LIMA, Peru — Ecuadorean opposition activist Dr. Carlos Figueroa was being pursued by the state when his email and Facebook accounts were hacked. Several dozen of his colleagues have similarly had their digital lives violated. All blamed President Rafael Correa’s government, but no one had proof.
The Associated Press has found compelling evidence that Figueroa was indeed hacked by Ecuador’s domestic intelligence agency, with software tailor-made by an Italy-based company called Hacking Team that outfits governments with digital break-in tools.
That would tag Figueroa as the first publicly identified target from a catalog of more than 1 million company emails stolen by an unknown hacker and leaked online last month.
AP’s finding also casts doubt both on Hacking Team’s claims that its intrusion tools, which intercept phone calls, collect emails and record keystrokes, are for use against serious criminals, not dissidents, and on assertions by Ecuadorean officials that they do not spy on domestic opponents.
The purloined Hacking Team emails have thrown back the curtain on state-sponsored hacking across the world, drawing outrage in South Korea — where a spy caught up in the scandal killed himself — and Cyprus, whose intelligence chief resigned following the disclosures.
They were gathered and made easily searchable online by WikiLeaks, the secret-spilling website whose founder Julian Assange has been holed up in Ecuador’s London embassy since 2012.
Evidence that Ecuador’s spies hacked Figueroa are in a series of emails exchanged between its SENAIN domestic intelligence agency and Hacking Team shortly after Figueroa was convicted of criminal libel in March 2014 and sentenced to six months in prison for allegations he made about Correa’s actions during a 2010 police revolt. Figueroa had skipped the court appearance, considering the verdict a foregone conclusion, and was in hiding.
The emails show that SENAIN employee Luis Solis sent a flurry of requests to Hacking Team for booby-trapped Microsoft Office documents and malicious links — so many that customer support engineer Bruno Muschitiello suggested Solis ease up. “The target may suspect something,” Muschitiello wrote on April 11, 2014.
The target isn’t named explicitly, but Solis dropped hints as he struggled with the digital burglary technology. The biggest clue was a phony invitation to a medical conference that he apparently created. The first 14 characters of the target’s email address are visible in a screenshot he sent to Muschitiello. It reads “dr.carlosfigue.,” a near match for the “dr.carlosfigueroa” address Figueroa was using at the time.
On May 5, Solis sent Muschitiello a screenshot of his control panel displaying 13 infected devices. One is named “MobilFigueroa” — “Figueroa’s cellphone.”
Muschitiello did not return messages sent by the AP, and Solis could not be located. A person who answered the phone at the extension for SENAIN’s communications office, and who would not identify himself, said Solis did not work at the agency.
Figueroa, a gastroenterologist who is a fierce opponent of Correa’s leftist government, said he is not certain he received the bogus email invitation to the medical conference. He said he received many strange emails at the time that he assumed were attackware and quickly deleted — but still got hacked.
“I had four email accounts and problems with all of them,” he said. “I also had problems with Facebook. At one point, it seems like they attacked all my communications on social media.”
“We all just assume our telephones are permanently tapped,” he told the AP.
Figueroa was arrested and emerged from hiding in July 2014 to visit his 75-year-old mother, who died of pancreatic cancer while he served out his prison term.
At no point, he said, did any state agency obtain a court order to eavesdrop on him. And the government still hasn’t returned the two laptops and two cellphones it seized when he was arrested, he said.
Last week, SENAIN director Rommy Vallejo told a select group of reporters that his agency did not spy on political opponents. But he refused to discuss its ties to Hacking Team.
His comments followed Correa’s denial that SENAIN had a contract with the company.
Other Hacking Team emails reviewed by AP suggest both statements are misleading.
The reviewed emails indicated that SENAIN has a 610,000 euro (more than $650,000) three-year deal with Hacking Team through a third party, which took effect in November 2013 and let SENAIN infect 30 devices at a time.
Email evidence also suggests that other dissidents and environmentalists were in SENAIN’s crosshairs.
While Figueroa was under attack, the emails show, SENAIN was using Hacking Team tools to craft booby-trapped documents with titles like “Questions – Yasuni” — a reference to the pristine Amazon wilderness reserve known as Yasuni. Correa’s plans to drill for oil there have prompted stiff resistance from environmentalists, many of whom have complained of being targets of government hacking and surveillance.
Anonymous hackers may have been targeted as well. A document seen by AP appeared designed to infect someone with an interest in the online vigilante movement.
Hacking Team spokesman Eric Rabe refused to discuss particulars when asked about the Figueroa case and company business in Ecuador, saying it is company policy not to identify clients.
The company has said it sells its digital break-in tools to government agencies for use against serious criminals, including terrorists, pedophiles and drug traffickers.
Rabe also said it is company practice to deal with clients’ operations at arm’s length. Technical assistance is offered on request “but not in regard to … specific surveillance operations. Clients don’t want outsiders involved.” He said Hacking Team cancels contracts if clients use its tools to break the law.
Ecuador’s human rights record is tamer than some other previous Hacking Team clients, such as Sudan, Ethiopia and Russia. But its government has been criticized by rights groups for harassing journalists, imposing stiff fines on critical media and ordering an environmental group dissolved.
As the attack on Figueroa suggests, the campaign is increasingly being carried out online.
“Every day there are complaints by opposition activists that their email has been broken into, their websites violated,” said Cesar Ricuarte, director of the independent Fundamedios press watchdog group. “A kind of digital war, really, is going on in Ecuador.”