
Hacking Team Breach Shows A Global Spying Firm Run Amok


Coss

FEW NEWS EVENTS can unleash more schadenfreude within the security community than watching a notorious firm of hackers-for-hire become a hack target themselves. In the case of the freshly disemboweled Italian surveillance firm Hacking Team, the company may also serve as a dark example of a global surveillance industry that often sells to any government willing to pay, with little regard for that regime’s human rights record.

 

On Sunday night, unidentified hackers published a massive, 400 gigabyte trove on bittorrent of internal documents from the Milan-based Hacking Team, a firm long accused of unethical sales of tools that help governments break into target computers and phones. The breached trove includes executive emails, customer invoices and even source code; the company’s twitter feed was hacked, controlled by the intruders for nearly 12 hours, and used to distribute samples of the company’s hacked files. The security community spent Sunday night picking through the spy firm’s innards and in some cases finding what appear to be new confirmations that Hacking Team sold digital intrusion tools to authoritarian regimes. Those revelations may be well timed to influence an ongoing U.S. policy debate over how to control spying software, with a deadline for public debate on new regulations coming this month.

 

One document pulled from the breached files, for instance, appears to be a list of Hacking Team customers along with the length of their contracts. These customers include Azerbaijan, Bahrain, Egypt, Ethiopia, Kazakhstan, Morocco, Nigeria, Oman, Saudi Arabia, Sudan, and several United States agencies including the DEA, FBI and Department of Defense. Other documents show that Hacking Team issued an invoice to Ethiopia’s Information Network Security Agency (the spy agency of a country known to surveil and censor its journalists and political dissidents) for licensing its Remote Control System, a spyware tool. For Sudan, a country that’s the subject of a UN embargo, the documents show a $480,000 invoice to its National Intelligence and Security Services for the same software.

 

“These are the equivalents of the Edward Snowden leaks for the surveillance industry,” says Eric King, the deputy director of Privacy International. “There are few countries [Hacking Team] aren’t willing to sell to. There are few lines they aren’t willing to cross.”

 

In its marketing materials, Hacking Team describes its RCS product as “a solution designed to evade encryption by means of an agent directly installed on the device” an agency is monitoring. “You want to look through your target’s eyes,” reads the script of one of the company’s videos, shown below. “You have to hack your target.” Last year, researchers at Toronto-based Internet surveillance analysis group Citizen Lab and antivirus firm Kaspersky revealed Hacking Team software that targets every mobile operating system to take total control over phones.

 

Hacking Team hasn’t yet responded to WIRED’s request for comment. One Hacking Team engineer, Christian Pozzi, seemed to defend his employer briefly on Twitter, writing that the company’s attackers were “spreading lies about the services we provide.” His feed was soon hacked and then deleted.

 

Hacking Team’s newly exposed business practices call into question whether current regulations effectively prevent a private firm from selling hacking software to any government in the world. One written exchange between Hacking Team’s executives and UN officials shows the UN questioning Hacking Team’s sales to Sudan. A letter from the UN to the company references a March 2015 letter Hacking Team sent the UN, in which it argued that its spying tools didn’t count as a weapon, and so didn’t fall under the UN’s arms embargo. (The UN disagreed.)

 

“Sudan is one of the most strictly embargoed countries in the world,” says Chris Soghoian, a privacy activist and lead technologist for the American Civil Liberties Union who first spotted the UN correspondence in the Hacking Team data dump. “If Hacking Team believes they can lawfully sell to Sudan, they believe they can sell to anyone.”

 

That issue of whether hacking tools are defined as weapons in the terms of arms control agreements couldn’t be more timely: An arms control pact called the Wassenaar Arrangement has been hotly debated in recent weeks over its measures that would control the international export of intrusion software. The US Department of Commerce has opened the process to public comment, a window that ends on July 20.

 

The Wassenaar Arrangement has been criticized by the hacker community as limiting security research and preventing the sharing of penetration testing tools. But Privacy International’s Eric King argues that the practices of Hacking Team demonstrate why the pact is necessary, along with what he describes as “carve-outs” to protect security research. “What’s clear is that these companies can’t be left to their own devices,” says King. “Some form of regulation is needed to prevent these companies from selling to human rights abusers. That’s a hard policy question, and one tool won’t be a silver bullet. But regulation and export controls should be part of the policy response.”

 


Despite Hacking Team being based in Italy, the US Department of Commerce’s still-evolving export control regulations may still apply to the company, says the ACLU’s Chris Soghoian. He points to two firms he spotted in Hacking Team’s breached files who appeared to be reselling the company’s tools: Cyber Point International in Maryland and Horizon Global Group in California.

 

The hacked documents are far from the first evidence that Hacking Team has sold its tools to authoritarian governments. Researchers at Citizen Lab have accused Hacking Team of selling to countries including Sudan and the United Arab Emirates, who used it to spy on a political dissident who was later beaten by thugs. WIRED reported in 2013 on an American activist who was apparently targeted by Turkey using Hacking Team tools. But Hacking Team has responded with denials, criticisms of Citizen Lab’s methods, and claims that it doesn’t sell to “repressive regimes.”

 

“Hacking Team has continuously thrown mud, obfuscated, tried to confuse the truth,” says Privacy International’s King. “This release helps set the record straight on that, and shows their deviousness and duplicity in responding to what are legitimate criticisms.”

 

Wired.com


The FBI Spent $775K on Hacking Team’s Spy Tools Since 2011

 

THE FBI IS one of the clients who bought hacking software from the private Italian spying agency Hacking Team, which was itself the victim of a recent hack. It’s long been suspected that the FBI used Hacking Team’s tools, but with the publication yesterday of internal documents, invoices, emails and even product source code from the company, we now have the first concrete evidence that this is true.

 

The FBI is not in good company here. According to several spreadsheets within the hacked archive, which contain a list of Hacking Team’s customers, many of the other governments who bought the same software are repressive regimes, such as Sudan and Bahrain. The documents show that the FBI first purchased the company’s “RCS” in 2011. RCS stands for “Remote Control Service,” otherwise known as “Galileo,” Hacking Team’s premiere spy product.

 

RCS is a simple piece of hacking software that has been used by the Ethiopian regime to target journalists based in Washington DC. It has also been detected in an attack on a Moroccan media outlet, and a human rights activist from the United Arab Emirates.

 

Once a target’s computer has been infected, RCS is able to siphon off data, and listen in on communications before they have been encrypted. According to researchers based at the University of Toronto’s Citizen Lab, who have monitored the use of RCS throughout the world, the tool can also “record Skype calls, e-mails, instant messages, and passwords typed into a Web browser.” To top that off, RCS is also capable of switching on a target’s web camera and microphone.

 

Hacking Team has generated a total of 697,710 Euros ($773,226.64) from the FBI since 2011, according to the hacked spreadsheets. In 2015, the FBI spent 59,855 Euros on “maintenance,” and in 2014 the agency spent the same amount on “license/upgrades.” No expenditure was recorded for the whole of 2013.

 

In 2012, however, the FBI allegedly spent 310,000 Euros for Hacking Team’s services, all on licenses or upgrades, and the year before it spent 268,000 Euros.

 

A final column on one of the hacked spreadsheets is entitled “Exploit”. For the FBI, the entry is written as “Yes.” Though it’s unclear exactly what this means, we can infer that the FBI’s version of RCS came with an exploit of some kind that could gain access to user’s computers, rather than being deployed through social-engineering means.

 

Regardless, the FBI has been known to hack the computers of criminals in the past. In fact, the agency has been using malware since at least 2002 for all sorts of criminal cases, and the FBI develops some of its own tools. In 2012, “Operation Torpedo” was launched, which involved loading malware onto a number of child pornography sites, and identifying the IP addresses of anyone who visited. A similar operation was launched shortly after, in order to catch users of Freedom Hosting, a dark web hosting company.

 

 

Those were both broad attacks, designed to sweep up as many offenders as possible. Hacking Team’s tools, on the other hand, are used for more targeted surveillance of specific individuals or groups. According to the hacked spreadsheets, the FBI has used RCS against 35 targets, although it is unclear who these targets are.

 

The FBI did not immediately respond to multiple requests for comment.

 

One interesting tidbit from the spreadsheet is that it appears that Hacking Team has not been selling these products directly to the FBI. Though the FBI is listed as the client, its “Partner/Fulfillment Vehicle” is listed as “CICOM USA.”

 

That name is familiar. Earlier this year, an investigation from Motherboard revealed that the Drug Enforcement Administration had been secretly purchasing surveillance technology from Hacking Team. Within that contract, $2.4 million was sent “between the DEA’s Office of Investigative Technology and a government contractor named Cicom USA,” according to Motherboard.

 

An invoice with the file name “Commessa019.2014. CICOM USA x FBI.xls,” also included in the Hacking Team archive, lists a “One year renewal for Remote Control System,” charged to Cicom USA. The invoice says that the product lasts from July 1, 2014 to June 30, 2015. The file name for the invoice explicitly includes the FBI, and not the DEA. However, the spreadsheet with the client list shows that the FBI is, in fact, joined by the DEA and the DOD in buying products from Hacking Team, which both also use Cicom USA as their “fulfilment vehicles.”

 

Cicom USA is little more than a shell company for Hacking Team. “They have the same address, they have the same telephone number,” as Hacking Team’s US office, Edin Omanovic, a technologist at Privacy International, told WIRED in a phone interview.

 

As for what protections might be in place to make sure that the FBI (or any US government agency) is using this technology responsibly, it’s all a bit hazy.

 

“We think they get court orders, and we have even seen a few, but the applications don’t really describe how the software works, or how they will get it onto the target’s device,” Christopher Soghoian, Principal Technologist at the American Civil Liberties Union, told WIRED in an encrypted chat.

 

The problem is that the discussion around law enforcement using hacking as a means of information gathering has never been carried out in public.

 

“Congress has never explicitly granted law enforcement agencies the power to hack. And there have never been any congressional hearings on the topic,” Soghoian continued.

 

“We need to have a national debate about whether we want law enforcement agencies to be able to hack into the computers of targets. This is too dangerous a tool for them to start using by themselves.”

 

Wired.com
