Hacking Team S.r.l., an Italian firm that sold spyware tools to nation-states, incurred a large data breach over the week, with over 400 GB of emails, source code, and miscellaneous data released to the Internet at large via torrents.
The information from the breach confirmed long-standing accusations that until now were only supported by circumstantial evidence: Hacking Team was selling surveillance tools to authoritarian regimes around the world, many of which having records of human rights abuses.
Invoice records from the breach show that Hacking Team counts Egypt, Saudi Arabia, and Sudan among its customers. Sudan has been the subject of an arms embargo issued by the United Nation s (U.N.)— one that covered the sale of technical assistance — which was probably why Sudan was listed as “not officially supported” in Hacking Team’s customer database.
An invoice from 2012 showed that Hacking Team received a wire transfer of nearly half a million euros from the Sudanese government. Earlier this year, the Italian representative to the U.N. said in a letter that Hacking Team, which was being investigated by the U.N., has never done business with the Sudanese government.
“The spyware enables a government to access the phone’s emails, text messages, files from applications like Facebook, Viber, Skype, or WhatsApp, contacts, and call history,” reads a Human Rights Watch post describing the use of Hacking Team firmware by the Saudi Arabian government. “It also allows authorities controlling the spyware to turn on a phone’s camera or microphone to take pictures or record conversations without the owner’s knowledge.”
According to Citizen Lab, a Canadian think tank, Hacking Team’s software has been used to target the Shiite minority in Saudi Arabia and journalists critical of the government in Ethiopia, from where dozens of journalists have fled in the past decade due to “threats and intimidation.”
Hacking Team’s spyware toolkit, the Remote Control System (RCS), was first disclosed to the public on the Kaspersky Lab blog more than two years ago. Kaspersky, which sells anti-virus software, had detected copies of the RCS and reverse-engineered the spyware to explore its functions.
Kaspersky later revealed a list of the number of RCS “collector” IP addresses by country, which included many of the countries disclosed in the recent data breach, and some that weren’t, including mainland China, which has been known to force computer manufacturers to directly insert spyware backdoors into their products.
A staff member at Hacking Team, Christian Pozzi, took to Twitter to defend the company.
“Don’t believe everything you see. Most of what the attackers are claiming is simply not true,” Pozzi wrote. “The attackers are spreading a lot of lies about our company that is simply not true. The torrent contains a virus.”
Pozzi’s account was later hacked, and is currently offline.
Not all, or even most, of Hacking Team’s customers are associated with political repression. Australia, Germany, Switzerland, and the United States are also clients. Documents from the breach show that the FBI and the Drug Enforcement Agency have used software from Hacking Team since 2011, and that the firm is trying to expand to the offices of district attorneys.
