Who hacks the hackers? It’s a question the founder of Hacking Team — a company which supplies its own version of surveillance malware to governments worldwide — is struggling to answer after the Hacking Team’s database was compromised, its website knocked out, and more than 400 gigabytes of data made public. Trails of email communications also show deals with nations like Libya, Egypt, Sudan, and even Australia to license the company’s flagship spying software. Now, agencies are under scrutiny as pages from their surveillance playbooks see the light of day — is Hacking Team friend or foe?
The Usual Suspects
For years, the Hacking Team has been under fire from security researchers, NGOs, and even the United Nations for “supplying its intrusion and surveillance software to oppressive dictatorships like Sudan,” according to ABC. But founder David Vincenzetti says the Milan-based company is actually the “good guy” in this story, since it has taken steps such as pulling support for its product in Ethiopia, where it was used to spy on journalists and activists. The company’s flagship product, Remote Control System (RCS), installs malicious software on a user’s device which can remotely activate cameras and microphones, capture data, and then send it back to a command and control center for analysis. The company claims its software is “totally invisible,” and can “defeat encryption” and easily obtain texts or emails. In other words, it’s surveillance malware writ large, given that more than a few governments have spent the money to license RCS and roll it out nationwide.
For his part, Vincenzetti says that “the geopolitical changes rapidly, and sometimes situations evolve,” claiming that his company only sold to nations like Libya when they were fast friends with the United States and other first-world nations. What’s more, he argues that without regular updates, RCS and other tools are blocked, in effect making Hacking Team the gatekeepers of continued surveillance and potential arbiters of justice.
Trouble Down Under
Thanks to the recent hack of the company’s website, however, it’s been revealed that at least five Australian agencies — ASIO, the Australian Federal Police (AFP), NT Police, NSW Police, and anti-corruption watchdog IBAC — have all been conducting negotiations with Hacking Team to license its software. The leaked emails show IBAC on the cusp of signing a $500,000 deal with the malware company, but unable to finalize the details because the two sides couldn’t reach agreement on server locations. IBAC says “it is not a client of Hacking Team and has never purchased any of its services.” True on both counts, but the statement makes no mention of a possible deal or negotiations.
The AFP, meanwhile, has been identified as a previous client of Hacking Team, though they parted ways in 2011. Not surprisingly, the agency won’t comment on “what may or may not form part of its operational or technical methodologies.” And Canberra company Criterion Solutions apparently signed a non-disclosure agreement for information about RCS, leading some to suggest that they would act as Hacking Team’s point of sale in Australia. The company denies these claims.
And Australia isn’t alone — a recent Vice News article notes that Canada’s Royal Canadian Mounted Police (RCMP) and the Canadian Security Intelligence Service (CSIS) were in talks to purchase RCS back in 2011. The RCMP opted to shelve the deal, but there’s no word on CSIS’s final decision.
Possible human rights complaints and citizen surveillance aside, there’s a more compelling side to this story: that Hacking Team itself was hacked. Vincenzetti says “this is not an impromptu initiative: the attack was planned for months, with significant resources, the extraction data took a long time.” He asserts that only an organization “at the government level” could have carried out such an attack. Two questions emerge. How did Hacking Team not notice the “long time” it took to crack their system and steal massive amounts of data? And why do government agencies seemingly fail to understand that malware makers are themselves vulnerable to hacks — and that the exposure of emails and contract details could bring public scrutiny and outcry?
There are no easy answers here. But it’s worth knowing that agencies from nations worldwide are very interested in accessing mobile device data where and when they want. Your best bet? Stop them before they get started: surf using secure connections, obscure your activities with a VPN or Tor-based network, and make them work for it if they want to score your data.