Milan-based “digital mercenar[ies]”, Hacking Team, have
fallen victim to their own sword in a hack that has revealed documents that
allege that the company did business with various repressive regimes. The outfit uses vulnerabilities and malware to
access the networks of its clients’ targets in a legal offensive, a service it
offers to law enforcement services and national security organisations.
A Reporters Without Borders report released in 2013 named
Hacking Team as a “corporate enem[y] of the internet”. Hacking Team has frequently denied selling
their software to repressive administrations and the firm responded to this
with a statement claiming that they go “to
great lengths to assure that [their] software is not sold to governments that
are blacklisted by the EU, the USA, NATO and similar international
organisations or any ‘repressive’ regime.” They repeat this on their website; yet the
400GB of documents purport that they have been providing services for several
repressive authorities including those from Azerbaijan, Bahrain, Kazakhstan, Russia,
Saudi Arabia, the UAE and Uzbekistan.
The integrity of these documents, which were communicated using
the official Twitter feed of the firm, has not yet been independently verified. The hackers posted to the feed for hours
after the initial deluge until the company regained control on Monday
morning. The posts, which highlighted
particular documents (including emails, invoices and screenshots of employee
computers), have since been removed. The
organisation’s Twitter name was changed to Hacked Team, and has also since been
changed back.
One of these tweets asserts that negotiations between Hacking
Team and a third-party reseller took place in the context of exporting their
software to Nigeria. Such a sale may
have circumvented the export controls put in place by Italy. Another such tweet shows an internal debate
about a course of action after attacks by the University of Toronto, which averred
that they had sold hacking software to Ethiopia with the purpose of attacking
US journalists. These allegations have
never been confirmed or dismissed publicly by the company; however, in March,
they were dismissed by a spokesperson who suggested that they were “based on
some nicely presented suppositions”.
January 2015 saw the company denying, to the Italian
representative of the UN, any current business relations with the national
intelligence service for Sudan. Despite this,
one of the documents supposedly leaked from the company contains an invoice
for 480,000€ received from the Sudanese.
The answer to the UN’s follow-up question, “whether there have [been]
any previous business arrangements”, is not recorded.
The organisation’s website specifically states that they “provide
[their] software only to governments or government agencies” and not to “individuals
or private businesses”. However, another
invoice suggests that they had dealings with the private Brazilian company,
YasNiTech, to whom three months’ access to their remote access tool was
sold. This allowed the organisation to
hack into Android, Blackberry and Windows devices. It is unknown whether this was part of
a larger contract with the Brazilian state government; if not, it is in clear
breach of their policy.
The hacker who has now claimed responsibility for the
Hacking Team hack also claimed responsibility for the hack of their “wannabe competitor”,
Gamma Group International. GGI were best
known for their FinFisher surveillance software, 40GB of which was leaked in
2014, giving details of their clients, capabilities and pricing.
One of the employees of Hacking Team, Christian Pozzi,
tweeted saying that the documents are “false lies” and that “a lot of what the
attackers are claiming regarding [their] company is not true”. He stated that they “are currently working
closely with the police” and that he “can’t comment about the recent breach”. Later his feed was hacked and then the entire
account was deleted.
The rare chance to allegedly look inside the workings of a
cyber-surveillance firm like Hacking Team is being welcomed by numerous privacy
groups. Privacy International released a
statement saying that the “tools [Hacking Team are selling] are [being] used
to target human rights activists and pro-democracy supporters at home and
abroad. Surveillance companies like
Hacking Team have shown they are incapable of responsibly regulating
themselves, putting profit over ethics, time after time. Since surveillance
companies continue to ignore their role in repression, democratic states must
step in to halt their damaging business practices.”
The veracity of these documents has not yet been confirmed,
but many are calling for a full investigation, among them Marietje
Schaake, a Dutch MEP who has been dealing with issues in surveillance tech for
years. She is calling for an “urgent, thorough investigation” into the legality
of the alleged sales and whether or not they are in contravention of the
European sanctions against Russia and Sudan.
Whether or not the documents turn out to be genuine, many people are asking
who will be the hacker’s next target.
In a previous post we discussed the exploitation of zero-day
vulnerabilities in Adobe Flash Player, specifically the flaw
CVE-2015-3113. The data dump from the
Hacking Team hack revealed another zero-day vulnerability in the Flash Player and
Windows software, a patch for which is expected to be released today. Remember to update with this patch as soon as
possible to avoid attacks on your system.