
Surveillance Software Firm Breached

Hacking Team Hacked, 400 GB Data Dumped
Before/after: Attackers defaced Hacking Team's Twitter account logo.

Hacking Team, an Italian developer of "easy-to-use offensive technology" - including spyware and other surveillance software that it sells to police, law enforcement and intelligence agencies - appears to have been breached and large quantities of corporate information leaked.


On July 5, hackers also appeared to have seized control of Hacking Team's Twitter account, @hackingteam, after which they changed the company's logo and posted the following message: "Since we have nothing to hide, we're publishing all our e-mails, files, and source code."

The message included links to a Torrent file that reportedly contains 400 GB of the aforementioned data, including the source code for its "Remote Control System," known as both DaVinci and Galileo. Hacking Team advertises that the software is able to intercept Skype and voice calls, as well as data stored on PCs. The leaked data reportedly also includes passwords for multiple Hacking Team employees and customers, as well as previously undisclosed - or zero-day - vulnerabilities.

The Hacking Team data leak reportedly reveals that the company's customers have ranged from the U.S. FBI and Drug Enforcement Administration to the governments of Sudan and the United Arab Emirates. Credit for the hack and data breach has reportedly been claimed by PhineasFisher, who has previously targeted vendors for allegedly selling surveillance software to repressive regimes. "Gamma and HT down, a few more to go :)," PhineasFisher said July 6 via Twitter.

Threat intelligence firm iSight Partners says in a research note that it believes the breach occurred, and that most or all of the leaked data is genuine, because "convincingly fabricating that much information is prohibitively time intensive." It also warns that the source code could soon become part of other hackers' toolsets: "Hacking Team's tools and techniques will likely begin to be incorporated in other malware and surveillance tools." Allegedly leaked Hacking Team code has already been posted to the GitHub code-sharing site.

Hacking Team did not immediately respond to a request for comment about the breach, so the contents of those alleged customer lists could not be confirmed. Hacking Team senior system and security engineer Christian Pozzi, whose emails and personal passwords - including for multiple social media accounts - appear to have been included in the leak, says via Twitter on July 6: "We are currently working closely with the police at the moment. I can't comment about the recent breach."

But the authenticity of that message is questionable, since Pozzi's Twitter account later posted a message suggesting that it too had been compromised by hackers: "We are closing down. Bye Saudi Arabia. You paid us well. Allahuhakbah." After those messages appeared, Pozzi's Twitter account appears to have been deleted in its entirety.

The Company's Customers

Numerous privacy rights groups say that the data leak provides a rare look into how governments spy on people at home and abroad. "Hacking Team is one of the most aggressive companies currently supplying governments with hacking tools," says Eric King, deputy director of civil rights group Privacy International. "[The] leak of materials reportedly shows how Hacking Team assisted some of the world's most repressive regimes - from Bahrain to Uzbekistan, Ethiopia to Sudan - to spy on their citizens."

Hacking Team advertises its Galileo and DaVinci software as being "the hacking suite for governmental interception," noting that it can handle "up to hundreds of thousands of targets, all managed from a central place." Some of the software's capabilities have been previously described by Citizen Lab, a privacy project run by the University of Toronto, which says that the vendor's spyware can copy files from the hard drive of an infected PC, record Skype calls and emails, intercept passwords typed into Web browsers, as well as remotely activate webcams and microphones. To employ the spyware, however, government agencies must first sneak it onto targets' PCs, and Citizen Lab says that phishing attacks are likely the most-used technique for accomplishing this.

Privacy researcher Christopher Soghoian, principal technologist at the American Civil Liberties Union, says via Twitter that according to the leaked information, Hacking Team's customer list "includes South Korea, Kazakhstan, Saudi Arabia, Oman, Lebanon, and Mongolia."

Soghoian adds via Twitter that a leaked March 2013 invoice, covering the first half of a related payment, shows Hacking Team also completed a €260,000 ($290,000) deal with the government of Azerbaijan, selling "through a shadowy front company in Nevada" named Horizon Global Group.

Citizen Lab had previously questioned whether Hacking Team was selling to governments that are widely viewed as being repressive. "We suspect that agencies of these twenty-one governments are current or former users of RCS: Azerbaijan, Colombia, Egypt, Ethiopia, Hungary, Italy, Kazakhstan, Korea, Malaysia, Mexico, Morocco, Nigeria, Oman, Panama, Poland, Saudi Arabia, Sudan, Thailand, Turkey, UAE, and Uzbekistan," it says in a 2014 report. "Nine of these countries receive the lowest ranking, 'authoritarian,' in The Economist's 2012 Democracy Index. Additionally, two current users - Egypt and Turkey - have brutally repressed recent protest movements."

The company's customer list had also earned it a place on the "Enemies of the Internet" list maintained by press freedom group Reporters Without Borders.

Hacking Team's alleged "maintenance agreement" tracker has been published to text-sharing website Pastebin; it says that the company's customers also include the U.S. Drug Enforcement Administration - as news outlet Vice first reported in April - and government agencies across the EU, including the Czech Republic, Hungary, Luxembourg, Poland and Spain. The FBI, meanwhile, is listed in that maintenance agreement as having an "active maintenance contract" with Hacking Team through June 30, 2015, while both Russia and Sudan are listed as being "not officially supported." Again, however, the authenticity of that information could not be confirmed, and it's possible that whoever leaked the files altered, added or fabricated the information.

The FBI did not immediately respond to Information Security Media Group's inquiry about whether the bureau is, or has been, a Hacking Team customer.

Hacker Targets

Cryptography expert Matthew Green, a Johns Hopkins University professor, says that more than any other type of company except bitcoin exchanges, surveillance software vendors should expect to face serious and sustained hacks. Thus, they should harden their defenses accordingly, but few seem to do so, he says.

Indeed, Hacking Team is not the first surveillance software vendor to have been hacked. In August 2014, Gamma Group - the creator of FinFisher malware, which it spun off as a separate company in 2013 - was also breached by PhineasFisher, who announced via Reddit that a 40 GB data dump leaked to BitTorrent included internal documents, as well as price lists and support queries.


About the Author

Mathew J. Schwartz


Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.