The Malaysian Government doesn’t buy spyware? Yeah, right

By Keith Rozario December 31, 2015

Despite denial in Parliament, evidence is there that the Govt did buy spyware
Evidence suggests it was used on citizens, especially Opposition supporters

The Malaysian Government doesn’t buy spyware? Yeah, right ON Nov 23 2015, Azalina Othman Said – Malaysia’s minister in charge of parliamentary affairs – denied that the Malaysian Government had procured spyware from Milan-based Hacking Team.

In a formal response (in Parliament, no less!), the minister simply stated, “For your information, no such device was purchased by the Prime Minister’s Department.”

For your information, dear minister, I don’t like being lied to.

Here’s step-by-step look at why we can trust the Hacking Team leak; why there’s conclusive proof Malaysia bought this spyware; and why we should be worried about the manner in which it is being used.

1) So let’s go: First off, can we trust the Hacking Team revelations?

Yes, we can.

Phineas Fisher, the hacker responsible for leaking the data, didn’t just release e-mail trails, but also included brochures, invoices and the secret zero-day exploits in a giant 500GB download. Those zero-days are ‘proprietary’ Hacking Team exploits, and it’s what made their infamous RCS software possible.

If someone claimed to have hacked the Coca-Cola Company, and published embarrassing e-mails of their chief executive officer, you might believe them. But if that same hacker released the secret Coke recipe, it makes the case far more compelling.

At the very least, the proprietary zero-day exploits released by Fisher prove that Hacking Team was indeed hacked.

2) Okay, so Hacking Team was hacked, that still doesn’t mean the e-mails are real.

Well, that’s right. It is entirely possible that Fisher ‘polluted’ the e-mail archive with fake e-mails to make our Prime Minister’s Department look bad.

Only thing is, Malaysia wasn’t the only country involved. We were on a list of 35 countries with receipts in their name for procuring the fine spyware from Hacking Team.

In case you’re wondering, that list includes Sudan, Nigeria, Russia, Singapore, Australia, Thailand and the good ol’ US of A.

And if you look microscopically at Malaysia (like I did), you find that all the information in the e-mails are consistent.

Which means the context of the e-mails are correct, the names are proper Malaysian names (with MyKad and passport numbers to boot), the addresses are accurate Malaysian addresses, and nothing (absolutely nothing!) looks out of place in the entire 15GB of e-mail I sifted through.

I have no reason to believe this isn’t the same for the other 34 countries, and you can shelve the idea that this was a Zionist plot against Muslim countries because the countries implicated include Thailand, South Korea and even the United States.

So unless the Israelis have it out for just about everyone, that theory doesn’t stand.

Sure it’s still possible that this was a forgery, but it’s far more reasonable to believe that Hacking Team was hacked and the entire archive was released unmodified from its original condition.

To believe otherwise requires not just massive leaps of faith – it would require a concocted attacker that was a highly skilled hacker, presumably had lots of free time and money (since the hack didn’t result in any monetary gain), and an axe to grind with 35 seemingly unrelated countries.

At some point, the evidence becomes too compelling to ignore, and I believe we’re way past that.

3) All that’s nice Mr Tech Evangelist, but do you have any real evidence?

Yes, indeed I do.

Back in June, I chose not to release certain documents for various reasons, but since the good minister has confirmed that no purchase of spyware was made by the Government, these are probably fake anyway.

I’ve linked two TT (telegraphic transfer) slips detailing large payments to Hacking Team from a company called Miliserv Technologies Sdn Bhd.

READ ALSO: Malaysian Govt spyware use unconstitutional, call for action

If the Government hasn’t procured spyware from Hacking Team, I strongly advise the minister to investigate this local Malaysian company for making huge payments to an enemy of the Internet.

TT-SLIP-No1 (€38,000 or RM170,270)

TT-SLIP-No2 (€210,00 or RM899,157– pardon the fuzziness, I had to remove some personal information of the company director).

4) Okay, the Government bought spyware. So what?

Good point. Hacking Team sold its specially crafted spyware to at least three agencies within the Malaysian Government.

These tools are meant for spying on specific individuals and not for mass-surveillance of the population, so most of us can breathe a sigh of relief since they’re not going for RedTube (a porn video site) members here.

Also, some agencies like the police or military intelligence have a legitimate use for spyware, the same way no-one should panic when the cops buy binoculars or wire-tapping equipment.

But it’s not the equipment that’s being questioned, it’s the manner in which that equipment is being used that is so controversial.

Is it being used with a warrant? Is it being used for catching criminals? Or is it being used to criminalise politicians (and their lawyers)?

So there is no need to deny buying it. Azalina should have just stated categorically that the Government did indeed procure the spyware, but used it specifically for on-going criminal investigations in accordance with all relevant Malaysian laws.

5) But did the Government use it that way?

The honest truth is that I don’t know. The beauty of buying this stuff through a company like Miliserv is that it puts the Government at a distance, and gives it sufficient coverage from accusations.

But … we can gauge who it is targeting by looking at the documents Miliserv asked to be infected.

The standard operating procedure for all spyware is to embed the payload into an innocuous file (like a Word document).This innocuous file acts as a carrier, and is used to entice the victim to open it.

Once opened, the infection springs into action, compromising the computer, and begins gathering information for home base.

The way we figure out who was being attacked is by looking at the carrier file. Back in 2013, the document used to spread FinSpy (also by the Malaysian Government) was a Word document entitled SENARAI CADANGAN CALON PRU KE-13 MENGIKUT NEGERI.

In the Hacking Team leaks, I saw a carrier file titled Pengundi Asing (foreign voter) that purported showed the use of foreign nationals to vote in the Malaysian general election, and another one entitled Dakwat Kekal (indelible ink), spreading more rumours about the indelible ink used in the very same election.

Besides the fact that the Malaysian Government was essentially spreading rumours about itself, these carrier documents don’t point to ISIS terrorists or hardcore gangsters. These point to the average citizen, and Opposition supporters specifically.

Doesn’t exactly scream lawful usage, does it?

Conclusion

Listen, I believe the police have a right to procure spyware, and quite frankly, at around €200,000, it’s basically pocket change for the Government.

But the evidence suggests that we’re not using it to catch criminals, but rather to spy on politicians.

And for a minister to straight-up deny it in Parliament, is perhaps expected (if I’m being honest) – but also suggests that there’s a lot more to hide.

The manner of the denial, without even offering any explanation on the purchases, makes it even more frustrating.

But not quite as frustrating as seeing so little coverage of this in the media. I was a bit tied up at work and Christmas shopping to blog about this, but local journalists (with whom I shared some of the downloaded e-mails) should have done better.

Malaysians deserve better than my part-time reporting. It’s a shame you guys only have me, otherwise you would have read this one month ago.

Keith Rozario blogs at keithRozario.com covering technology and security issues from a Malaysian perspective. He also tweets from @keithrozario. This article first appeared on his blog and is reprinted here with his kind permission.