[Image: twitter-account-owned]

The Twitter page was restored around six hours later, but Hacking Team were well and truly owned by then, and roughly 370GB of the company’s data was being circulated and copied by millions. At the time of posting this, over 53 million requests were made to the FTP mirrors hosting the exfiltrated material. DDoS attacks, threats and PR aren’t going to fix this for them.

[Image: hacked-team-dump-filestructure]

As we can see, it seems everything was dumped – admin files, client lists, email archives, RCS source code, exploits… everything. Even though Hacking Team are most likely finished, I think the information has long-term value for fighting commercial malware vendors, knowing which organisations were using the malware, and understanding the ‘ecosystem’ Hacking Team were operating in.

For several years Hacking Team had a reputation for providing remote access malware (that’s basically what it is) to bad men, and empowering regimes with dodgy human rights records. In-depth investigations were countered with PR, but we knew the malware had somehow found its way onto the computers of journalists and human rights groups. It’s quite possible, though not proven, that Hacking Team was complicit in the torture, imprisonment and deaths of innocent people. I tried to give Hacking Team the benefit of the doubt while skimming through the material, played Devil’s advocate in places, but the evidence is damning whichever way we look at it. There’s no getting around the fact Hacking Team provided backward regimes ‘offensive security’ capabilities they wouldn’t otherwise have. What the fuck were they thinking?

Hacking Team is one more addition to the growing list of Internet surveillance firms that got owned, and clearly the exposure of injustice is now a common motive for hackers and insiders. Any organisation involved in something objectionable should therefore expect to be exposed sooner or later. Not even the NSA and GCHQ were immune to this. Not all disclosures will be mediated by celebrity gatekeepers like Glenn Greenwald either.

Clients
So who were the clients? There are a couple of spreadsheets listing them for the ‘offensive security’ services. The Ethiopian and Sudanese governments were prominent among the clients, and the most commented on. I went digging through the material for connections to Saudi Arabia, as that country is known to have an atrocious human rights record, and it transpired Hacking Team were indeed trading with Saudi Arabia’s defence and intelligence organisations:

[Image: client-renewal-list]

According to its own marketing material, Hacking Team’s remote access malware was designed to be deployable against large numbers of people, and invoices can be found for Technology Control Group ISP and the General Intelligence Presidency in Saudi Arabia.

[Image: video-mass-hacking]

It also appears, from references in the archive, that Hacking Team were pushing the malware at various marketing events for surveillance technologies. One of these is ISS World, which I covered here before. Unlike your typical security conference, these are off limits to the public.

The RCS Malware
The source code for the ‘Remote Control System’ was posted on GitHub, but removed the next day. I’ll comment on the screenshot below, as it’s caused a bit of controversy on Twitter and Hacker News:

[Image: RCS-evidence-test]

It led some to believe Hacking Team were planting dodgy material on targets’ computers, but it looks more like they were testing their ‘evidence management system’ on dummy files. It probably doesn’t need pointing out that the installation and subsequent discovery of malware that could be used to plant evidence would seriously undermine the prosecution in a properly conducted trial.
The repo was taken off GitHub before I could take a proper look at the source, but thankfully we have all the documentation, plus the source code for the ancillary components (exploits, droppers, etc.).

GeoTrust Certificates
One of the more interesting aspects of this is in the shared dev directory. It looks as if they were using GeoTrust certificates to sign kernel-level code, perhaps as Windows ‘drivers’. I wonder how they came across these, but it looks as if GeoTrust provided Hacking Team with the signing certificates.

[Image: hacked-team-certs-found]

Gamma International
For anyone who wants more material on the FinFisher products, there’s a stash of files in /rcs-dev/share/Documentation.

United Nations and the Sudan Issue
Following the Citizen Lab report, the United Nations started taking an interest in Hacking Team’s business, in particular their dealings with Sudan. Correspondence relating to this can be found in the /SUDAN directory. Some United Nations group made the argument that Hacking Team’s malware violated the restrictions on the sale of arms to the country, especially given the human rights concerns. According to our own government’s Foreign Office, arbitrary arrests, some torture and police corruption are routine in that region.
The United Nations group didn’t receive a direct reply from Hacking Team, but we know Hacking Team were at least aware of the concerns because the fax was in their file system.

[Image: un-rcs-sudan]

We now know the malware was supplied to a Sudanese entity known as the ‘National Intelligence Security Service’ at the end of December 2014, and a 2012 invoice for the ‘Remote Control System’ can be found.

[Image: sudan-rcs-invoice]

This aspect is very important. Although the malware in this case might reasonably be defined as ‘arms’, because there’s little ambiguity about its intended usage, the same argument could have set a precedent for regulating legitimate security testing tools.