From Ars: "Spyware service provider Hacking Team orchestrated the hijacking of IP addresses it didn't own to help Italian police regain control over several computers that were being monitored in an investigation"
Over a six day period in August 2013, Italian Web host Aruba S.p.A. fraudulently announced its ownership of 256 IP addresses into the global routing system known as border gateway protocol, the messages document. Aruba's move came under the direction of Hacking Team and the Special Operations Group of the Italian National Military Police, which was using Hacking Team's Remote Control System malware to monitor the computers of unidentified targets. The hijacking came after the IP addresses became unreachable under its rightful owner Santrex, the "bullet-proof" Web hosting provider that catered to criminals and went out of business in October 2013, according to KrebsOnSecurity.
It's not clear from the e-mails, but they appear to suggest Hacking Team and the Italian police were also relying on Santrex. The emails were included in some 400 gigabytes of proprietary data taken during last weekend's breach of Hacking Team and then made public on the Internet.
With the sudden loss of the block of IP addresses, Italy's Special Operations Group was unable to communicate with several computers that were infected with the Hacking Team malware. The e-mails show Hacking Team support workers discussing how the law enforcement agency could regain control. Eventually, Italian police worked with Aruba to get the block—which was known as 46.166.163.0/24 in Internet routing parlance—announced in the BGP system as belonging to Aruba. It's the first known case of an ISP fraudulently announcing another provider's address space, said Doug Madory, director of Internet analysis at Dyn Research, which performs research on Internet performance.
Also covered by Brian Krebs:
http://krebsonsecurity.com/2015/07/hacking-team-used-spammer-tricks-to-resurrect-spy-network/
(Score: 2) by sjames on Tuesday July 14 2015, @12:39PM
The machines they were monitoring had trojans on them phoning home. The ISP housing 'home' went away. Since the trojans were contacting a fixed IP{ address, the only way to restore monitoring was to grab those IPs and route them to an active server somewhere.
(Score: 2) by jasassin on Wednesday July 15 2015, @02:51AM
Ah ha! Thanks man.
jasassin@gmail.com GPG Key ID: 0xE6462C68A9A3DB5A
(Score: 2) by jasassin on Wednesday July 15 2015, @03:43AM
jasassin@gmail.com GPG Key ID: 0xE6462C68A9A3DB5A
(Score: 2) by sjames on Wednesday July 15 2015, @10:11AM
Typically when you colo a server, you use IPs assigned by the colo provider (ISP). That provider went belly up.
(Score: 2) by jasassin on Wednesday July 15 2015, @11:19PM
Gotcha. Thanks to everyone who helped explain!
jasassin@gmail.com GPG Key ID: 0xE6462C68A9A3DB5A