Leaked Emails Show Hacking Team Lied to Its ‘Rascal’ Customers
Internal emails prove the company had control over its customers’ surveillance infrastructure, tagging malware and servers.
Image: Hacking Team
Contrary to its public claims of vetting customers to make sure its software wouldn't be abused, leaked documents and emails showed that Hacking Team, sold its spyware to authoritarian countries with poor human rights records such as Ethiopia or Sudan, and even considered selling to Bangladesh's "death squad," and Rwanda. But as it turns out, the company wasn't transparent even with its own customers.
Hours after the hack last week, Motherboard reported that Hacking Team, in full on "emergency mode," as a source put it, had told all its customers to shut down their spy operations. The company, however, could've shut down operations itself, since it had a hidden "backdoor" into the customers' infrastructure, according to the source.
The company wasn't transparent even with its own customers.
Days later, asked about that "backdoor," Hacking Team's co-founder and CEO David Vincenzetti was adamant in denying it.
"It's bullshit," he told Italian newspaper La Stampa over the weekend. "Our system works under the principle of 'customer isolation.' That means Hacking Team installs it, releases the updates, but can't in any way know what it's used for."
Yet, Hacking Team's own internal emails and documents show that the company does have a certain level of visibility into its customers' infrastructure, more than it's willing to publicly admit. In other words, Vincenzetti isn't being completely honest, or at least, as a person with knowledge of how Hacking Team's software works, is only telling a "half-truth."
In a document titled "Crisis Procedure," the company lays out what to do whenever something bad happens, including the case when a sample of its marquee product, the spyware Remote Control System (RCS), or Galileo, leaks online.
The company's employee can "associate" the sample's "watermark" to the client, according to the document, and "kill" the "anonymizer," which is a proxy server set up between the infected target and the "collector" server, where Hacking Team's customers gather data from their targets.
"Our system works under the principle of 'customer isolation.'"
Leaked emails also confirm this procedure, and reveal that Hacking Team never disclosed the fact that it could kill servers remotely to its clients. Moreover, the company even "watermarked" those servers, and routinely scanned them unbeknownst to its customers.
"We just did a little census of our customers' collectors," Marco Valleri, the company's chief technology officer, said in an email less than two weeks ago.
The census, Valleri continued, revealed that three customers, one in Azerbaijan, one in Morocco, and one in Italy, have their infrastructure "vulnerable" to tracking, the same tracking techniques that Citizen Lab used to expose 21 Hacking Team's customers last year.
"This makes it possible to associate, in theory, an RCS sample to a specific country," Valleri said, describing the customers who let their infrastructure open to tracking as "rascals" or "mischiefs." (All the emails referenced here are in Italian.)
Valleri and other colleagues then went on to discuss what were the best ways to tell these customers to change their servers' settings to avoid being exposed—without telling them that Hacking Team tested their infrastructure unbeknownst to them.
The company's operations manager Daniele Milan concluded that the best way was to talk directly to the Italian customer, plan an on-site visit in Morocco, and talk to the one in Azerbaijan—even though the customer there is a "dickhead" and might get angry and accuse the company of "violating its security," Milan wrote.
Other emails also confirm that all the customers' collector servers were watermarked by Hacking Team with unique codes for each customer. And it wasn't just the servers, all the customers' copies of Hacking Team spyware were also watermarked, as another email suggests.
Hacking Team's spokesperson Eric Rabe declined to answer a series of questions regarding the watermarks and Hacking Team's ability to kill servers remotely.
"I have no comment on the details of how the Hacking Team system works," Rabe told me in an email, "despite the fact that there is a good deal of information out there."
Claims that Hacking Team's system runs on "customer isolation," as the source put it, "it's all bullshit."
In fact, Claudio Guarnieri and Bill Marczak, two security researchers who have been investigating Hacking Team for years at the Citizen Lab at the University of Toronto's Munk School of Global Affairs, confirmed the existence of the watermarks.
After checking the spyware watermarks found in the leaked emails on the Hacking Team malware samples that he has collected over the years, Guarnieri, confirmed that most of the malware samples do in fact contain a watermark.
Those watermarks, he told Motherboard in an encrypted chat, allow him identify which customer the malware samples belong to. Even employees of Hacking Team routinely did the same check when a sample was published on the online repository Virus Total, according to several emails.
Marczak confirmed to Motherboard that among the leaked source code, there is a script (rcs-kill.rb) that allows Hacking Team to effectively "kill" the "collector" server and make it unusable to the customer, at least until it gets restarted.
The customers, according to a source with knowledge of the company's operations, did not know of any of this, otherwise they would have been "pissed."
In other words, Vincenzetti's claims that Hacking Team's system runs on "customer isolation," as the source put it, "it's all bullshit."