They say what goes around comes around, and there's perhaps nowhere that rings more true than in the world of government surveillance.
Such was the case on Monday morning when Hacking Team, the Italian company known for selling electronic intrusion tools to police and federal agencies around the world, awoke to find that it had been hacked itself—big time—apparently exposing its complete client list, email spools, invoices, contracts, source code, and more.
Those documents show that not only has the company been selling hacking tools to a long list of foreign governments with dubious human rights records, but it’s also establishing a nice customer base right here in the good old US of A.
The cache, which sources told Motherboard is legitimate, contains more than 400 gigabytes of files, many of which confirm previous reports that the company has been selling industrial-grade surveillance software to authoritarian governments. Hacking Team is known in the surveillance world for its flagship hacking suite, Remote Control System (RCS) or Galileo, which allows its government and law enforcement clients to secretly install “implants” on remote machines that can steal private emails, record Skype calls, and even monitor targets through their computer's webcam.
Hacking Team in North America
According to the documents, that capability is being sold to US government agencies under cover names, through a front company called Cicom USA that has been reported on by Motherboard in the past.
The Federal Bureau of Investigation, which the newly-leaked files reveal as a Hacking Team customer for the first time, is known as “KATIE,” while the Drug Enforcement Administration, whose purchase of Hacking Team intrusion software was revealed by Motherboard, goes by the alias “PHOEBE.”
One of the leaked emails reveals the US Army also bought Hacking Team software, but its budget was cut following the purchase, denying it the funds necessary to set up a server.
Even further, a document describing the company's “US Action Plan” shows Hacking Team is actively pursuing contracts with other North American entities, including the Bureau of Alcohol, Tobacco and Firearms, the US Navy, the Royal Canadian Mounted Police, Immigration and Customs Enforcement, and the New York Police Department. The NYPD, for example, received a demo but did not purchase the software, according to a source.
Clients around the world
According to leaked contracts, invoices and an up-to-date list of customer subscriptions, Hacking Team’s clients—which the company has consistently refused to name—also include Kazakhstan, Azerbaijan, Oman, Saudi Arabia, Uzbekistan, Bahrain, Ethiopia, Nigeria, Sudan and many others.
The list of names matches the findings of Citizen Lab, a research lab at the University of Toronto's Munk School of Global Affairs that previously found traces of Hacking Team on the computers of journalists and activists around the world. Last year, the Lab's researchers mapped out the worldwide collection infrastructure used by Hacking Team's customers to covertly transport stolen data, unveiling a massive network made up of servers based in 21 countries. Reporters Without Borders later named the company one of the “Enemies of the Internet” in its annual report on government surveillance and censorship.
“I feel quite vindicated that all our discoveries have in fact been confirmed by the leak,” Citizen Lab researcher Claudio Guarnieri wrote on Twitter. “Perhaps now [Hacking Team] will have a harder time lying about it.”
Hacking Team stonewalled the UN about its activities in Sudan
One of the more alarming names on the list is Sudan, a country infamous for its long history of human rights abuses—from persecution of human rights workers to slavery, genocide, and the widespread use of child soldiers. A series of letters show that in September 2014, following Citizen Lab's reports, an expert panel from the United Nations began an inquiry into Hacking Team's alleged sale of surveillance software to the Sudanese government, on the grounds that it could violate European sanctions on military arms.
But Hacking Team appears to have been stonewalling the UN for months. The company initially responded by saying that Sudan is not one of its customers, then claimed that the UN has no authority to ask questions because its hacking software is not considered a weapon. But it never clarified whether it has ever sold hacking software to Sudan in the past.
“You will certainly understand that the panel’s request doesn’t appear justified at all,” Hacking Team’s CEO David Vincenzetti wrote in a response in February to the UN. “Each further request from the panel appears to be a violation—unjustified and unjustifiable in any way—of the right of commercial confidentiality which we consider a primary right, worth the largest protection from the law.”
In a subsequent response, this one dated April 21, Vincenzetti went as far as to accuse the UN’s inquiry of being “damaging” to Hacking Team’s “reputation and image.”
Yet, among the leaked files there’s an invoice from the company to Sudan.
Exhibit A: Italy's UN rep tells the UN @hackingteam has no business in Sudan. Exhibit B: HT's invoice to Sudan pic.twitter.com/fcs0LR5AoL
— John Adams (@netik) July 6, 2015
The UN followed up on five separate occasions asking if Hacking Team had ever done business with Sudan, but its question went unanswered. The most recent letter from the UN, dated May 15th, 2015, assigned a response due date of June 30th.
According to contracts and invoices found in the cache, Hacking Team did indeed sell Remote Control System to the Sudanese government: In September of 2012, the country's National Intelligence Security Service made its second of two 480,000 Euro wire transfers (totaling about $1,046,000 USD) for use of the software. Hacking Team's list of client renewal dates shows that the Sudanese government's subscription continued until December 31st, 2014, a few months after the UN inquiry began. Oddly, the current status of both Sudan and Russia in Hacking Team's document is listed as “Not officially supported,” rather than “Expired.”
A source with knowledge of the matter, who could not speak on the record due to its sensitive nature, has also confirmed to Motherboard that Sudan was in fact a Hacking Team customer.
Hacking Team: we look for “red flags” when vetting customers
Eric Rabe, Hacking Team's spokesman, could not be reached for comment on the company's relationship with the government of Sudan and others. In the past, Rabe has claimed that Hacking Team has an internal audit process which ensures its products won’t be abused by repressive regimes. But he has refused to elaborate on that process, saying only that the company will “look for red flags” that indicate the software is being “misused.”
It's not clear from the documents that Hacking Team's definition of “misuse” actually includes human rights violations, considering how many of its clients are infamously oppressive governments.
But we’ve only scratched the surface of this massive leak, and it’s unclear how Hacking Team will recover from having its secrets spilling across the internet for all to see. In the meantime, the company is asking all customers to stop using its spyware—and likely preparing for the worst.
Additional reporting by Lorenzo Franceschi-Bicchierai.
Correction 7/7/15: This report originally described Toronto's Citizen Lab as a non-profit research group, when it is actually a research lab at the Munk School of Global Affairs. We regret the error.