Questions as rogue elements in South African agency spy on ‘everyone’

South African police officers in Durban on July 16, 2021. 

Photo credit: AFP

Suspected ‘rogue agents’ in South Africa's powerful and secretive State Security Agency (SSA) are using an illegally obtained military-grade interception and decryption device to spy on almost anyone, an investigation shows.

The Sunday Nation has unearthed the existence of a hi-tech spying device for the last 18 months, a type of international mobile subscriber identity (IMSI) interceptor.

Recently, SA's Inspector-General (IG) for Security Services testified before Deputy Chief Justice Raymond Zondo's state capture inquiry into the system of corruption which developed under former president Jacob Zuma, now serving 15 months in jail for refusing the constitutional court's order that he appear before Zondo.

During his testimony, the IG referenced the IMSI device, which had been the focus of contention between the SSA and its ostensible local supplier, but did not seem to know much about the device, or was unwilling to speak on record about it.

But Sunday Nation has independently established that the device was obtained illegally, without the necessary arms control end user certificate, as required in SA law, and that its sale to State Security Agency personnel was "under the table".

The device was obtained in late 2016 or early 2017 from China through a Chinese expatriate now living in South Africa.

The device, an IMSI 'grabber', is at the highest end of the technology spectrum with only about 12 countries in the world capable of producing them, though other States have bought similar devices for their own spying agencies.

The device appears to have been used not only in the ongoing factional battles within the ruling African National Congress (ANC), especially during its last internal elections in December 2017 when current President Cyril Ramaphosa narrowly won the party's top slot, but also during the recent failed insurrection ostensibly triggered by Zuma's jailing early last month.

The existence of 'rogue agents' in the State Security Agency, fiercely loyal to Zuma, and having mostly been appointed during his tenure as president while key government departments were being 'captured', has been known for some time.

A critical process for Ramaphosa since his assumption of power has been the 'uncapturing' of SSA, starting with a new boss not slavishly loyal to the Zuma faction of the ruling party.

But while the agency has a new leadership, there are elements still loyal to Zuma and those favouring 'radical economic transformation', a politically-loaded phrase meant to operate as a cover to those 'with their hands in the public purse', and now discredited as an artificial construction of defunct UK PR firm Bell-Pottinger.

Some of those rogue elements were involved in the recent rioting and mass looting that amounted to a failed insurrection, according to police minister Bheki Cele, who at the height of the looting referenced rogue "spooks" (spies) as being the planners.

State Security Agency Minister Ayanda Dlodlo was questioned about the existence of the 'rogue' elements in SSA and their alleged role in the planned insurrection and key target attacks, which preceded the mass looting.

She initially confirmed that reports of such elements' involvement were being investigated, but later stepped away from implicating currently serving agents by saying it was past employees of the SSA who were involved, with a former Deputy Director-General in the department named.

But Sunday Nation is aware that such 'rogue' elements are still active in the SSA, one of whom threatened violence and arrest when formal inquiries were made regarding the existence of the IMSI grabber in its possession.

Spokesman for the SSA, Mava Scott, was approached last year by Sunday Nation for comment, with none forthcoming.

The IMSI device was first brought to attention when its alleged South African suppliers, Saber Industries, based in Bloemfontein, Free State province, threatened legal action to obtain an outstanding US$1 million from SSA.

Sunday Nation contacted the owner of the company, former Chinese mainland resident Chin-Chao Chen.

Little is known about this man's background. In his late 50s or early 60s, he arrived in SA in the mid-1990s, with his light industrial business being established in 1996.

His 29-year-old son James is the claimed "inventor" of the IMSI grabber, but has no applicable technical background. 

The claim is considered by security experts as "so far beyond improbable as to be certainly a lie" since the device involved, linked to a dedicated laptop, is far too sophisticated.

The device is capable of interception of all forms of electronic communications, including military-style frequency-hopping encrypted radio transmissions, but also cell phone, Wi-Fi and even Bluetooth – and can decrypt in near real-time, even able to change elements of messages before sending them. The device was dubbed ‘Warmonger’ and was obtained under an SSA project named Clarity, paid for out of a secret SSA slush fund which has little to no public oversight, even in Parliament, and therefore could be kept entirely secret.

Such a device, being classed as military grade, requires under SA law an end user certificate from the National Conventional Arms Control Committee (NCACC), which operates within the Defence department.

No such certification exists for the device, or none could be supplied by relevant authorities, which amounts to the same.

Absolute proof that the device was made by the Chinese military and security sector cannot be obtained without visual inspection of it, last seen in the SSA's Pretoria offices.

But all senior security sources spoken to by Sunday Nation on the issue insist that very few countries could make such devices, perhaps 12 at most, and that China is almost certainly the source.

Sunday Nation inspected the premises of the device's alleged "suppliers", which shares contact and address details with a plastic sheeting company in Bloemfontein owned by Chen, and established that there is no infrastructure, technology lab or relevant facility at which it could have been developed.

The issue became partially evident in the public domain when Saber Industries wanted to use the courts to force the SSA to pay the outstanding money.

Chen told Sunday Nation that the second half of the device's cost had been paid by the SSA, and that the matter was therefore "settled".

But pressed for answers to questions on its development, ostensibly by his son, Chen declined further comment, asking for questions in writing which he ignored.

During an inspection of his premises, Sunday Nation asked several times to speak to either Chen senior or his son James; all requests for further comment were denied.

But Chen had initially confirmed in telephonic questioning that the device was supplied by Saber Industries, that there had been a cost dispute over it, but that, once that was "settled", all passwords and activation elements had been handed over.

The SSA admitted to having access to interception equipment but, in its defence against the claim for the full payment for it, said it had not received either activation codes or passwords.

Aside from Chen's contradiction of that position, Sunday Nation sources said the device was "active and being used".

The device was supposedly at the SSA's Pretoria office lying unused, said security officials.

But it was not in the SSA offices during the ANC's elective conference in December 2017 when outgoing ANC leader Zuma wanted his ex-wife Nkosazana Dlamini-Zuma to replace him – and had thought that that would happen through his faction's control of branch delegates to the conference.

However, the last-minute shift of some 200 votes from Mpumalanga province delegates – who voted in their chosen man, David Mabuza, as deputy leader – to Ramaphosa's ticket meant Zuma's plan for 'more of the same' after his departure from office was doomed.

The subsequent contention within the ruling party has seen it split from top to bottom and contributed significantly to the violence and looting which followed Zuma's imprisonment.

However, security sources tell Sunday Nation that the attempted insurrection was long in the planning and Zuma's jailing merely the convenient moment to launch it.

Sources also said that the interception and decryption device – which can defeat commercial end-to-end encryption, such as used by WhatsApp and similar platforms – was "almost certainly" used in carrying out the failed insurrection.

"There were people listening in on everything that other SSA elements and police crime intelligence knew about and were countering – which turned out to be far less than what had actually been planned," said one senior source.

He added, "Several countries routinely use them, though ostensibly only for 'anti-terrorism' or counter-surveillance by foreign powers, but also for penetrating drug cartels, crime syndicates and similar high-value policing or security operations.

"France does state-wide surveillance using similar devices costing about US$4-6 million a year, as an example of state use that is known and acknowledged.