So the Internet has been blowing up for the last few days about an Italian information security company called Hacking Team getting pwned – they were already pretty famous for their software RCS (Remote Control Software) also known as Galileo.
In modern digital communications, encryption is widely employed to protect users from eavesdropping. Unfortunately, encryption also prevents law enforcement and intelligence agencies from being able to monitor and prevent crimes and threats to the country security. Remote Control System (RCS) is a solution designed to evade encryption by means of an agent directly installed on the device to monitor. Evidence collection on monitored devices is stealth and transmission of collected data from the device to the RCS server is encrypted and untraceable.
They’ve been selling RCS, exploit kits and more shady darkweb tools exclusively to governments, and have done some pretty shady deals – including selling to Sudan who are basically committing genocide and Saudi Arabia. Reports Without Borders lists them as an enemy of the Internet – https://surveillance.rsf.org/en/
The other is a list of five “Corporate Enemies of the Internet,” five private-sector companies that are “digital era mercenaries.” The five companies chosen are Gamma, Trovicor, Hacking Team, Amesys and Blue Coat, but the list is not exhaustive and will be expanded in the coming months. They all sell products that are liable to be used by governments to violate human rights and freedom of information.
The countries it’s known to have sold to include Azerbaijan, Colombia, Egypt, Ethiopia, Hungary, Italy, Kazakhstan, Korea, Malaysia, Mexico, Morocco, Nigeria, Oman, Panama, Poland, Saudi Arabia, Sudan, Thailand, Turkey, UAE, and Uzbekistan…and probably others as well.
There’s an in-depth report here from 2014 on the usage of RCS – Mapping Hacking Team’s “Untraceable” Spyware.
Remote Control System (RCS) is sophisticated computer spyware marketed and sold exclusively to governments by Milan-based Hacking Team. Hacking Team was first thrust into the public spotlight in 2012 when RCS was used against award-winning Moroccan media outlet Mamfakinch, and United Arab Emirates (UAE) human rights activist Ahmed Mansoor. Most recently, Citizen Lab research found that RCS was used to target Ethiopian journalists in the Washington DC area.
And more here including RCS manuals and analysis – Secret Manuals Show the Spyware Sold to Despots and Cops Worldwide.
We’re publishing in full, for the first time, manuals explaining the prominent commercial implant software “Remote Control System,” manufactured by the Italian company Hacking Team. Despite FBI director James Comey’s dire warnings about the impact of widespread data scrambling — “criminals and terrorists would like nothing more,” he declared — Hacking Team explicitly promises on its website that its software can “defeat encryption.”
So they’ve been known about, and in the limelight for quite some time – but why this blew is up is they actually got hacked. From some initial analysis, it looks like they’ve been compromised since January or so but just this week whoever penetrated them released what they’d collected.
A mammoth 415GB cache of goodies including source code, customer lists, documents, confidential e-mails, password lists, private keys and MUCH more was unleashed and set the infosec community on fire. Mirror here – https://ht.transparencytoolkit.org/
It’s also causing some security fall-out panic as an Adobe Flash 0-day leaked during the dump has gone into the wild, already integrated into common exploit kits.
The vulnerability is cataloged as CVE-2015-5119 and is active in Flash versions 184.108.40.206 and earlier. According to security firm Rapid 7, it stems from a use-after-free bug that can be exploited while Flash is handling ByteArray objects. The update is available for Windows, Mac OS X, and Linux systems. Adobe has credited Google’s Project Zero and Morgan Marquis-Boire, director of security, First Look Media, for reporting the critical bug and working to protect Flash users.
Coined by many now as ‘Hacked Team’ there is a Github repo of the same name with all the source code from the leak: https://github.com/hackedteam
I don’t know if anyone else noticed, but some of the imported repos actually link to an active Github account called ‘alor‘ – which is Hacking Team employee Alberto Ornaghi (an active Software Architect at Hacking Team according to his LinkedIn).
Another fascinating part of the leak is the price list of their software, you view the full RCS price list here: Remote Control System – Price Scheme
And also the FULL RCS 9 admin guide here – RCS 9 Administrator’s Guide
There’s an almost non-stop stream of chatter about this on Twitter too, where you can see various people exploring various parts of the dump: #hackingteam
More from Wired: Hacking Team Breach Shows a Global Spying Firm Run Amok
Few news events can unleash more schadenfreude within the security community than watching a notorious firm of hackers-for-hire become a hack target themselves. In the case of the freshly disemboweled Italian surveillance firm Hacking Team, the company may also serve as a dark example of a global surveillance industry that often sells to any government willing to pay, with little regard for that regime’s human rights record.
The cybersecurity firm Hacking Team appears to have itself been the victim of a hack, with documents that purport to show it sold software to repressive regimes being posted to the company’s own Twitter feed.
The Italy-based company offers security services to law enforcement and national security organisations. It offers legal offensive security services, using malware and vulnerabilities to gain access to target’s networks.
And well anywhere you search now basically will be shouting about Hacking Team Hacked, Google News for example – just search “Hacking Team”:
Currently the front page + 192 more articles are available. So go read some more!
It’ll be interesting to see what else is uncovered from this treasure trove of illicit software and governmental communications. I’d personally be scared if I had some really pissed clients that have their own personal armies..