Last Sunday, the Milan-based spyware firm uncreatively known as “Hacking Team”—notorious for selling powerful, out-of-the-box surveillance tools to any government or law enforcement agency willing to pay the hefty price-tag—was itself hacked by unknown actors.
The firm’s compromised Twitter account began tweeting links to over 400 gigabytes of internal data, including company emails, invoices, financial documents, and source code—most of which appears to have been stored sans encryption on company servers.
To add insult to injury, the hacker(s) responsible—seemingly the same person(s) who infiltrated spyware purveyor Gamma Group last year—changed Hacking Team’s Twitter account name to “Hacked Team.”
The contents of the data dump confirm what researchers and journalists had long suspected: that Hacking Team regularly sells its spyware to repressive regimes—including Ethiopia, Morocco, Saudi Arabia, and Sudan—some of whom have used the technology to spy on reporters and activists.
In other words, the company has more than earned the appellation bestowed upon it by Reporters without Borders: Hacking Team is an “Enemy of the Internet.”
Avoiding Accountability: A How To
Included in the many thousands of leaked company emails (which are now hosted and archived on WikiLeaks.org) is an exchange between Hacking Team PR chief Eric Rabe and my Century Foundation colleague Barton Gellman, who reported on the spyware industry for the Washington Post in 2014.
The August 2014 exchange, and the flurry of internal emails that accompany it, are instructive, demonstrating how an extremely cagey company like Hacking Team choreographs its evasive dance for the press.
In the e-mail, Gellman bases his line of inquiry on a (then-forthcoming) report by Morgan Marquis-Boire of Citizen Lab at University of Toronto, who had procured a leaked copy of an operating manual for Hacking Team’s Remote Control System (RCS) spyware.
After a fruitful back-and-forth, in which Gellman commends Rabe for some uncharacteristic candidness—“Are you new? I haven’t seen this kind of substantial response from HT before”—Gellman presses further on the most controversial revelations in the report.
“What’s alleged,” he writes, “is that all a target has to do is click on a YouTube video or log in to [Microsoft’s] live.com and the Hacking Team system will perform a man-in-the-middle attack and inject spyware into the traffic stream, after which the HT customer can conduct surveillance on the target’s computer at will.”
Gellman then explains the seriousness of the allegation:
“Google and Microsoft don’t like being used as attack surfaces against their users, targeted or not. They say a legitimate government investigation would bring a warrant or comparable legal process and ask for the information, not hack into the link between the companies and their users. I’m looking for a reply to that.”
HT’s Rabe doesn’t immediately respond. Instead, he forwards the exchange to Hacking Team chief operating officer Giancarlo Russo, who forwards it to operations manager Daniele Milan.
“Can you help with this?” Russo writes to Milan. “It’s an allegation from the WSJ [sic] after receiving a new report from CL [Citizen Lab] based on the leaked manual.”
Half an hour later, Milan responds: “Technically what they are saying is correct, and leveraging on that (they have the manuals) they are saying ‘Microsoft don’t like that’ to intimidate us.”
Here we see Hacking Team lowering into its defensive crouch. Gellman’s factual reporting is dubbed “intimidation.” Milan knows that Gellman is “technically correct,” but he doesn’t want anybody saying so out loud.
“Our clients don’t like at all that our methods are discussed on the media, especially at this level of detail,” Milan writes. “I would just say, ‘we cannot comment on those allegations.’”
Rabe—who had already spoken to Gellman in some detail—asks the others whether he can play down the Microsoft/Google exploit.
“If possible,” he writes, “It would be good to say [to Gellman]: ‘Nothing in our system uses Microsoft or Google to deliver Hacking Team software to users of their services.’ Can we say that?”
The good faith answer to that question is, of course, no. They can’t say that because it’s not true.
Milan admits as much: “In the manual there are explicit references to YouTube in the description of one of our TNI attack methods,” he writes, “[It] blocks videos on YouTube and requires the user to install a fake Flash update to view them. The agent is installed when the target installs the update.”
Indeed, researchers combing through Hacking Team’s files have found three previously unknown Flash vulnerabilities—or “zero-days”—that would allow attackers to remotely inject malicious code onto a target’s computer. Adobe has made quick work of patching these latest holes in its Flash software, though many security experts recommend removing the exploit-prone platform from your machine altogether.
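The attack class described in the exchange above only works where traffic between a user and a site travels in the clear, because an injector in the network path cannot alter content inside a properly established TLS session. The following is an added example, not code from the article or from any of the parties it quotes: a small defender-side check that inspects a recorded HTTP response and reports whether the site leaves such a plaintext window open (no HTTPS, no redirect, or a missing or malformed Strict-Transport-Security policy). The sample responses are constructed for the example, and the function and class names are this example's own.

```python
"""Check recorded HTTP responses for exposure to in-transit injection.

Added example: the sample responses below are constructed, and the
helper names (Hsts, parse_hsts, assess_response) are this example's own.
"""

from dataclasses import dataclass

ONE_YEAR = 31536000  # seconds; common minimum for a useful HSTS policy


@dataclass
class Hsts:
    """Parsed Strict-Transport-Security policy (RFC 6797 directives)."""
    max_age: int
    include_subdomains: bool = False
    preload: bool = False


def parse_hsts(value):
    """Parse a Strict-Transport-Security header value.

    Returns an Hsts instance, or None when the header is malformed
    (no usable max-age), which browsers treat as if no policy was sent.
    """
    max_age = None
    include_subdomains = False
    preload = False
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "max-age":
            if not arg.isdigit():
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return Hsts(max_age, include_subdomains, preload)


def assess_response(scheme, status, headers):
    """Return a list of findings for one recorded response.

    scheme:  URL scheme the client used ("http" or "https")
    status:  HTTP status code of the response
    headers: dict of response headers (names matched case-insensitively)
    """
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    if scheme == "http":
        location = h.get("location", "")
        if 300 <= status < 400 and location.startswith("https://"):
            findings.append("plaintext request redirected to https "
                            "(the first visit is still exposed)")
        else:
            findings.append("content served over plaintext http: "
                            "modifiable in transit")
        return findings
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("https without HSTS: later http:// visits "
                        "can be downgraded")
        return findings
    policy = parse_hsts(hsts)
    if policy is None:
        findings.append("malformed HSTS header; browsers will ignore it")
    elif policy.max_age < ONE_YEAR:
        findings.append("HSTS max-age shorter than one year")
    else:
        findings.append("ok: HSTS enforced")
    return findings


# Constructed sample responses, one per exposure case.
SAMPLES = [
    ("http", 200, {"Content-Type": "text/html"}),
    ("http", 301, {"Location": "https://video.example/watch"}),
    ("https", 200, {"Content-Type": "text/html"}),
    ("https", 200, {"Strict-Transport-Security": "max-age=300"}),
    ("https", 200, {"Strict-Transport-Security":
                    "max-age=31536000; includeSubDomains; preload"}),
]


def audit(samples=SAMPLES):
    """Run assess_response over every sample; returns a flat findings list."""
    report = []
    for scheme, status, headers in samples:
        report.extend(assess_response(scheme, status, headers))
    return report


if __name__ == "__main__":
    for line in audit():
        print(line)
```

Only the last sample passes; the redirect case is flagged because the unprotected first request is exactly where an in-path injector gets its chance, which is why HSTS (and preloading) matters in addition to plain HTTPS.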
Who Hacks the Hackers?
Ultimately, Gellman published his story before Hacking Team was forced to decide just how elaborately to stretch the truth in this case. Read Gellman’s full Washington Post story here. But their willingness to lie, flagrantly, to journalists, researchers, and UN investigators alike, appears to have been a hallmark of their tradecraft—one which allowed them to peddle the tools of repression with impunity for years.
Indeed, it bears mentioning that this illegal hack—undertaken by someone who, in her/his own words, lacked “the patience to wait for whistleblowers”—is the only reason the truth, and perhaps a little justice, is beginning to emerge.
And for that, we can all be grateful.
Click here to read the rest of Bart Gellman and Hacking Team’s exchange—including Hacking Team’s internal scheming and kvetching about Bart.
And here to read a do-it-yourself guide to hacking by the hacker who (reportedly) hacked Hacking Team and Gamma Group: “Hack Back! A DIY Guide for Those Without the Patience to Wait for Whistleblowers.”