For €2,500 a day, governments could buy large scale astroturf campaigns, and for €1 million, services to create false criminal charges.
In the summer of 2014, a little known boutique contractor from New Delhi, India, was trying to crack into the lucrative $5 billion a year market of outsourced government surveillance and hacking services.
To impress potential customers, the company, called Aglaya, outlined an impressive—and shady—series of offerings in a detailed 20-page brochure. The brochure, obtained by Motherboard, offers detailed insight into purveyors of surveillance and hacking tools who advertise their wares at industry and government-only conferences across the world.
The leaked brochure, which had never been published before, not only exposes Aglaya's questionable services, but offers a unique glimpse into the shadowy backroom dealings between hacking contractors, infosecurity middlemen, and governments around the world which are rushing to boost their surveillance and hacking capabilities as their targets go online.
Read more: The Hacking Team Defectors
The sales document also outlines how commonplace commercial spy tools have become. For €3,000 per license, the company offered Android and iOS spyware, much like the malware offered in the past by the likes of Hacking Team, FinFisher, and, more recently, the NSO Group, whose iPhone-hacking tool was just caught in the wild last week. For €250,000, the company claimed it could track any cell phone in the world.
These were standard services offered by a plethora of companies who often peddle their wares at ISS World, an annual series of conferences that are informally known as the "Wiretappers' Ball."
But Aglaya had much more to offer, according to its brochure. For eight to 12 weeks campaigns costing €2,500 per day, the company promised to "pollute" internet search results and social networks like Facebook and Twitter "to manipulate current events." For this service, which it labelled "Weaponized Information," Aglaya offered "infiltration," "ruse," and "sting" operations to "discredit a target" such as an "individual or company."
"[We] will continue to barrage information till it gains 'traction' & top 10 search results yield a desired results on ANY Search engine," the company boasted as an extra "benefit" of this service.
Aglaya also offered censorship-as-a-service, or Distributed Denial of Service (DDoS) attacks, for only €600 a day, using botnets to "send dummy traffic" to targets, taking them offline, according to the brochure. As part of this service, customers could buy an add-on to "create false criminal charges against Targets in their respective countries" for a more costly €1 million.
Also starting at €1 million, customers could purchase a "Cyber Warfare Service" to attack "manufacturing" plants, the "power grid," "critical network infrastructure," and even satellites and airplanes. Aglaya even claimed to sell unknown flaws, or zero-days, in Siemens industrial control systems for €2 million.
Some of Aglaya's offerings, according to experts who reviewed the document for Motherboard, are likely to be exaggerated or completely made-up. But the document shows that there are governments interested in these services, which means there will be companies willing to fill the gaps in the market and offer them.
"Some of this stuff is really, really, sketchy," Christopher Soghoian, the principal technologist at the American Civil Liberties Union, who has followed the booming market of surveillance tech vendors for years, told Motherboard. "When you're offering the ability to attack satellites and airplanes, this is not lawful intercept. This is basically 'whatever you want we'll try to do it.' These guys are clearly mercenaries, what's not clear is if they can deliver on their promises. This is not a company pretending that it's solely focusing on the lawful intercept market, this is outsourcing cyber operations."
Ankur Srivastava, the CEO and founder of Aglaya, did not deny that the brochure is legitimate, only saying this particular product sheet was passed on only to "one particular customer."
"These products are not on our web site, with our customers and nor do they represent the vision of our product portfolio," Srivastava said in an email. "This was a custom proposal for one customer only and was not pursued since the relationship did not come to fruition."
Srivastava added that he regretted attending ISS because Aglaya was never able to close a deal and sell its services. He also claimed that the company doesn't offer those kind of services anymore. (One of the organizers of ISS World did not respond to a request for comment, asking whether the conference vetted or condoned companies offering such services.)
"I would go the distance to aim to convince you that we are not a part of this market and unintentionally underwent a marketing event at the wrong trade-show," he added.
When asked a series of more detailed questions, however, Srivastava refused to elaborate, instead reiterating that Aglaya never did any business as a government hacking contractor and that attending ISS was "an exercise of time and money, albeit, in futility." He complained that his company's failure was likely due to the fact that it is not based "in the West," hypothesizing that most customers want "western" suppliers.
Asked for the identity of the potential customer who showed interest for these services, Srivastava said he did not know, claiming he only dealt with a reseller, an "agent" from South America who "claimed to have global connections" and "was interested in anything and everything."
The document itself doesn't offer any clues as to the country interested. But Latin American governments such as the ones in Mexico and Ecuador are known to have used Twitter bots and other tactics to launch disinformation campaigns online, much like the ones Aglaya was offering. Mexico, moreover, is a well-known big-spender when it comes to buying off-the-shelf spyware made by the likes of Hacking Team and FinFisher.
"I would go the distance to aim to convince you that we are not a part of this market."
Srivastava also dodged questions about his company's spyware products. But a source who used to work in the surveillance tech industry, who asked to remain anonymous to discuss sensitive issues, claimed to have seen a sample of Aglaya's malware in the wild.
"It was crap," the source said. "The code was full of references to Aglaya."
One of his customers was targeted with it at the end of last year, when he received a new phone via mail, under the pretense that he had won a contest that turned out to be made up, according to the source. As ridiculous as this might be, this is actually how Aglaya targeted victims, given that they couldn't admittedly get around Apple's security measures and jailbreak the device to infect it with malware.
This sloppy workaround was described in an article in the spyware trade publication Insider Surveillance.
"For installation, Aglaya iOS Backdoor requires an unattended phone and a passcode," the article read. "By 'unattended' we're hoping they mean 'idle,' not 'impounded.' Or that they're not expecting agents to sneak into the target's bedroom to plant the malware...or wait for him to divulge the password while talking in his sleep."
The anonymous source, in any case, said that there is certainly a market for the services offered by Aglaya, including the sketchier ones.
"I think it's credible that there is interest for these type of services at least in certain countries in the Middle East," the source said.
Another source, who also requested anonymity to speak freely, said that an Aglaya representative once claimed that his company had customers in the Middle East. The source also said that Aglaya's claims of having abandoned the surveillance tech business are "a lie," adding that he has seen an updated version of that brochure last year.
Aglaya might have some customers, but it's likely a small fish in the surveillance and hacking business. There are certainly many more companies, likely with better services and more customers, that we don't know about. We also might never know about them, unless they get caught because customers abuse their tools—as in the cases of NSO Group and Hacking Team—or their marketing materials leak online.
Often, these companies peddle both defensive and offensive services. Srivastava, after dodging most of my questions, offered to let Motherboard take a look at Aglaya's latest product, dubbed SpiderMonkey, a device that detects "Stingrays" or IMSI-catchers, the surveillance gizmos used by police and intelligence around the world to track and intercept cellphone data.
"Please do keep us in mind," he said, likely repeating a line that he told his unknown "one" customer two years ago.
Want more Motherboard in your life? Then sign up for our daily newsletter.