In contrast to many of the private companies performing outsourced aggressive surveillance work for the world’s spy agencies, Hacking Team doesn’t try to hide behind a generic corporate identity. Gamma International, Academi and QintetiQ could be companies doing anything, but Hacking Team – well, it doesn’t take a genius to guess what line of work they are in.
Hacking Team works in the “cybersecurity” industry. That’s “cybersecurity” in the same way that arms manufacturers describe their business as “defence”. It doesn’t provide security at all, really; none of their software will help clients avoid cyberattacks, tighten up their internal networks, or patch flaws in their software. Its main business is offensive hacking.
It sells its Remote Control System (RCS) software to law enforcement and national security agencies around the world, letting them hack into targets’ computers and mobile devices, install backdoors, and monitor them with ease.
The company’s promotional material advertises its abilities: “Hack into your targets with the most advanced infection vectors available. Enter his wireless network and tackle tactical operations with ad-hoc equipment designed to operate while on the move … Remote Control System: the hacking suite for governmental interception. Right at your fingertips.”
But apart from the clarity of its name, Hacking Team was just as opaque as the other companies in its industry. It didn’t disclose its clients, the technology behind its software, or the sort of work it was contracted to do, citing the need for privacy and security. All that changed this week when its own security was compromised, to the tune of 400GB of its data published online.
Back up for a minute to 2013. Reporters Without Borders (RSF) published an extensive report into “digital mercenaries” such as Hacking Team, who provide the technical expertise which underpins Snowden-era electronic surveillance. In it, the group named five “corporate enemies of the internet”: Hacking Team, Britain’s Gamma Group, Germany’s Trovicor, France’s Amesys, and America’s Blue Coat Systems. All of them, it said, “sell products that are liable to be used by governments to violate human rights and freedom of information”.
The report warned that those companies all sold products used to commit violations of human rights and freedom of information. “If these companies decided to sell to authoritarian regimes, they must have known that their products could be used to spy on journalists, dissidents and netizens,” it warned. And if they didn’t directly sell to authoritarian regimes, they were almost as guilty, of letting dangerous tools fall into the hands of malicious actors. If that happened, “their failure to keep track of the exports of their own software means they did not care if their technology was misused and did not care about the vulnerability of those who defend human rights,” the report said.
Throughout, Hacking Team has insisted that it does not sell to repressive regimes. Following the RSF report, it said that “Hacking Team goes to great lengths to assure that our software is not sold to governments that are blacklisted by the EU, the US, Nato and similar international organisations or any ‘repressive’ regime”.
“We also go to some lengths to monitor reports of use of our software in ways that might be inappropriate or illegal. When we find reports of such issues, we conduct an investigation to determine if action is needed.”
Yet still the accusations kept coming. Most recently, in March 2015, Hacking Team was accused of providing the tools used by the Ethiopian government to spy on journalists and activists based overseas. A report from CitizenLab, based at the University of Toronto, found that several journalists based in Washington DC, working for an Ethiopian diaspora news channel called ESAT, had been infected with what appeared to be Hacking Team’s RCS spyware.
It was the second such report from CitizenLab. In February 2014, they hadreported similar targeting of journalists, again with the telltale signs of the RCS spyware.
Despite Hacking Team’s assurance that “we will refuse to provide or we will stop supporting our technologies to governments or government agencies that … we believe have used HT technology to facilitate gross human rights abuses”, it appears that it continued to provide the software to Ethiopia, even after CitizenLab unveiled abuses over a year earlier. CitizenLab says that its findings “suggest that Hacking Team may have continued to provide updated versions of its spyware to the same attacker, despite reports of use of the spyware against journalists.”
Hacking Team’s response was to criticise the research: “We’re aware of their work and have seen some of their past reporting, some of which, it seems, to be based on some nicely presented suppositions,” a spokesman told Vice.
Then, on Sunday 5 July, the company’s most private secrets were blown wide open. Almost half a terabyte of private documents were posted on its twitter feed by an anonymous hacker – and they proved damning reading.
The company, which accepted that documents had been stolen in the attack, refused to comment on the validity of the dump as a whole, and a spokesman told the Guardian that “interpreting even valid documents without complete picture of why they were created or how they were used can easily lead to misunderstandings and even false conclusions”.
But the documents suggest the company is eager to encourage misunderstandings when they are in its favour. In an internal email, sent after yet another CitizenLab exposé, a company spokesman appeared to brainstorm ways to discount the story. Part of the proposed response leant on the evidence that its RCS was involved:
“The Citizen Lab report … also asserts that HT [Hacking Team] software was involved, but bases this assertion on speculation by Citizen Lab investigators, on other press accounts and the presence of three letters ‘rcs’ in the code. The initials RCS are, of course, the initials of a Hacking Team product, Remote Control System, but are also commonly used in software code for the term (WHAT?) Frankly, they could mean anything.”
Wikileaks has subsequently created a searchable archive of Hacking Team emails pulled from the data dump. These have revealed that Mexico tops the list for revenues for the company with Italy and Morocco not far behind. The US, South Korea, Switzerland, Hungary and Russia have also been clients.
The emails also show that the UK has trialled Hacking Team software, but that a £385,000 deal was halted over the legality of the use of such software, and that the company’s primary “targets”, or adversaries to its business, were groups including Human Rights Watch and Privacy International.
This hack is not the first time that one of the digital mercenaries has been dragged into the sunlight. A year ago, the same hacker made a public dump of documents belonging to Gamma International, another of the five firms highlighted by RSF in its report. But the Gamma document dumps amounted to barely 1% of what was taken from Hacking Team, and correspondingly fewer revelations were contained within.
The tortured mess of regulations around the provision and export of spyware means it’s difficult to hold these companies to account, but slowly, public opinion seems to be turning against them. In November, new EU regulations meant that software like Hacking Team’s RCS and Gamma’s FinFisher became classed as a “dual use” good, one with civilian and military applications. It puts it in the same category as nuclear reactors and rocket fuel, and means it will become significantly harder to legally export to repressive regimes.
To a certain extent, that last point may be moot, however. Because the hack revealed more than just the internal documents of Hacking Team: it also laid bare the code for their intrusion software, and even revealed a critical vulnerability in Adobe Flash that the group had been using to inject malware in targets’ computers.
Just days after the data leak, that vulnerability was adopted by virus writers who used it to deliver their own malware, taking advantage of the fact that Hacking Team had never told Adobe of the flaw it had discovered. And the company is now warning that its own software is being used: “Before the attack, Hacking Team could control who had access to the technology that was sold exclusively to governments and government agencies. Now, because of the work of criminals, that ability to control who uses the technology has been lost. Terrorists, extortionists and others can deploy this technology at will if they have the technical ability to do so.”
The data dump is clearly not an unalloyed good. But if it’s the only way to discover what is going on inside the digital mercenaries of the world, it may be worth it anyway.