HackingTeam, a Milan, Italy-based company that makes surveillance software for governments was hacked on the evening of July 5, according to several reports, including Reuters.
Four hundred gigabites (GB) of internal documents from Hacking Team were released to the public as a Torrent file and on July 6 the company’s Twitter account was hijacked for almost 12 hours and used to further point to the released information, media reports said.
“Since we have nothing to hide, we’re publishing all our emails, files and source code,” the hacked Twitter account reportedly published before later being deleted. The company’s website has been taken down as of publication time.
The released data included full lists of current and former clients, business correspondence, lists of passwords and login details for client sites, and source code for products.
A list of current and former clients as of 2014 was included in the release. The FBI and Drug Enforcement Administration (DEA) are listed as current clients while the U.S. Department of Defense is noted as “Not Active,” the documents show.
The DEA has used HackingTeam’s tools since 2012 in collaboration with the Colombian government but not domestically in the United States, the documents said.
Other active clients include security services of countries with a record of human rights abuses, including Azerbaijan’s Ministry of National Defence, Egypt’s Ministry of Defense, Ethiopia’s Information Network Security Agency, Kazakhstan’s National Security Office, Morocco’s Intelligence Agency, Nigeria’s Bayelsa Government, several Saudi Arabia agencies, and Sudan’s National Intelligence Security Service. Sudan and Russia’s Intelligence Kvant Research were designated as “Not officially supported,” rather than the alternatives of active or expired.
HackingTeam was previously listed along the “Enemies of the Internet” by Reporters Without Borders for helping countries with a history of human rights abuses use its main Remote Control Systems tool.
HackingTeam’s signature product, Remote Control Systems (RCS), is also referred to as DaVinci. A kind of spyware, it reportedly allows governments to hack into targeted computers to gain nearly complete control.
“Here in HackingTeam we believe that fighting crime should be easy: we provide effective, easy-to-use offensive technology to the worldwide law enforcement and intelligence communities. Technology must empower, not hinder,” the company’s website said. It also noted the company “exclusively” focuses on offensive security.
“Remote Control System (RCS) is a solution designed to evade encryption by means of an agent directly installed on the device to monitor. Evidence collection on monitored devices is stealth and transmission of collected data from the device to the RCS server is encrypted and untraceable,” the company’s website said.
“On the issue of repressive regimes, Hacking Team goes to great lengths to assure that our software is not sold to governments that are blacklisted by the E.U., the U.S.A., NATO and similar international organizations or any “repressive” regime,” Eric Rabe, a U.S.-based public relations official for HackingTeam said in response to the allegations in 2013.
“Furthermore, we have created an external board to review potential HT sales, and this board has a veto over sales it deems illegal or unwise. We also go to some lengths to monitor reports of use of our software in ways that might be inappropriate or illegal. When we find reports of such issues, we conduct an investigation to determine if action is needed,” Rabe added.
HackingTeam has previously refused to disclose its client list and denied selling surveillance tools to the Sudanese government. If the leaked documents are accurate, the company violated its own policies, selling equipment to Sudan, which is under a United Nations arms embargo and has a history of many human rights abuses.
Most of the countries connected to the company in the leaked files were previously linked in open source reports from critics.
Citizen Lab researchers at the University of Toronto previously linked Hacking Team to the Ethiopian government’s targeting of expatriate journalists based in the Washington, D.C., area using the Remote Control System (RCS) spyware tool.
One of the leaked documents is an April 2012 contract with Ethiopia’s Information Network Security Agency for an RCS license, worth $1 million. Another contract was listed, providing RCS to the National Intelligence and Security Services of Sudan for almost $528,000 as a first payment, of 50% of the total dated to July 2012.
The RCS tool has also reportedly been found used against journalists critical of Morocco’s government and pro-democracy activists in the United Arab Emirates.
A Dutch member of the European Parliament, Marietje Schaake submitted questions to the European Commission on how HackingTeam may have violated European Union sanctions.
Noting the leaked documents, Schaake highlighted that if these documents are true, the company appears to have violated the EU sanctions regime on Sudan and Russia. She also said a UN panel that monitors implementations of UN sanctions against Sudan has previously “argued that the RCS is ideally suited to support ELINT operations that fall under the category of ‘military equipment’ or ‘assistance.’”