The surveillance company says whoever hacked it also unleashed dangerous tools that can now be used by criminals, but experts are skeptical.
And now, because of that, Hacking Team is warning that "anyone," including "terrorists, extortionists" and criminals, could take that code and create their own versions of the company's spyware to hack and monitor pretty much whoever they want.
"Hacking Team's investigation has determined that sufficient code was released to permit anyone to deploy the software against any target of their choice," the company's spokesperson Eric Rabe said in a statement on Wednesday.
"Terrorists, extortionists and others can deploy this technology at will if they have the technical ability."
Hacking Team, which sells surveillance software and tools to government agencies across the world, called this a "major threat" and an "extremely dangerous" situation they can't do much to prevent because before the attack they had the ability to "control who had access to the technology," but now they don't have that ability anymore.
While experts agree that, in theory, criminals could use the leaked source code of Hacking Team's Remote Control System (RCS), they also cautioned that criminals have plenty of similar tools to choose from to achieve similar results.
"The terrorists and extortionists angle is just PR bullshit," Pedro Vilaca, a researcher who specializes in reverse engineering OS X malware, told Motherboard in an online chat. "There are tons of tools already available to those people."
Moreover, Vilaca added, now that Hacking Team's spyware is out, antivirus firms can update their products to detect it, and Hacking Team itself said in the statement that they expect antivirus tools to do just that. So the source code likely needs to be repurposed and modified to keep up with new defenses.
Even the hacker who claimed responsibility for the attack scoffed at Hacking Team's claims.
"No hackers will use RCS except to play around for amusement, there are much better tools already available," said the unnamed hacker, who previously revealed to Motherboard that he was the same one that breached Hacking Team's competitor Gamma Group last year.
"The terrorists and extortionists angle is just PR bullshit."
"The value of RCS was in tailoring its capabilities to law enforcement requirements, and in the support contracts and training hacking team provided," he told me in a chat.
Bill Marczak, a researcher at the Citizen Lab at the University of Toronto's Munk School of Global Affairs who has studied Hacking Team's malware and activities for years, agreed that it's "highly unlikely" criminals would go to the trouble of putting together all the source code and infrastructure to use RCS.
"The truth is, terrorists and cybercriminals have successfully deployed spyware for quite some time now," he told me in an encrypted chat. "It's not like they were waiting to get their hands on this."
Other spyware tools, such as njRAT, which is widely used by cybercriminals, "offer essentially the same features."
A source with knowledge of Hacking Team's code said that recreating the entire RCS system from source code is "absolutely not trivial." It's more likely, the source said, that criminals could use some of the code to write a backdoor, or remote access tool (RAT), something that Marczak agreed with.
Recreating the entire RCS system from source code is "absolutely not trivial."
In fact, some leaked data has already been abused by criminals. Security firms warned on Wednesday that a Flash vulnerability leaked among the Hacking Team files, which at the time was yet to be patched (or "zero-day"), has been spotted in the wild, and included in some exploit kits commonly used by criminals. Adobe pushed out a patch on Wednesday, so as long as systems are up to date, criminals shouldn't be able to exploit it anymore.
The hacker who hit Hacking Team took the company's new statement it with sarcasm.
"They should bring back Christian Pozzi as their damage control spokesman," he said, referring to the company's systems administrator, who went on a now-deleted Twitter rant on Monday morning. "Eric Rabe is funny, but Christian was hilarious."