07/05-09/2015
The controversial Italian surveillance company Hacking Team, which sells spyware to governments all around the world, including agencies in Ethiopia, Morocco and the United Arab Emirates, as well as the US Drug Enforcement Administration, has been seriously hacked.
Hackers have made 400GB of client files, contracts, financial documents, and internal emails, some as recent as 2015, publicly available for download.
What’s more, the unknown hackers announced their feat through Hacking Team’s own Twitter account.
Last year, a hacker who went only by the name “PhineasFisher” hacked the controversial surveillance tech company Gamma International, a British-German firm that sells the spyware software FinFisher. He then went on to leak more than 40GB of internal data from the company, which has long been criticized for selling to repressive governments.
That same hacker has now claimed responsibility for the breach of Hacking Team, which sells a similar product called Remote Control System Galileo.
Lorenzo Franceschi-Bicchierai / Motherboard:
On Sunday night, I reached out to the hacker while he was in control of Hacking Team’s Twitter account via a direct message to @hackingteam. Initially, PhineasFisher responded with sarcasm, saying he was willing to chat because “we got such good publicity from your last story!” referring to a recent story I wrote about the company’s CEO claiming to be able to crack the dark web.
Afterwards, however, he also claimed that he was PhineasFisher. To prove it, he told me he would use the parody account he used last year to promote the FinFisher hack to claim responsibility.
“I am the same person behind that hack,” he told me before coming out publicly.
The hacker, however, declined to answer any further questions.
The leak of 400GB of internal files contains “everything,” according to a person close to the company, who only spoke on condition of anonymity. The files contain internal emails between employees; a list of customers, including some, such as the FBI, that were previously unknown; and allegedly even the source code of Hacking Team’s software, its crown jewels.
——————————————————————————————————————————————————————————————————-
HIGHLIGHTS:
——————————————————————————————————————————————————————————————————-
Screenshot shows an email dated 2014 from Hacking Team’s founder and CEO David Vincenzetti to another employee. In the email, titled “Yet another Citizen Lab attack,” Vincenzetti links to a report from the online digital rights research center Citizen Lab, at the University of Toronto’s Munk School of Global Affairs, which has exposed numerous cases of abuse by Hacking Team’s clients.
Hacking Team has never revealed a list of its clients, and has always and repeatedly denied selling to sketchy governments, arguing that it has an internal procedure to address human rights concerns about prospective customers.
The email about Citizen Lab is filed in a folder called “Anti HT activists.”
——————————————————————————————————————————————————————————————————-
via Thomas Fox-Brewster / Forbes:
In-depth notes on the level of exploitation across a number of Android devices, from the likes of Samsung, HTC and Huawei. It appears the exploits weren’t always successful in accessing voice or texts on phones.
Hacking Team operations manager Daniele Milan’s email from January indicated some imminent features in Hacking Team’s tools included “physical infection of BitLocker protected disks”, thereby bypassing the much-used Microsoft disk encryption technology, as well as “extraction of information from pictures posted on Facebook and Twitter”. It will also soon be able to “capture of documents edited using Google Docs or Office 365”, the roadmap suggested.
Another email from Milan, dated 15 May, indicated the security-focused messaging application Wickr was on the target list too, thanks to a request from the US government. “I had a call this morning with an agent from Homeland Security Investigations [a body within the Department of Homeland Security], and he told me he got some requests to intercept suspects using this application, Wickr… we may want to keep an eye on it and eventually evaluate to add support.”
via Dan Goodin / Ars Technica:
Another document boasts of Hacking Team’s ability to bypass certificate pinning and the HTTP strict transport security mechanisms that are designed to make HTTPS website encryption more reliable and secure. “Our solution is the only way to intercept TOR traffic at the moment,” the undated PowerPoint presentation went on to say.
Elsewhere, the document stated: “HTTPS Everywhere enforces https and could send rogue certificates to the EFF SSL Observatory.” HTTPS Everywhere is a browser extension developed by the Electronic Frontier Foundation that ensures end users use HTTPS when connecting to a preset list of websites. The statement appears to be a warning that any fraudulent certificates Galileo relies on could become public if used against HTTPS Everywhere users when they have selected an option to send anonymous copies of HTTPS certificates to EFF’s SSL Observatory database.
——————————————————————————————————————————————————————————————————-
Renowned cryptographer Bruce Schneier: “The Hacking Team CEO, David Vincenzetti, doesn’t like me:”
In another [e-mail], the Hacking Team CEO on 15 May claimed renowned cryptographer Bruce Schneier was “exploiting the Big Brother is Watching You FUD (Fear, Uncertainty and Doubt) phenomenon in order to sell his books, write quite self-promoting essays, give interviews, do consulting etc. and earn his hefty money.”
——————————————————————————————————————————————————————————————————-
Lorenzo Franceschi-Bicchierai / Motherboard:
After suffering a massive hack, the controversial surveillance tech company Hacking Team is scrambling to limit the damage as well as trying to figure out exactly how the attackers hacked their systems.
But the hack hasn’t just ruined the day for Hacking Team’s employees. The company has told all its customers to shut down all operations and suspend all use of the company’s spyware, Motherboard has learned.
“They’re in full on emergency mode,” a source who has inside knowledge of Hacking Team’s operations told Motherboard.
Hacking Team notified all its customers on Monday morning with a “blast email,” requesting them to shut down all deployments of its Remote Control System software, also known as Galileo, according to multiple sources. The company also doesn’t have access to its email system as of Monday afternoon, a source said.
A source told Motherboard that the hackers appear to have gotten “everything,” likely more than what the hacker has posted online, perhaps more than one terabyte of data.
It’s unclear how the hackers got their hands on the stash, but judging from the leaked files, they broke into the computers of Hacking Team’s two systems administrators, Christian Pozzi and Mauro Romeo, who had access to all the company’s files, according to the source.
In a series of tweets on Monday morning, which have since been deleted, Pozzi said that Hacking Team was working closely with the police, and warned everyone who was downloading the files and commenting on them.
“Be warned that the torrent file the attackers claim is clean has a virus,” he wrote. “Stop seeding and spreading false info.”
The future of the company, at this point, is uncertain.
Employees fear this might be the beginning of the end, according to sources. One current employee, for example, started working on his resume, a source told Motherboard.
It’s also unclear how customers will react to this, but a source said that it’s likely that customers from countries such as the US will pull the plug on their contracts.
Hacking Team asked its customers to shut down operations, but according to one of the leaked files, as part of Hacking Team’s “crisis procedure,” it could have killed their operations remotely.
The company, in fact, has “a backdoor” into every customer’s software, giving it the ability to suspend it or shut it down—something that even customers aren’t told about.
To make matters worse, every copy of Hacking Team’s Galileo software is watermarked, according to the source, which means Hacking Team, and now everyone with access to this data dump, can find out who operates it and who they’re targeting with it.
Hacking Team did not respond to repeated requests for comment, both to its US spokesperson Eric Rabe as well as directly to its office in Milan, Italy.
——————————————————————————————————————————————————————————————————-
When asked about the identity of the person or group who carried out the attack, Rabe indicated that he believed the attack was the work of a nation state or a criminal gang, and not the work of an activist as many have speculated:
“Doing our own forensics here, we think this was a very sophisticated attack, and certainly not the work of an amateur. The press seems to take the view that this was some sort of human rights activist but I think that is far from certain and it could easily have been criminal activity or some government activity,” adding that “this is almost certainly an international crime”.
When it was pointed out that if a government or criminal group was behind the attack then posting all the information online seems a strange move, Rabe said: “I am not sure why anybody would do that, but part of the effort here was to disrupt our operations as much as possible so I think that would be a motive for many different people.”
When asked if this could be the work of one of Hacking Team’s competitors such as UK-based Gamma International or Israeli NSO Group, Rabe said: “I think that is unlikely” though he admitted that just like everyone else he was speculating.
While some media reports have suggested the company is working with the Italian police to investigate the attack, Rabe says that all he will say is that the company is “working with law enforcement,” reiterating that this was an international attack.
——————————————————————————————————————————————————————————————————-
*This post will be continuously updated as there is much more new information emerging. Post anything you find in the comments below and I will add them to the article. LAST UPDATE: 07/09/2015 @ 5PM EST
——————————————————————————————————————————————————————————————————-
Related Links:
To Protect and Infect: The Militarization of the Internet – Claudio Guarnieri, Morgan Marquis-Boire, Jacob Appelbaum @ 30c3
http://leaksource.info/2015/07/07/hacking-team-hacked-400gb-data-dump-of-internal-documents-emails-source-code-from-notorious-spyware-dealer/