“Here in HackingTeam we believe that fighting crime should be easy,” promises the Italian company that offers surveillance services to national governments and law enforcement.
HackingTeam assured its clients that its services were untraceable. They also assured everyone else that their client list did not include repressive regimes. Now it appears that neither of those claims may be true.
On Sunday, HackingTeam found itself on the receiving end of an attack. A whopping 400GB of data purported to have been stolen from the company includes a client list featuring some of the countries with the lowest World Bank rankings for freedom of expression, transparency, and the rule of law—countries such as Kazakhstan, Uzbekistan, and Saudi Arabia. That alone would be troublesome for HackingTeam, but then there’s the little matter of how 20 of the nation clients were already known because security researchers were in fact able to trace the supposedly “untraceable” surveillance activities of HackingTeam’s clients more than a year ago.
As further insult, HackingTeam’s own Twitter account was commandeered to send out links to torrents for downloading the stolen data. (The company subsequently deleted the tweets.) It’s still unknown who got the data, and how, but other documents show some rookie-level security goofs by HackingTeam’s staff, like using the same generic username and password–“admin” and “Passw0rd”–for several online accounts. One of the engineers using the weak security measures, engineer Christian Pozzi, had his own Twitter account hacked to read, “We are closing down. Bye Saudi Arabia. You paid us well. Allahuhakbah.”
How did things go so wrong for a company that had the trust, and money, of some of the most powerful players in the world? The answer, in part, is that nothing is really untraceable on the web, if you look hard enough for it.
That’s what the Citizen Lab at the University of Toronto’s Munk School of Global Affairs did. The organization describes its mission as “focusing on advanced research and development at the intersection of Information and Communication Technologies (ICTs), human rights, and global security.” And it’s been going after Hacking Team for years. The watershed moment was a report from February 2014 called “Mapping Hacking Team’s ‘Untraceable’ Spyware.” In it, researchers probed the intricacies of how computers talk to each other on the Internet in order to find their perp.
HackingTeam claimed that its spyware, called Remote Control System (RCS), was untraceable because it sent data through a series of proxy servers, located in different countries, to obscure the final destination in the country doing the surveillance. That’s the same general principle used by The Onion Router, or Tor–technology developed by the U.S. Navy but now also used for anonymous communication by anyone from dissidents living under repressive regimes to drug peddlers on Darknet sites like Ross Ulbricht’s Silk Road.
“Of course becoming entirely untraceable in any meaningful sense is a myth, but it also misses the most important point of why people like to believe in the ‘magic bullets’ such as Tor,” said Thomas White, a security expert and privacy activist who tweets under @CthulhuSec. “Threat modeling is very important, if you do not know who your enemy is then you have no real hope of being untraceable at least to them.” (White recently published the IP addresses of servers for sites on the Darknet that were supposed to be untraceable but had configuration flaws that gave them away.)
HackingTeam certainly should have known it had an “enemy” in Citizen Labs, which has been dogging it for years. Hacking Team has even sent letters to Citizen Lab challenging some of its reports.
Citizen Lab’s sleuthing work was meticulous and rather technical, but this is gist of it is: Data sent over the Internet carries clues and leaves traces. The researchers started with Hacking Team’s spyware, which was loaded mainly into Microsoft Word files (with the ubiquitous .doc extension) that were infected with an Adobe Flash-based malware. They then download the more-complex RCS spyware, which is full of clues in the form of server addresses.
Citizen Lab then found linkage among servers that used the same SSL certificates—a technology commonly used to encrypt anything on the Internet, such as Gmail logins or online banking. Researchers guessed that servers with the same SSL certificate were links in the same proxy chain funneling stolen data to a particular country. Further analyzing the traffic allowed them to figure out how data traveled between the servers and which one was the endpoint. Whatever country the endpoint resides in was likely the country that was a Hacking Team client.
“The key is to know what you are up against, and to never trust anyone,” White told us by email. “People will always be the weakest point of security.”
If what Citizen Lab found is true–and strong evidence shows it is—that’s both good and bad news for the rest of us. A spying government using proxy servers can get caught in the act, but it can also catch other people who are using proxy servers, too. On the Internet, most people might not know you are a dog, but someone who’s determined to sniff you out can.
In their first official statement since the incident, HackingTeam warns against drawing false conclusions based on the leaked material:
HackingTeam has been the victim of an online attack, and documents have been stolen from the company. We are investigating to determine the extent of this attack and specifically what has been taken. We are working with several appropriate law enforcement to determine who is responsible.
Various documents attributed to our company and employees are being provided to the news media and may be published on line.
We do not disclose the names or locations of our clients and will continue to abide by this policy and our contracts which include a confidentiality clause
We cannot comment on the validity of documents purportedly from our company. However, interpreting even valid documents without complete picture of why they were created or how they were used can easily lead to misunderstandings and even false conclusions.
We are continuing our investigation.