Online Surveillance Firm ‘Hacking Team’ Gets Hacked

Online hackers have released more than 400 GB of internal data, including staff emails and company documents, stolen from Hacking Team, a company in northern Italy that sells online spying software to governments and security services around the world.

It was named as a corporate “enemy of the internet” in 2013 by press-freedom advocacy group Reporters Without Borders, after developing software that it says can circumvent certain encryption schemes.

The software is designed to remotely record every keystroke made on a target device, vacuuming up passwords and, in certain instances, capturing messages before they are encrypted.

On its website, Hacking Team boasts that it offers “total control over your targets. Log everything you need. Always. Anywhere they are.”

Hacking Team has denied selling its spy software to repressive regimes, saying in February: “We rely on our own due diligence, published reports, international black lists and conversations with potential clients to assure ourselves to the extent possible that our software will be used legally and responsibly.”

And yet academic organisation CitizenLab published research earlier this year claiming Hacking Team software has been found in a number of repressively run countries including Azerbaijan, Egypt, Ethiopia, Kazakhstan, Morocco, Saudi Arabia, Sudan, Turkey and Uzbekistan.

In 2012, Slate magazine reported that Hacking Team-related spyware might be linked to an attempt to compromise the computers of award-winning independent Moroccan news website Mamfakinch.com. CitizenLab has also claimed there is evidence suggesting Hacking Team software was linked to cyberattacks on Ethiopian journalists living in the US.

A list that claims to show Hacking Team clients was posted online as part of the Hacking Team breach. It shows that Mongolian, Uzbek, Sudanese, Russian, Ethiopian, Bahraini, Turkish, Moroccan and Kazakh security and police services patronized the company, alongside the American FBI. Police and security agencies from European Union member countries Poland, Cyprus and Hungary were also Hacking Team customers, according to the list.

Some of the leaked emails appear to show Hacking Team employees discussing how to deal with the negative media coverage arising from the use of their software by some of their customers. According to the Intercept, Daniele Milan, Hacking Team’s operations chief, suggested the Ethiopian intelligence agency’s account could be closed, commenting that its “reckless and clumsy usage of our solution (has) caused us enough damage.” However, Milan noted in another email, “I know that 700k is a relevant sum.”

According to the BBC, Hacking Team employee Christian Pozzi responded to the current hack on Twitter, writing, “We are awake. The people responsible for this will be arrested. We are working with the police at the moment.” He subsequently deleted his account on the micro-blogging site.

Hacking Team has been forced to ask customers to stop using the services it provides to governments, and an insider was quoted by Vice Magazine’s Motherboard project saying, “They’re in full-on emergency mode.” Security analytics site Schneier on Security commented, “It's one thing to have dissatisfied customers. It's another to have dissatisfied customers with death squads. I don't think the company is going to survive this.”

The hacked data includes source code, which has already led to the detection of a major vulnerability in Adobe Flash that was not previously known to its manufacturer and that Hacking Team allegedly discovered but did not reveal to the public. Adobe has released a fix after warning that “successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system.”

OCCRP and its affiliates are analyzing the data, and will produce a continuing series of stories investigating Hacking Team’s conduct and contracts.

OCCRP Looks at Hacking Team data.

Rustavi TV (Georgia) on its top-rated Sunday night news show "PS" reported that its Ministry of Internal Affairs has been approached several times by Hacking Team since at least 2010 and on at least one occasion invited Hacking Team salespeople to Tbilisi for a two-day product demonstration. The Ministry refused to confirm any purchases. The report was produced by OCCRP partner Lasha Kveseladze.

Meydan TV (Azerbaijan) reported Thursday that Azerbaijan’s Ministry of National Security struggled to understand the Hacking Team spyware it bought for nearly US$ 400,000, prompting frustration and occasionally snarky internal emails at HT over the Azerbaijanis' intransigence and inability to make the spyware work. The HT malware was designed to track users’ keystrokes and to remotely operate cameras and microphones, but it is unclear how many target computers or phones were ever infected.

RISE Project (Romania) reported that Hacking Team demonstrated its software to Romanian intelligence on Jan. 16 of last year. The visit was organized by the Institute for Advanced Technologies (IAT), a department of the Romanian Intelligence Service (SRI). A representative of the company reported in an email, “My feeling is they were evaluating the product for the intelligence services. [IAT project manager] Marius [Moise] often raised their concerns about ‘trusting’ private companies and also slightly referred to some of our leaks happened in the past.” The RISE Project also discovered that Hacking Team had exchanged emails with the Romanian firm FinRo SRL, headed by Ion Toader.

Bivol.bg (Bulgaria) reported that Hacking Team had been asked by Dmitrov Kumanov of Bulgaria’s National Security Agency (DANS) to demonstrate its products, in particular how to “hack iPhone 6” and Android. An email from Milko Milenov of DANS stated, “I hope to have a budget for our future cooperation.”

Meydan TV (Azerbaijan) reported Wednesday that Azerbaijan's Ministry of Defense bought a license for Hacking Team's Remote Control System (RCS) surveillance spyware via a California-based intermediary called Horizon Global Group in 2013, despite the software company’s claim it never did business with intermediaries or repressive regimes. The software can secretly log “any action performed by … a personal computer … or smartphone,” including recording keystrokes and harvesting passwords, or turning on cameras or microphones without alerting the user.

Rise Project (Moldova) reported that Igor Carlasuc, from Moldova’s National Center For Anti-Corruption, expressed serious interest in buying Hacking Team’s spyware. In a 2014 email he emphasized that he wanted “to be able to monitor all kinds of operating systems (Windows, Mac, Linux, Windows phone, Android, iPhone, Blackberry)”. Moldova’s intelligence agency, the Security and Information Service, was also given a demonstration of Hacking Team’s products by the company’s staff in Chisinau, and there were also meetings between Hacking Team representatives and the Interior Ministry in 2013.

CINS (Serbia) reported that both the Ministry of Defence of Serbia and the country’s Security Information Agency had shown serious interest in Hacking Team’s spyware products. It also reported that Bosnian as well as Croatian border police had received a demonstration of Hacking Team software from a re-seller. 

OCCRP reported that Hacking Team gave a Dubai-based tech firm permission to ‘present and promote’ its spyware to Turkmenistan’s Ministry for National Security. The ministry has been accused of using torture against two journalists in 2006 and is part of a regime ranked among the world’s most repressive, alongside North Korea and Eritrea.

OCCRP reported that Belarus law enforcement had shown interest in Hacking Team spyware via Ukraine-based tech firm Altron. Unusually, the Belarusians wanted to transfer spyware and collect intercepted data using USB sticks, apparently to avoid leaving online evidence that could be used by researchers or human rights defenders to track their use of the spyware.