have records for such purchases. We, however, cannot speak on behalf of Mr Lombard.”

Other e-mails sent to Hacking Team include an inquiry from police Colonel AK Hoosen on July 24 last year asking: “Where is Gmail located and how do I subpoena them to provide information for evidence purpose?”

Company CEO David Vincenzetti alerted colleagues: “Please find a help request from a military guy in South Africa. Yes, such a request indicates that this guy is close to clueless. HOWEVER, we could exploit his request in order to establish a commercial contact.”

In turn, Luppi e-mailed Hoosen, saying it was “not possible to force Google to provide you with information related to one of their users”.

However, “what you can do, in order to bypass this bottleneck, is to infect the device of your suspect/target”, he said.

Hacking Team’s customers are intelligence agencies and governments around the world — including some with questionable human rights records — and they use its software to fight crime. But it has also been used to snoop on political activists.

Besides the leaked documents, hackers stole the source code used to build spy software sold by the company, previously only available to government agencies.

“Hacking Team’s investigation has determined that sufficient code was released to permit anyone to deploy the software against any target of their choice. Before the attack, Hacking Team could control who had access to the technology...

"Now, because of the work of criminals, that ability to control who uses the technology has been lost. Terrorists, extortionists and others can deploy this technology at will if they have the technical ability to do so,” said a spokesman.

Although the company has previously denied selling software to repressive regimes, the Guardian reports that the leaked documents appear to show that among its clients are several repressive states known to conduct “aggressive surveillance of citizens, activists and journalists both domestically and overseas”.

The diaries of a digital mercenary

Hacking Team, which was itself hacked and had 400 gigabytes of company data and e-mails leaked online this week, is one of the world's most controversial surveillance agencies.

The company, based in Milan, Italy, has long been questioned by activists over its use of spying technology that enables it - and its clients - to bypass encryption software and access individuals' smartphones while they are in use.

Its own website proclaims that clients can "acquire relevant data", "defeat encryption", "deploy a secret agent", and "go stealth and untraceable". The site also claims on its home page that clients can take "total control over your targets", will be "invisible to the target" and can get "clear" access to thousands of encrypted communications per day. All devices, mobile or otherwise, could be monitored, Hacking Team said in a brochure for its Galileo system.

But this clandestine surveillance, which the company calls "Remote Control System", has long been questioned by activists.

In 2013, Reporters Without Borders found that Hacking Team was one of five worldwide "digital era mercenaries". A summary of the Enemies of the Internet report states: "They sell products that are liable to be used by governments to violate human rights and freedom of expression."

In April this year, Privacy International released a briefing to the Italian government over Hacking Team's activities.

"Hacking Team has a consistent track record of delivering its software, including the RCS, to government agencies with records of human rights abuse and unlawful surveillance, and its products have been repeatedly used to conduct unlawful surveillance of journalists, activists and human rights defenders," the document states.

After this week's hack, Privacy International deputy director Eric King, in a statement, described Hacking Team as "one of the most aggressive companies currently supplying governments with hacking tools. Friday's leak of materials reportedly shows how Hacking Team assisted some of the world's most repressive regimes - from Bahrain to Uzbekistan, Ethiopia to Sudan - to spy on their citizens."

Hacking Team has regularly denied claims that its products are used to perpetuate human rights abuses.

One e-mail in the leaked cache of documents is from Vincenzetti in which he describes activists as "idiots ... good at manipulating companies and people".

In another e-mail, on June 8, he writes to some colleagues: "Imagine this: a leak of Wikileaks showing YOU explaining the evilest technology on earth! :-) You would be demonized by our dearest friends the activists, and normal people would point their fingers at you."

Less than a month later, that is exactly what happened, and the company's secrets have been laid bare.

jurgensa@sundaytimes.co.za, savidesm@sundaytimes.co.za
