After suffering a massive hack, the controversial surveillance tech company Hacking Team is scrambling to limit the damage as well as trying to figure out exactly how the attackers hacked their systems.
But the hack hasn’t just ruined the day for Hacking Team’s employees. The company, which sells surveillance software to government customers all over the world, from Morocco and Ethiopia to the US Drug Enforcement Agency and the FBI, has told all its customers to shut down all operations and suspend all use of the company’s spyware, Motherboard has learned.
“They’re in full on emergency mode,” a source who has inside knowledge of Hacking Team’s operations told Motherboard.
“They’re in full on emergency mode.”
Hacking Team notified all its customers on Monday morning with a “blast email,” requesting them to shut down all deployments of its Remote Control System software, also known as Galileo, according to multiple sources. The company also doesn’t have access to its email system as of Monday afternoon, a source said.
On Sunday night, an unnamed hacker, who claimed to be the same person who breached Hacking Team’s competitor FinFisher last year, hijacked its Twitter account and posted links to 400GB of internal data. Hacking Team woke up to a massive breach of its systems.
A source told Motherboard that the hackers appears to have gotten “everything,” likely more than what the hacker has posted online, perhaps more than one terabyte of data.
“The hacker seems to have downloaded everything that there was in the company’s servers,” the source, who could only speak on condition of anonymity, told Motherboard. “There’s pretty much everything here.”
It’s unclear how the hackers got their hands on the stash, but judging from the leaked files, they broke into the computers of Hacking Team’s two systems administrators, Christian Pozzi and Mauro Romeo, who had access to all the company’s files, according to the source.
“I did not expect a breach to be this big, but I’m not surprised they got hacked because they don’t take security seriously,” the source told me. “You can see in the files how much they royally fucked up.”
“You can see in the files how much they royally fucked up.”
For example, the source noted, none of the sensitive files in the data dump, from employees passports to list of customers, appear to be encrypted.
“How can you give all the keys to your infrastructure to a 20-something who just joined the company?” he added, referring to Pozzi, whose LinkedIn shows he’s been at Hacking Team for just over a year.
“Nobody noticed that someone stole a terabyte of data? You gotta be a fuckwad,” the source said. “It means nobody was taking care of security.”
In a series of tweets on Monday morning, which have been since deleted, Pozzi said that Hacking Team was working closely with the police, and warned everyone who was downloading the files and commenting on them.
“Be warned that the torrent file the attackers claim is clean has a virus,” he wrote. “Stop seeding and spreading false info.”
The data dump contains information on Hacking Team’s clients, including a list of current and past law enforcement and intelligence customers. A source confirmed to Motherboard that the list is accurate and legitimate.
While Hacking Team has always declined to confirm or deny who its sold to, researchers from the Citizen Lab, at the University of Toronto’s Munk School of Global Affairs, have been able to map some of its customers in the past. But the new files reveal previously unknown customers, such as the FBI, Spain, Chile, Australia, Russia, as well as new details of known customers such as Sudan, a country where Hacking Team was likely legally barred from selling, due to international sanctions and embargoes.
Hacking Team did not answer to repeated requests for comment, both to its US spokesperson Eric Rabe as well as directly to its office in Milan, Italy.
The future of the company, at this point, it’s uncertain.
Employees fear this might be the beginning of the end, according to sources. One current employee, for example, started working on his resume, a source told Motherboard.
It’s also unclear how customers will react to this, but a source said that it’s likely that customers from countries such as the US will pull the plug on their contracts.
Hacking Team asked its customers to shut down operations, but according to one of the leaked files, as part of Hacking Team’s “crisis procedure,” it could have killed their operations remotely. The company, in fact, has “a backdoor” into every customer’s software, giving it ability to suspend it or shut it down—something that even customers aren’t told about.
To make matters worse, every copy of Hacking Team’s Galileo software is watermarked, according to the source, which means Hacking Team, and now everyone with access to this data dump, can find out who operates it and who they’re targeting with it.
"With access to this data it is possible to link a certain backdoor to a specific customer.”
"With access to this data it is possible to link a certain backdoor to a specific customer. Also there appears to be a backdoor in the way the anonymization proxies are managed that allows Hacking Team to shut them off independently from the customer and to retrieve the final IP address that they need to contact,” the source told Motherboard.
Meanwhile, Hacking Team will do “the impossible to avenge this,” the source said. “But at this point there’s not much they can do.”
This story has been corrected. A previous version of this story said that Sudan was among the newly revealed customers of Hacking Team, but it was actually revealed last year by Citizen Lab.