Hacking Team Breach Shows a Global Spying Firm Run Amok

The epic hack of a global, private spying company comes just as the US government considers new regulations to control the export of digital intrusion tools.

Few news events can unleash more schadenfreude within the security community than watching a notorious firm of hackers-for-hire become a hack target themselves. In the case of the freshly disemboweled Italian surveillance firm Hacking Team, the company may also serve as a dark example of a global surveillance industry that often sells to any government willing to pay, with little regard for that regime's human rights record.

On Sunday night, unidentified hackers published a massive, 400-gigabyte trove on BitTorrent of internal documents from the Milan-based Hacking Team, a firm long accused of unethical sales of tools that help governments break into target computers and phones. The breached trove includes executive emails, customer invoices and even source code; the company's Twitter feed was hacked, controlled by the intruders for nearly 12 hours, and used to distribute samples of the company's hacked files. The security community spent Sunday night picking through the spy firm's innards and in some cases finding what appear to be new confirmations that Hacking Team sold digital intrusion tools to authoritarian regimes. Those revelations may be well timed to influence an ongoing US policy debate over how to control spying software, with a deadline for public debate on new regulations coming this month.

One document pulled from the breached files, for instance, appears to be a list of Hacking Team customers along with the length of their contracts. These customers include Azerbaijan, Bahrain, Egypt, Ethiopia, Kazakhstan, Morocco, Nigeria, Oman, Saudi Arabia, Sudan, and several United States agencies including the DEA, FBI and Department of Defense. Other documents show that Hacking Team issued an invoice for $1 million to Ethiopia's Information Network Security Agency (the spy agency of a country known to surveil and censor its journalists and political dissidents) for licensing its Remote Control System, a spyware tool. For Sudan, a country that's the subject of a UN embargo, the documents show a $480,000 invoice to its National Intelligence and Security Services for the same software.

"These are the equivalents of the Edward Snowden leaks for the surveillance industry," says Eric King, the deputy director of Privacy International. "There are few countries [Hacking Team] aren't willing to sell to. There are few lines they aren't willing to cross."

In its marketing materials, Hacking Team describes its RCS product as "a solution designed to evade encryption by means of an agent directly installed on the device" an agency is monitoring. "You want to look through your target's eyes," reads the script of one of the company's videos. "You have to hack your target." Last year, researchers at Toronto-based Internet surveillance analysis group Citizen Lab and antivirus firm Kaspersky revealed Hacking Team software that targets every mobile operating system to take total control over phones.

Hacking Team hasn't yet responded to WIRED's request for comment. One Hacking Team engineer, Christian Pozzi, seemed to defend his employer briefly on Twitter, writing that the company's attackers were "spreading lies about the services we provide." His feed was soon hacked and then deleted.

Hacking Team's newly exposed business practices call into question whether current regulations effectively prevent a private firm from selling hacking software to any government in the world. One written exchange between Hacking Team's executives and UN officials shows the UN questioning Hacking Team's sales to Sudan. A letter from the UN to the company references a March 2015 letter Hacking Team sent the UN, in which it argued that its spying tools didn't count as a weapon, and so didn't fall under the UN's arms embargo. (The UN disagreed.)

"Sudan is one of the most strictly embargoed countries in the world," says Chris Soghoian, a privacy activist and lead technologist for the American Civil Liberties Union who first spotted the UN correspondence in the Hacking Team data dump. "If Hacking Team believes they can lawfully sell to Sudan, they believe they can sell to anyone."

That issue of whether hacking tools are defined as weapons in the terms of arms control agreements couldn't be more timely: An arms control pact called the Wassenaar Arrangement has been hotly debated in recent weeks over its measures that would control the international export of intrusion software. The US Department of Commerce has opened the process to public comment, a window that ends on July 20.

The Wassenaar Arrangement has been criticized by the hacker community as limiting security research and preventing the sharing of penetration testing tools. But Privacy International's Eric King argues that the practices of Hacking Team demonstrate why the pact is necessary, along with what he describes as "carve-outs" to protect security research. "What’s clear is that these companies can’t be left to their own devices," says King. "Some form of regulation is needed to prevent these companies from selling to human rights abusers. That’s a hard policy question, and one tool won’t be a silver bullet. But regulation and export controls should be part of the policy response."

Despite Hacking Team being based in Italy, the US Department of Commerce's still-evolving export control regulations may still apply to the company, says the ACLU's Chris Soghoian. He points to two firms he spotted in Hacking Team's breached files who appeared to be reselling the company's tools: Cyber Point International in Maryland and Horizon Global Group in California.

The hacked documents are far from the first evidence that Hacking Team has sold its tools to authoritarian governments. Researchers at Citizen Lab have accused Hacking Team of selling to countries including Sudan and the United Arab Emirates, who used it to spy on a political dissident who was later beaten by thugs. WIRED reported in 2013 on an American activist who was apparently targeted by Turkey using Hacking Team tools. But Hacking Team has responded with denials, criticisms of Citizen Lab's methods, and claims that it doesn't sell to "repressive regimes."

"Hacking Team has continuously thrown mud, obfuscated, tried to confuse the truth," says Privacy International's King. "This release helps set the record straight on that, and shows their deviousness and duplicity in responding to what are legitimate criticisms."