Attackers have compromised the network of Italian intrusion software vendor Hacking Team and released a large cache of the company’s private documents, including customer invoices that show sales to oppressive governments.

The incident came to light Sunday evening when unnamed attackers released a torrent with roughly 400 GB of data purported to be taken from Hacking Team’s network. Among the more potentially damaging documents made public are invoices showing that Hacking Team has sold its intrusion software to government agencies in countries known to have oppressive regimes, including Sudan, Ethiopia, and Egypt.

Hacking Team, based in Milan, Italy, is one of a small but growing number of companies that sell surveillance and intrusion software, products designed to help law enforcement agencies and other customers perform remote penetration and control of target systems. Hacking Team, Gamma Group and the others in this niche have come under intense scrutiny from security researchers, privacy advocates, and human rights activists, who say that the applications are used to target activists, journalists, and others.

Much already is known about the Remote Control System software that Hacking Team sells. Researchers have found samples of the application in a number of places in recent years and complete reverse-engineering analyses of the software have been published. Researchers working with the Citizen Lab at the University of Toronto have published evidence of Hacking Team’s software being used to target Ethiopian journalists, as well as other controversial targets. In an open letter sent to Hacking Team executives in March, Citizen Lab researchers asked why journalists from the Ethiopian Satellite Television Service are being targeted by a user of the company’s software, in apparent violation of Hacking Team’s own customer policy.

“Quite simply put, after all of the prior reporting surrounding the use of RCS against ESAT journalists in December 2013 and its human rights implications, how has it come to pass that RCS is again linked in late 2014 to the same activity? What steps will Hacking Team take to control such apparent misuse of its technology and prevent the continued targeting of ESAT journalists?” the letter says.

The release of Hacking Team’s internal documents, emails, and invoices could have serious effects for the company. But researchers say that they don’t necessarily expect the incident to have major long-term effects on the sale and use of intrusion software.

“Hacking Team is just one player in a big market. I suspect others will continue just fine, and probably Hacking Team itself will resurface in a while,” said Claudio Guarnieri, an independent security researcher who participated in Citizen Lab’s work on Hacking Team’s software.

“An investigation on the hack has most certainly already started, which I hope won’t be used as an instrument to pressure those who have been vocal about the company’s actions in the past. Rather, I hope that at least now the European Union, United Nations and Italian authorities will be bound to take action and conduct a proper investigation into the legitimacy of that business and the serious human rights concerns we always had, and that are now undeniable.”

Hacking Team officials have not released any official public statements about the attack yet.

As researchers and others have begun to look through the documents, they have found a number of significant things, aside from the invoices. Among the discoveries is the fact that Hacking Team has a legitimate Apple iOS developer certificate that expires next year. Another researcher found a handful of files that listed the VPS (virtual private server) servers used by Hacking Team, and published a list of the IP addresses for the servers.

Image from Flickr photos of Alexandre Dulaunoy

 

Categories: Hacks, Malware, Web Security