The Hacking Team Defectors
Illustration by Shaye Anderson

FYI.

This story is over 5 years old.

Tech

The Hacking Team Defectors

“Hacking Team shouldn’t be a fucking religion that if you wanna leave you’re an infidel or a traitor."

I am sitting in a nondescript all-white office room in Sliema, a touristy, commercial town that faces Malta's capital of Valletta. I'm staring at my computer, typing commands into the terminal, and I have no idea what I'm doing.

Sitting across the room there's a hacker who looks nothing like the image of a hacker that popular culture has ingrained in our minds. He has a buzz-cut, he's clean-shaven, has an earnest smile, and is wearing a dark blue polo shirt and cargo shorts. He looks more like a tourist than someone who used to develop spyware for the infamous Italian surveillance tech company Hacking Team.

Advertisement

He is sending me a bunch of commands written in the Python programming language, trying to exploit a flaw in my MacBook's operating system, so that I can get administrative privileges on my work computer.

"Let me write another backdoor," he says.

After a few failed attempts, and a couple more Python scripts, it finally works.

"Fuck yeah, you're root," he says, using the technical term for a user who has full privileges on a computer. "We just exploited your computer!" he adds, laughing.

I laugh too, and then I realize that, technically, a guy that used to work at Hacking Team, the surveillance technology vendor that sold its products to almost 40 law enforcement and intelligence agencies from across the world, according to data dumped online this summer, just hacked my computer.

***

His name is Alberto Pelliccione. Until last year, he was the man responsible for developing Hacking Team's Android spyware, and one of the employees who had worked on the company's marquee product, the surveillance suite known as Remote Control System or RCS, since its early days.

In February of last year, Pelliccione resigned. Since then, the company's top brass, particularly the CEO David Vincenzetti, has gone after him for leaving, and later sued him for allegedly using Hacking Team's code to create an antidote to the company's spyware, a defensive system called ReaQta.

Now, after a mysterious hacker only known as PhineasFisher breached the company in July, exposing its most guarded secrets, such as internal emails, list of clients, and even the spyware's source code, Pelliccione was fingered by Vincenzetti as a potential suspect.

Advertisement

But he's not the only one who's faced the wrath of his old company.

A small group of high-level former employees, who all left after Pelliccione, are also suspected of being behind the hack, and have been called "infidels" and "traitors" by the Italian press. Their departure, as well as what happened to them after they left, shows that even internally, some were not happy about the direction the company took in the last few years; there have been multiple reports that Hacking Team's products were being abused by some of its customers, such as Morocco, the United Arab Emirates, Ethiopia, or Saudi Arabia.

"Hacking Team shouldn't be a fucking religion that if you wanna leave you're an infidel or a traitor."

The group of former employees was accused of having played part in the hack after months of separate lawsuits against five of them. Two of them even received visits from the Italian intelligence—all ploys that seem to be a way to intimidate and punish them for having left the company.

A Hacking Team former employee asked not to be named because Vincenzetti, "with his ongoing lawsuits, is at least a little bit effective in his terrorist tactics aimed at forcing people not to talk."

Guido Landi, who worked as a developer at Hacking Team focusing on Windows, is one of the former employees that the company is going after. For him, Hacking Team is a "madhouse," led by a "fascist" who won't forgive anyone who dares to leave.

Advertisement

Another former employee said that ever since Pelliccione left, the ones that followed him were immediately "categorized as enemies, criminals, people of dubious reputation."

This past summer, before the breach, another developer announced that he wanted to resign. Immediately, according to internal emails, Vincenzetti worried that he might leave for a competitor and wrote in an email to other executives that he was considering "legal actions."

Intimidating people wanting to leave was "routine procedure," according to a former employee. Landi confirms, saying that he heard of various cases. "As soon as you resigned, you became the enemy," he says.

"Hacking Team shouldn't be a fucking religion that if you wanna leave you're an infidel or a traitor, Pelliccione tells me. "It's just a company and if you're sick of it, you should have the right to leave."

***

Hacking Team's former Android developer Alberto Pelliccione. Photo: Lorenzo Franceschi-Bicchierai/Motherboard

At the end of 2007, Pelliccione was researching robotics and artificial intelligence at the National Research Council in Rome. That's when he got a call from an old friend who was working at Hacking Team. At the time, the company was a small firm focused mostly on consulting and helping companies, such as big banks, to protect themselves. The year prior, the company had just started working on its offensive hacking solution, which would later be known as DaVinci, the first version of RCS. When he joined, Pelliccione says there were less than four people working on the project.

Advertisement

"We were doing stuff the world had never seen," Pelliccione tells me.

Slowly, RCS became the company's main, and eventually only business, and Pelliccione became the lead developer of the mobile team, first focusing on Windows mobile, and then Android.

Initially, the company only sold to the Italian government, but thanks to aggressive marketing, and a rising global demand for tools to break into criminals' computers and cellphones, Hacking Team quickly went global, selling all over the world. Despite the booming business, the company was able to keep a low profile until late 2012.

On October 10, 2012, researchers at the Citizen Lab, a digital watchdog at the University of Toronto's Munk School of Global Affairs, revealed that the Moroccan government had used a sophisticated spy software to target the local citizen journalist group Mamfakinch. The researchers found that the malware used against the journalists was called "DaVinci," and traced it back to Hacking Team.

It was the first time the company's products had been linked to human rights abuses. Hacking Team's top brass called for an emergency meeting, as the Citizen Lab report had also exposed the company's tools, which relied on being invisible to antivirus software to be effective. The management asked the developers to go back to the drawing board, and make DaVinci stealth again.

Publicly, Hacking Team brushed off the report, saying its policy was not to discuss its customers, and that the company's goal was to provide tools to investigate crimes. Internally, the top brass told its employees that there was no way for them to know how the customers used the tools, and that there was no way for them to know whether the targets in Morocco were really activists or criminals.

Advertisement

"You shouldn't sell to Sudan. Period. Same goes for Ethiopia. And even in other less evil countries, there were abuses."

But the developers, as well as other employees, were taken aback, according to Pelliccione. They started asking questions, and debating whether the tools they were creating were being used to fight crime and terrorism, or quash dissent.

"That debate lit up internally on that day, and never subsided," Pelliccione tells me.

The executives also decided to compartmentalize and separate the sales and field application engineers teams, who had the most visibility into the customers, from the developers—"a separation aimed at avoiding internal discontent," Pelliccione says.

The compartmentalization became even physical. The developers were working on the ground floor of Via Moscova 13, Hacking Team's headquarters in Milan, while the management was placed on the first floor, and the sales and field application engineers, who travelled around the world demoing the products, worked on the fifth floor.

At that point the employees had a harder time knowing what was going on, and how some of the tools were being used, or whom the company was selling to. But Citizen Lab researchers kept revealing more cases of abuse, and Pelliccione says there probably are many more that nobody will ever know about.

Landi, who says he had little visibility into the customers, admits that he could have asked friends at the higher floors, but he decided not to, preferring not to know. Looking back, however, he says Hacking Team sold to countries it shouldn't have sold to.

Advertisement

"You shouldn't sell to Sudan. Period. Same goes for Ethiopia," Landi says. "And even in other less evil countries, there were abuses."

For his six years at Hacking Team, despite being the lead of the Android development team, Pelliccione says that he was never hired full time, and never felt really valued by the company. For that reason, and because of the internal debate over the legitimacy of Hacking Team's tools, he decided to leave.

"Nobody likes to know that what you make is used for evil," he says. "No matter how much you regulate these tools, you'll never effectively know how they could be used. You can hope they will be used for good, but you never know who really ends up using them."

Hacking Team declined to comment for this story, but the company has long maintained that it doesn't sell to countries where there are "credible concerns" that its products "will be used to facilitate human rights violations." Yet, after Citizen Lab reported a first suspected case of abuse by the Ethiopian government, the company didn't stop selling to the country, which was later caught again targeting the same journalists using Hacking Team's spyware.

The company even used to have an external review board that was supposed to make sure the Hacking Team didn't sell to repressive regimes. Despite this panel, which turned out to be formed by lawyers at the international firm Bird & Bird, the company sold to Sudan, when the UN had put the country on an embargo blacklist.

Advertisement

Exhibit A: Italy's UN rep tells the UN John AdamsJuly 6, 2015

The company has also always claimed that it had no visibility into how the customers were using its products. But in reality, whenever a client wanted to infect a target with a booby-trapped document, it would send the document to Hacking Team's technicians, who were tasked with weaponizing it. While this didn't necessarily mean that the company knew whom the documents would be sent to, they could have an idea, depending on the content of the document.

In 2013, Reporters Without Borders named Hacking Team one of the "Enemies of the Internet" for selling tools to repressive regimes. A year later, on February 12, 2014, Citizen Lab revealed that the Ethiopian government had used Hacking Team's spyware to hack into the computers of several journalists in the diaspora, in what activists saw as yet another clear attack on freedom of speech.

For Pelliccione, that was the final straw. Two days later, he told his bosses that he wanted to resign. On Feb. 21, the company announced in an internal email that he was leaving to launch his own security company in Malta.

"I wish Alberto all the best," Hacking Team's Chief Operation Officer, Giancarlo Russo, wrote in the email, in which he described Pelliccione's decision as "bold and courageous."

But Vincenzetti, the CEO, didn't take it that well.

"Alberto was one of the top guys," Vincenzetti wrote in an email sent only to other executives. "This has NEVER happened."

Advertisement

"No matter how much you regulate these tools, you'll never effectively know how they could be used."

The CEO immediately doubted Pelliccione's real motives, wondering if he'd take other people with him to create a "spin-off" company or a "competitor." In the following weeks, another employee, a field applications engineer, left the company too. In an email discussing her departure, Vincenzetti talked about "serious cracks" in the company, and the risk of more "defections" that could end up "destroying" the company.

In May, Vincenzetti shared more bad news, another "serious loss," this time it was Landi, another key developer.

"Guido [Landi] is the right arm of [Chief Technology Officer] Marco Valleri," Vincenzetti writes. "Without him, we can't guarantee the invisibility of our product."

Vincenzetti added that he had involved Hacking Team's "highest contacts" with the Italian government to figure out where Landi was going. He was likely referring to two agents at the Italian secret service, the country's intelligence arm: Coronel Riccardo Russi, and General Antonello Vitale.

When another key employee named Mostapha Maanna resigned a few days later, Vincenzetti started to see a "conspiracy," as Pelliccione puts it, and was worried the former employees wanted to compete with Hacking Team.

In the following months, Vincenzetti launched a full on probe into their activities, according to leaked emails and documents. Russi played a fundamental role in it, personally meeting with Landi and Maanna, and even paying them a "visit," as he himself put it in an email, sent from his personal account in August of 2014.

Advertisement

Meanwhile, Pelliccione founded ReaQta and set up shop in Malta to create a new system that uses artificial intelligence to detect cyberattacks. Worried about Pelliccione, Hacking Team hired private investigators from the US firm Kroll to figure out what he was up to, according to a leaked internal report.

In the following months, Kroll posed as a potential buyer to learn more about ReaQta. The investigators met with Pelliccione, as well as with one of his collaborators, Alberto Velasco. At the time, Velasco was also an Hacking Team freelance contractor who represented the company in the United States. It was Velasco's American-based company, Cicom USA, that acted as middle man when the Drug Enforcement Administration bought Hacking Team's software in 2012.

In a meeting in Annapolis, Maryland, on January 16, 2015, Kroll investigators asked Velasco and Pelliccione, who was connected via Skype, whether ReaQta could block Hacking Team's malware. The two, according to the firm's report, "laughed nervously." Pelliccione then said that indeed, ReaQta could neutralize Hacking Team's tools.

For Hacking Team's brass, that was an admission of guilt. Four months later, on May 5, Vincenzetti filed a lawsuit in Italy against Pelliccione, Velasco, Landi, Maanna, and Serge Woon, another former employee who went to work with ReaQta, for conspiring to create an "antidote" against Hacking Team, using stolen code.

Advertisement

"These accusations are just an act of retaliation."

In the lawsuit Vincenzetti wrote that ReaQta's ability to block Hacking Team's RCS can only be due to the "subtraction of RCS source code from Hacking Team's systems." Vincenzetti accused Maanna and Landi of leaving Hacking Team with the purpose of helping Pelliccione commercialize ReaQta. The company also sued Velasco in the United States, as well as Woon in Singapore.

The former employees deny all the accusations. Pelliccione tells me that the lawsuit is nonsense, given that ReaQta is a defensive product, while Hacking Team is an offensive tool. And it wouldn't make sense for him to market ReaQta as an antidote given that Hacking Team is used by a small number of customers for targeted surveillance. In other words, it wouldn't make business sense, he says.

Hacking Team spokesperson Eric Rabe declined to comment on the lawsuits, saying these are "internal matters."

Since going to court, the company has kept the pressure on the former employees. Last summer, before getting hacked, it hired private investigators to tail Maanna, according to leaked emails and reports from the detectives. In an email, a Hacking Team lawyer told the detectives that company was looking for "evidence" of Maanna's "participation in an Islamic group." The detectives' report, however, is nothing but mundane, as they didn't find any evidence of affiliation with any groups, but just witnessed Maanna go play tennis and to the grocery store.

Advertisement

A picture of Mostapha Maanna, another former employee of Hacking Team, taken by detectives hired by the company to tail him.

A few weeks after the devastating hack, in which PhineasPhiser siphoned off 400 gigabytes of internal data, Italian prosecutors started investigating the former employees. (Pelliccione and Landi declined to comment about the investigation).

Alessandro Gobbis, the lead prosecutor, confirmed to me in a phone call in August that the former employees were being investigated after someone "outside" of the prosecution signalled them as potential suspects. Gobbis declined to reveal the names of all the former employees who are under investigation, as well as who fingered them as potential suspects. Sources, however, told me it was Vincenzetti who implicated them. The prosecutor also declined to reveal any other details of the investigation, given that it was still ongoing.

"We're looking into all the possibilities," he told me over the phone.

Hacking Team's spokesperson Rabe said in an email that the company "has not named or accused anyone of the attack since the perpetrators are simply unknown," and that Hacking Team "can only speculate about who or even why the company was targeted this attack."

In the weeks after the hack, Vincenzetti said that the attack was a "vicious and reckless crime," perpetrated with the goal of destroying the company. But Vincenzetti also promised not to back down, saying the company will emerge with "new and better tools."

The group of former employees strongly deny their alleged involvement in the attack.

Advertisement

"We had nothing to do with it," Pelliccione says. "I feel like these accusations are just an act of retaliation."

***

Hacking Team's official twitter account on the day of PhineasFisher's attack.

It's a scorching hot summer day in Malta. Pelliccione and I are sitting at a table, eating a chicken shawarma. After six years developing tools to hack into people's computers, Pelliccione has switched sides, and is now using his skills and experience to keep the hackers out.

It's been more than a year since he left Hacking Team. During that time, the hacker has been working with a small team of developers to create a next generation defensive solution called ReaQta-Core. Pelliccione says ReaQta-Core uses artificial intelligence and machine learning to protect against malware, and lives at the CPU level, so it's able to provide better protection than traditional antiviruses. The company hasn't received venture capital yet, but it's now actively looking for investors.

During our lunch, Pelliccione looks into the void for a second.

"Do you remember when that security firm analyzed Hacking Team's Android implant?" he asks.

He's referring to an analysis by Trend Micro, which called the company's Android spyware "the most professionally developed and sophisticated Android malware ever exposed."

I nod. He stares at me, and quotes the analysis, smiling.

"When I read that," he says, pretending to tip his nonexistent hat, "I shook my own hand. I wrote that malware!"

Check out more of our extensive Hacking Team coverage here.

Illustration by Shaye Anderson