Hacking Team: Mass Surveillance Made In Milan

Monday 27 August 2012

Of all the companies I have encountered while working on stories about surveillance technology used by police and governments, Italy's Hacking Team is one of the most intriguing.

The Milan-based "offensive security" firm manufactures a kind of spy software, called "Remote Control Systems" (RCS), that infects computers and mobile phones in order to secretly siphon data.

RCS is designed to covertly record emails, text messages, phone (or Skype) calls, GPS location, and take screenshots - before sending this information back to law enforcement agencies for inspection. It can be used to target almost any device or platform - Windows, OSX (the operating system that runs on Mac computers), iOS (used by iPhones and iPads), Android, Blackberry, Symbian, Linux - and can infect a computer or phone by tricking a user into opening a fake document file.

The technology is controversial, not least because Hacking Team boasts in its own marketing materials that it can be deployed "country-wide" to spy on the communications of more than 100,000 people simultaneously.

Human rights groups say that it could, in the wrong hands, easily be abused to target activists, political opponents, or anyone else deemed a worthy target - and these concerns certainly appear to be well founded. As I reported for Slate last week, the first instance of Hacking Team's spyware being used for nefarious purposes has purportedly been found in Morocco, where a team of award-winning citizen journalists (and prominent critics of Morocco's government) were targeted with what security experts say they are certain is a version of Hacking Team's RCS spyware.

Due to the secretive nature of Hacking Team's work, there is much we still don't know about where and how this technology is being deployed. However, in the months ahead, I fully expect that more details about countries using Hacking Team's technology will inevitably emerge.

In the meantime, I've decided to share here a summary of the main issues and things I've discovered so far. The information comes from a combination of sources: primarily an interview I conducted with Hacking Team's co-founder David Vincenzetti in October 2011 (a portion of which appeared later in the Guardian), along with marketing materials and documents published in the WikiLeaks Spy Files in December. If you have information you would like to add - or if you have source material related to Hacking Team which has not yet entered the public domain - please contact me.

Who uses Hacking Team's spy technology?

Hacking Team refuses to divulge details about specific customers and/or countries it deals with. However, the company's co-founder told me in 2011 that it had sold the RCS spyware to "approximately 50 clients in 30 countries in all five continents" since 2004. The company's website says it only sells its software to governments and law enforcement agencies.

What is Hacking Team's technology used for and why?

Hacking Team says its spy software is necessary in a world where terrorists and other serious criminals are constantly crossing borders, using various devices to communicate while sometimes using encryption. RCS allows law enforcement agencies to bypass encryption by recording data before it becomes encrypted. It also allows them to monitor targets across borders and gives them access to data that they might otherwise find very hard to obtain, such as photographs or document files stored on hard disks.

Most western democracies have laws governing the use of surveillance technology of this kind, and will use it only when they believe it necessary to detect or prevent serious criminal activity. The fear held by human rights groups is that Hacking Team's technology may have been sold to countries that do not have strict laws governing its use, which could mean that it is being abused to target, for instance, pro-democracy activists.

The fact that Hacking Team openly advertises that its software can be used to spy on hundreds of thousands of people's communications is a particular cause for concern, as it is difficult to conceive of any situation where the mass interception of communications on this scale could be justified.

(Note: A French company that in 2007 sold Gaddafi's Libyan regime surveillance technology, used to spy on dissidents, is currently facing a judicial probe for alleged complicity in crimes against humanity.)

What is Hacking Team's position on potential human rights violations?

In the words of David Vincenzetti: "We pay the utmost attention to whom we are selling the product to. Our investors have set up a legal committee whose goal is to promptly and continuously advise us on the status of each country we are talking to. The committee takes into account UN resolutions, international treaties, Human Rights Watch and Amnesty International recommendations."

What kinds of communications can RCS record?

The short answer is: everything. RCS has the capacity to record emails, Skype chats, instant messenger conversations, and text messages. It can log keystrokes (and passwords), mine documents from a hard drive, and steal private encryption keys. The software also has a function called "remote audio spy" which can be used to turn on a laptop or mobile phone's microphone, recording audio from a device without its user's knowledge.

Won't anti-virus software pick up RCS?

Hacking Team boasts that its spyware is "stealth" and "is totally invisible to the target. Our software bypasses protection systems such as antivirus, antispyware and personal firewalls."

How much do governments and LEAs pay for Hacking Team's technology?

According to David Vincenzetti: "RCS is a complex system and its price varies greatly depending on the number of targets to be monitored and the features included in it. RCS can be used for monitoring just a few targets (tactical use) or for monitoring targets 'country-wide', that is, hundreds of thousands of targets. Just to provide you with a very approximate price figure, I can tell you that a medium-sized installation might cost 600k euros." (€600,000 = £475,000 or $751,000.)

Who are the people that work at Hacking Team?

Hacking Team was founded in 2003 by self-described "serial entrepreneurs" David Vincenzetti and Valeriano Bedeschi. Valeriano and Vincenzetti say they have been working together in computer security for more than 20 years and Hacking Team is their fourth company. Their previous company was called Intesis srl, a software firm Vincenzetti describes as "one of the most successful ventures in the Italian IT market." Since 2007 Hacking Team has had venture capital backing from two Italian funds: Innogest and Finlombarda.

The company employs around 35 people, and as of August 2012 was recruiting a "Field Application Engineer" to "guide them [our customers] through the process of learning, testing and adopting our Solution." It added that prospective candidates must be "willing to travel all over the world!" (Screenshot, 27 August, 2012.)

How does Hacking Team design its surveillance tools?

An interesting insight into the type of software programming used by Hacking Team was offered by a job vacancy description posted on its website in 2012. Hacking Team said it was looking for a "hacker / developer" with knowledge of the following: "C++, Objective-C, some x86 or ARM Assembly, Ruby or Python, ActionScript or reversing skills. Design Patterns and Agile Programming are a must."

In layman's terms, this means Hacking Team uses a series of programming languages used on different devices (Macs, PCs, mobile phones), and also works with code (ActionScript) primarily used with Adobe Flash Player. Many Trojan-style tools exploit security flaws in Adobe Flash Player to infect users with spyware.

UPDATE I, 10 October 2012: A new report by Citizen Lab security researchers has found evidence suggesting Hacking Team's surveillance spyware was used to target a prominent activist in the United Arab Emirates. Similar to the tactic used against the Moroccan journalists (see above), an email was sent to the UAE activist that tricked him into downloading the spyware. The email claimed to be from "Arabic WikiLeaks" and included a link to an infected file purporting to be a .doc file named "veryimportant". Hacking Team has so far not issued comment. Read more details in my report for Slate, here.

UPDATE II, 25 April 2013: In February, a detailed analysis by a researcher at Russia's Kaspersky Lab dissected Hacking Team's spy technology. Notably, the Kaspersky researcher claims to have found "about 50 incidents" in which Hacking Team's surveillance tool was used in countries including Italy, Mexico, Kazakhstan, Saudi Arabia, Turkey, Argentina, Algeria, Mali, Iran, India and Ethiopia. An updated Kaspersky analysis in April states that it has detected Hacking Team's technology in 37 countries. The highest number of attacks using the spy tool were found in Mexico, Italy, Vietnam and the United Arab Emirates. However, a small handful of attacks on users allegedly involving the Hacking Team technology were also detected in Iraq, Lebanon, Morocco, Panama, Tajikistan, India, Iran, Saudi Arabia, South Korea, Spain, Poland, Turkey, Argentina, Canada, Mali, Oman, China, the United States, Kazakhstan, Egypt, Ukraine, Uzbekistan, Colombia, Taiwan, Brazil, Russia, Kyrgyzstan, the United Kingdom, Bahrain, Ethiopia, Indonesia, Germany, and Libya.

Constant Fear In Manzer Khel

Saturday 25 August 2012

In the last few days I've been working on a piece about 'unmanned aerial vehicles', or 'drones' as most people call them. I was interested to discover that there is a company based in England that has manufactured technology sold and exported to the United States for use as part of drone systems. The US uses its drones for controversial covert attacks in places like Pakistan, Yemen and Somalia - attacks that many believe are being conducted in violation of international law.

In a factory on a bland-looking industrial estate in Towcester, Northamptonshire, General Electrics Intelligence Platforms (GEIP) has produced single-board computers that it has acknowledged may be used on the ground stations that communicate with drones. The company says the parts are not used as part of "weapons systems" but are rather "used solely in connection with the operation of the aircraft itself." Nevertheless, human rights group Reprieve is demanding that the British government restrict exports of this technology for use in drones because it says it is "helping to kill, maim and terrify citizens."

What's particularly interesting is that lawyers acting on behalf of a Pakistani elder named Malik Jalal have sent a letter to the UK government's Department for Business, Innovation and Skills (BIS) regarding technology exported by GEIP. Jalal lives in Manzer Khel, North Waziristan, a tribal village that has been hit by repeated strikes by US drones as part of a 'targeted killing' programme which has operated covertly in Pakistan since 2004. Jalal's lawyers, Tuckers, are requesting that BIS officials provide a series of answers about approvals of GEIP exports. The exports, they allege, are helping to facilitate strikes that are a violation of international law on armed conflict and a breach of human rights.

Most striking about the letter is one passage that describes an aspect of drones I hadn't considered before: their psychological impact. It is hard to imagine what it must be like to know that there are remote control aircraft soaring 20,000ft in the sky above your head every day, armed with deadly 'Hellfire' missiles and on the hunt for groups of suspected militants. But this particular paragraph goes some way to explaining the profound and alarming effect it is having on the people living in North Waziristan. It's something I think everyone should read:

As a result of the UAV strikes, Malik Jalal and others residing in the area live in constant fear. There are very often UAVs hovering overhead. Members of Malik Jalal's tribe cannot tell whether they are intending to fire missiles or simply for surveillance, and the knowledge that any one of them at any time could launch a missile is unbearable. Malik Jalal as the tribal elder feels particularly helpless that he is unable to stop the UAVs and he fears for the physical safety of his family as well as the psychological effects, especially on the young, of the UAVs' presence. Even young children are aware of the UAVs and can see them and hear their buzzing overhead. The UAVs also affect the economy and daily life. People are scared to be out together in large groups or to travel with others in case they are mistaken for militants and targeted, and many parents are reluctant to send their children to school in case they are hit during the journey.

You can read the full lawyers' letter here.

It is estimated that up to 3,303 people have been killed in US drone strikes on Pakistan since 2004, including as many as 880 civilians. The issue is causing huge tension in the country and politicians have repeatedly called for America to stop its attacks - to no avail.

The BIS told me that it "takes its export licensing responsibilities seriously" but said that "we do not comment on individual licence requests, the application or the end user." Of more interest was what a spokesman for the Ministry of Defence (MoD) told me when I called to query how the Royal Air Force uses drones. In an apparent attempt to distance the MoD from the increasingly controversial US bombings in places like Pakistan, the spokesman said: "I wouldn’t want you to confuse the way we operate drones with the way the Americans operate drones. They use them for wholly different missions."

A Space For Notes

I've been meaning to get round to this for quite some time. I'm starting a 'notes' section here, which I'm going to use to post bits and pieces - interesting scraps of information I find that don't make it into articles I write, short reflections, thoughts, and any other miscellaneous ramblings, missives, screeds.

I've long needed a space for this, but for some reason I've never made it happen. How frequently I will post I'm not sure, but certainly the intention is to make it quite regular and habitual. I think it will help with the writing process and will also allow me to document things that often end up forgotten somewhere: the little scribbles and quotes and descriptions I often jot down, which at the time seem important, but before long end up gathering dust in the ever-growing pile of notebooks that clutter up my flat.

So here we are. notes.rjgallagher.co.uk. Born on a rainy day in August, 2012.