Breach Notification , Breach Response , Cybersecurity

Spyware Vendor Alert: Suspend Software

Hacking Team Warns Police, Government Users After Breach
Spyware Vendor Alert: Suspend Software

Surveillance software maker Hacking Team, also known as HT S.r.l., has confirmed that it has been hacked (see Surveillance Software Firm Breached).

See Also: Top Trends in Cybercrime; 411 Million Attacks Detected in Just 3 Months

The Italian company has advised users of its spyware - sold to police and government intelligence agencies - to temporarily suspend their use of the software, pending the company's data breach investigation.

Files released online on July 5 indicate that the company has sold its surveillance software to dozens of countries, including the United States and Spain, as well as Russia, Bahrain and Sudan, according to copies of the data that have been reviewed by multiple information security and privacy experts.

A hacker or hackers operating under the name "PhineasFisher," who previously claimed credit for hacking and leaking data from former FinFisher surveillance software vendor Gamma Group, has now claimed credit for hacking and leaking data from Hacking Team. But the true identity of Hacking Team's attackers remains a mystery. "They have so many enemies that listing the possible hackers of HackingTeam is pointless," says security researcher and penetration tester Joxean Koret via Twitter.

Evidence of the Hacking Team data breach first surfaced July 5, when the company's Twitter account was defaced and messages began pointing to a BitTorrent tracker file - hosted on New Zealand file-sharing service Mega - for a 400 GB data dump. Since then, security researchers have been poring through the information and publishing excerpts that detail internal company communications, support requests from customers, source code and invoices, amongst other information.

Hacking Team has not responded to multiple emailed requests for comment from Information Security Media Group. Reached by phone, a company representative referred all media inquiries to an email address that occasionally bounced emails back as being non-deliverable.

But Hacking Team's senior counsel and U.S. spokesman Eric Rabe has confirmed the breach, telling Reuters that "law enforcement will investigate the illegal taking of proprietary company property."

Hacking Team sells surveillance software that it says is designed to combat "crime and terrorism," and which can infect both Windows and Mac OS X devices, as well as numerous types of smartphones. The company advertises that its software can intercept data, even if targets are using encryption. Its flagship product, Remote Control System - a.k.a. Galileo - allows users to hack into targets' PCs, exfiltrate data from hard drives, intercept Skype calls and surreptitiously activate and record from webcams and PC microphones, among other capabilities.

Following the breach, Hacking Team recommends that all customers suspend their use of its software, pending the company's review of the hack and related data leak to see if it has compromised any customers' ongoing operations. "We would expect this to be a relatively short suspension of service," Rabe tells Reuters.

Human Rights Questions

Hacking Team and some other surveillance software manufacturers have been criticized by civil and privacy rights groups for selling their software to repressive regimes, or countries that target dissidents and journalists. "Hacking Team has a consistent track record of delivering its software ... to government agencies with records of human rights abuse and unlawful surveillance, and its products have been repeatedly used to conduct unlawful surveillance of journalists, activists and human rights defenders," according to an April 2015 report released by civil rights group Privacy International. The report says the company has also received at least €1 million ($110 million) in Italian government funding.

On its website, however, Hacking Team says that before any sale, it reviews customers "to determine whether or not there is objective evidence or credible concerns that Hacking Team technology provided to the customer will be used to facilitate human rights violations" and adds that "we do not sell products to governments or to countries blacklisted by the U.S., E.U., U.N., NATO or ASEAN."

The company also says on its website that customers must comply with the software's auditing features, which "allow administrators to monitor how the system is being used," and promises to cease sales and support to any country that it believes is using its technology "to facilitate gross human rights abuses."

Marco Valleri, a Hacking Team co-founder, told The Wall Street Journal in 2011 that his company was "fully compliant" with international laws. "Europe and the U.S. both have blacklists of countries that are not so friendly. We are allowed to sell only to friendly countries," he said.

But the company's 35 customers, according to leaked data, have included government agencies in Azerbaijan, Egypt, Ethiopia, Morocco, United Arab Emirates, Uzbekistan, Saudi Arabia and Sudan, which many civil rights monitoring organizations say regularly violate human rights.

Hacking Team Customers


Current/former customers of Hacking Team (blue), based on leaked client lists. Source: Joxean Koret

Hence many anti-surveillance campaigners have welcomed the Hacking Team leak. Privacy researcher Christopher Soghoian, principal technologist at the American Civil Liberties Union, has called it the "best transparency report ever."

Customers In U.S., EU Too

Other Hacking Team customers, according to the leaked data, include a number of European agencies, such as Poland's anti-corruption bureau, Luxembourg's tax authority and the Czech police. In the United States, meanwhile, listed current and former customers include the U.S. Drug Enforcement Agency and the U.S. Army, while the FBI has spent $773,000 on Hacking Team's software since 2011, Wired reports.

The FBI declined to comment on that report. "The FBI does not comment on specific tools. However, the FBI routinely identifies, evaluates, and tests potential exploits in the interest of cybersecurity," an FBI spokeswoman tells Information Security Media Group. "Criminals consistently exploit advances in technology to defeat traditional law enforcement techniques. As a result, the FBI must maintain corresponding awareness and capability when it comes to emerging technologies and tradecraft to combat crime and protect the United States while preserving civil liberties and ensuring compliance with all relevant laws and policies."

Hacking Team has a subsidiary in Annapolis, Md., and has reportedly been making a concerted effort to sell to more U.S. government agencies. But the FBI's use of the company's software was relatively minor, according to leaked emails reviewed by Forbes. "The FBI unit that is using our system seems like a pretty small operation and they have purchased RCS as a sort of back up to some other system they use," Hacking Team's Rabe wrote.

Other emails cited by Forbes included a review of a meeting written by Hacking Team's operations manager Daniele Milan after a meeting at Quantico, Va. - where the FBI Academy is based - in which she reported that the bureau was especially interested in capabilities that would allow it to monitor and unmask suspects who use the Tor anonymizing network. "They [the FBI] continue to be interested in new features all the more related to TOR, VPN [virtual private networks] and less-click infections. In the past their targets were 20 percent on TOR, now they are 60 percent on TOR," Milan wrote. "They want to be able to catch the IP of their targets using TOR."


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.




Around the Network