SoylentNews is people

posted by janrinok on Monday July 06 2015, @05:21PM
from the not-the-best-advertising dept.

Inquisitr has this story.

It is just now being reported on Twitter and by CSO Online that Italian security firm Hacking Team has been compromised by parties unknown.

The attack, which took place during the Women's World Cup, resulted in a Torrent file with over 400GB of internal documents, source code, and email communications being made available to the public. Meanwhile, the attackers have also seized control of Hacking Team's Twitter, defacing it and posting images of the stolen data.

Christopher Soghoian, principal technologist of the ACLU, says that a preliminary analysis of the Torrent's contents suggests that Hacking Team included among their customers nations such as South Korea, Kazakhstan, Saudi Arabia, Oman, Lebanon, and Mongolia. Hacking Team, which specializes in intrusion and surveillance, has always maintained that they do not do business with oppressive governments.

The tools developed by Hacking Team have been linked to several cases of privacy invasion in the past, by researchers and the media.

n1 writes:

As reported by Threatpost:

Among the more potentially damaging documents made public are invoices showing that Hacking Team has sold its intrusion software to government agencies in countries known to have oppressive regimes, including Sudan, Ethiopia, and Egypt.

[...] Hacking Team officials have not released any official public statements about the attack yet.

As researchers and others have begun to look through the documents, they have found a number of significant things, aside from the invoices. Among the discoveries is the fact that Hacking Team has a legitimate Apple iOS developer certificate that expires next year. Another researcher found a handful of files that listed the VPS (virtual private server) servers used by Hacking Team, and published a list of the IP addresses for the servers.



Related Stories

Breaking News: Hacking Team Complains That its Leaked Zero-Days Will be Misused 47 comments

Hacking Team has issued a statement confirming that its code and zero-day software vulnerabilities were leaked:

It is now apparent that a major threat exists because of the posting by cyber criminals of HackingTeam proprietary software on the Internet the night of July 6. HackingTeam's investigation has determined that sufficient code was released to permit anyone to deploy the software against any target of their choice.

Before the attack, HackingTeam could control who had access to the technology which was sold exclusively to governments and government agencies. Now, because of the work of criminals, that ability to control who uses the technology has been lost. Terrorists, extortionists and others can deploy this technology at will if they have the technical ability to do so.

Adobe has patched a security bug in Flash, and Microsoft is working on a vulnerable kernel driver. Discussed at The Register and Motherboard.

The Intercept has detailed Hacking Team's demonstration to a Bangladesh "death squad," the use of Hacking Team software by the DEA to spy on all Colombian ISPs from the U.S. embassy in Bogota, and more. In one email, CEO David Vincenzetti unwittingly predicts the current fallout while warning employees not to leak the company's secrets: "Imagine this: a leak on WikiLeaks showing YOU explaining the evilest technology on earth! :-)" he wrote. "You will be demonized by our dearest friends the activists, and normal people will point their fingers at you."

Privacy International's Deputy Director Eric King has called the leaks "the equivalents of the Edward Snowden leaks for the surveillance industry." Nevertheless, Hacking Team plans to continue its operations. PhineasFisher, a hacker who penetrated Hacking Team's competitor Gamma International last year and leaked 40 GB of internal data, has claimed responsibility for this hack.



South Korean Intelligence Employee Commits Suicide Over Hacking Scandal 9 comments

A South Korean National Intelligence Service (NIS) employee, only known so far as "Lim", has been found dead in his car after an apparent suicide. He left a will confirming details of the use of software from Italian firm Hacking Team. However, he denied that the software was used to spy domestically, as opposition legislators believe. The man admitted to deleting important information about the hacking.

It has emerged that mobile phones were tracked and monitored just before the presidential election in 2012. Government and NIS officials have denied opposition claims that the spyware — bought from an Italian company — was used to monitor South Koreans in general. They insist that its purpose was to boost the country's cyber-warfare capabilities against North Korea.

The BBC's Stephen Evans, in South Korea, says that the note left by the dead man implies that phones were monitored only to keep tabs on people connected to North Korea and not to besmirch opponents of the right-of-centre president. The spy agency had a scandalous reputation in the years before South Korea embraced democracy in the 1980s, and was involved in abductions and killings. The modern NIS is not accused of such serious offences but has nevertheless been embroiled in several scandals, including election meddling. Opposition politicians allege that it is not politically neutral, breaks the law and is a political tool for sitting presidents. Last week the Supreme Court ordered a review of the conviction of former NIS head Won Sei-hoon, who was sentenced to three years in jail in February for trying to influence the results of the 2012 presidential election.

South Korean NIS chief Lee Byoung Ho recently admitted to "exploring" the purchase of Hacking Team software to intercept communications using the popular Kakao Talk smartphone chat app, but didn't confirm making a purchase and claimed the agency only intended to monitor North Korean agents. The Korea Observer has described leaked Hacking Team emails with a Korean client interested in purchasing Remote Control System (RCS) software from the company.



Hacking Team Break-in Explained 7 comments

The attacker who broke into the computers of Hacking Team has written a narrative of the event, detailing the methods used. The write-up is available on pastebin in English (mirror) and in Spanish (mirror).

Coverage:

In other news about Hacking Team, the Financial Times reports (semi-paywalled) that Italy's ministry of economic development, citing "changed political circumstances" that may be related to Italian-Egyptian relations in the wake of the murder of Giulio Regeni, has revoked the company's licence to export outside the EU.

Related stories:
Italian Security Firm "Hacking Team" Has Been Compromised
Hacking Team Complains That its Leaked Zero-Days Will be Misused



Spanish Police Arrest Suspected Hackers of Spyware Vendors 8 comments

Spanish police have arrested three people they linked to the hacking of Gamma Group and Hacking Team:

Spanish police have arrested three people over a data breach linked to a series of dramatic intrusions at European spy software companies — feeding speculation that the net has closed on an online Robin Hood figure known as Phineas Fisher.

A spokesman with Mossos d'Esquadra, Catalonia's regional police, said a man was arrested Tuesday in Salamanca on suspicion of breaking into the website of the Mossos labor union, hijacking its Twitter feed and leaking the personal data of more than 5,500 officers in May of last year. Another man and a woman were arrested in Barcelona in connection to the same breach, he said. No more arrests are expected, he added, speaking on condition of anonymity in line with force policy.

May's breach was claimed by Phineas Fisher, who first won notoriety in 2014 for publishing data from Britain's Gamma Group — responsible at the time for spyware known as FinFisher. The hacker cemented their reputation by claiming responsibility for a breach at Italy's Hacking Team in 2015 — a spectacular dump which exposed the inner workings of government espionage campaigns — and appearing as a hand puppet in an unusual interview for a 2016 documentary on cybermercenaries.

Also at Motherboard and The Hill.

Previously: Gamma FinFisher Hacked - 40 GB of Code and Docs Available
WikiLeaks Releases German Surveillance Malware
Italian Security Firm "Hacking Team" Has Been Compromised
Hacking Team Complains That its Leaked Zero-Days Will be Misused
Hacking Team Break-in Explained



This discussion has been archived. No new comments can be posted.
  • (Score: 0) by Anonymous Coward on Monday July 06 2015, @05:29PM

    by Anonymous Coward on Monday July 06 2015, @05:29PM (#205743)

    Anybody here taking up this torrent?

    • (Score: 5, Informative) by _NSAKEY on Monday July 06 2015, @05:42PM

      by _NSAKEY (16) on Monday July 06 2015, @05:42PM (#205752)

      You don't need to get it all if you don't want. Mirrors of the data can be found here [thecthulhu.com] and here [musalbas.com]. HackingTeam's Twitter timeline [archive.is] from just after the breach announcement is packed full of comedy for those of you who are into that sort of thing.

  • (Score: 2, Touché) by Anonymous Coward on Monday July 06 2015, @05:42PM

    by Anonymous Coward on Monday July 06 2015, @05:42PM (#205751)

    I guess they didn't use their own products, which is bad, or they did use their products and got hacked anyway, which is worse. Based on their client list of oppressive regimes they got what they deserved.

    • (Score: 5, Insightful) by MrGuy on Monday July 06 2015, @05:59PM

      by MrGuy (1007) on Monday July 06 2015, @05:59PM (#205761)

      I guess they didn't use their own products, which is bad, or they did use their products and got hacked anyway, which is worse

      You misunderstand their products.

      Hacking Team sells intrusion products - products that exploit weaknesses and introduce backdoors on targeted machines to enable surveillance. This is materially different from selling products/being experts in the field of PREVENTING companies from hacking your OWN machines. The fields are related, but they differ significantly - one is offense and the other is defense.

      To have a successful hacking product, you need knowledge of only a small number (as few as one) of exploitable problems as a way in. Your main expertise needs to be in making benign-looking exploit tools that can run on the target machine and enable surveillance without alerting the user, so that you can stay undetected for a long time. To protect a company, you need to know ALL the possible exploits that can be used to find a way in to your machines.

      • (Score: 5, Funny) by The Archon V2.0 on Monday July 06 2015, @06:53PM

        by The Archon V2.0 (3887) on Monday July 06 2015, @06:53PM (#205788)

        And for further proof that you don't need to have good security to build intrusion tools, the managing director thinks "passw0rd" is a password that should be used.

        Repeatedly.

        Across multiple systems.

        http://www.computing.co.uk/ctg/news/2416369/hacking-team-md-used-passw0rd-as-password-for-every-system [computing.co.uk]

        • (Score: 2) by edIII on Tuesday July 07 2015, @12:01AM

          by edIII (791) on Tuesday July 07 2015, @12:01AM (#205910)

          I've always thought the best password was just a single space. I mean seriously, who would ever think you would be that stupid right? ;)

          --
          Technically, lunchtime is at any moment. It's just a wave function.
      • (Score: 0) by Anonymous Coward on Tuesday July 07 2015, @12:24AM

        by Anonymous Coward on Tuesday July 07 2015, @12:24AM (#205921)

        I do understand their products. And if they did they would have patched or otherwise mitigated those known (to them) vulnerabilities. If they can penetrate their own networks with their own products then they are foolish.

    • (Score: 2) by JNCF on Monday July 06 2015, @07:45PM

      by JNCF (4317) on Monday July 06 2015, @07:45PM (#205807) Journal

      Based on their client list of oppressive regimes they got what they deserved.

      'Chickens coming home to roost,' as The Man said.

  • (Score: 3, Touché) by Runaway1956 on Monday July 06 2015, @06:02PM

    by Runaway1956 (2926) Subscriber Badge on Monday July 06 2015, @06:02PM (#205764) Journal

    They need something more to their name, like Federal.

    http://krebsonsecurity.com/2011/02/hbgary-federal-hacked-by-anonymous/ [krebsonsecurity.com]

    • (Score: 4, Funny) by MrGuy on Monday July 06 2015, @06:15PM

      by MrGuy (1007) on Monday July 06 2015, @06:15PM (#205771)

      Or maybe something about Equations. [wikipedia.org]

      • (Score: 0) by Anonymous Coward on Monday July 06 2015, @11:54PM

        by Anonymous Coward on Monday July 06 2015, @11:54PM (#205905)

        How about Karma?

        • (Score: 3, Funny) by Runaway1956 on Tuesday July 07 2015, @01:28AM

          by Runaway1956 (2926) Subscriber Badge on Tuesday July 07 2015, @01:28AM (#205944) Journal

          Karma? That's when a script kiddie is reincarnated as a Game Boy, and a real hacker gets reincarnated as a data center.

          • (Score: 0) by Anonymous Coward on Tuesday July 07 2015, @02:15AM

            by Anonymous Coward on Tuesday July 07 2015, @02:15AM (#205962)

            I prefer to reincarnate into a Gameboy

  • (Score: 3, Touché) by MrGuy on Monday July 06 2015, @06:12PM

    by MrGuy (1007) on Monday July 06 2015, @06:12PM (#205770)

    I am particularly amused by the wording of their denial.

    According to Salted Hash, [csoonline.com] Christian Pozzi of Hacking Group responded to the hack as follows:

    "We are awake. The people responsible for this will be arrested. We are working with the police at the moment," Pozzi wrote.

    Given the apparent smoking gun of his company's ties to oppressive regimes and defiance of UN embargoes, one wonders if he realizes the irony in his claim that "The people responsible for this will be arrested."

    Note: per the article I quote, the statement attributed to Christian Pozzi was apparently posted on his personal twitter account, which was subsequently hacked and later taken down. Given a reputable news source attributes the quote to Pozzi, I am doing the same, but apply your own amount of salt.

    • (Score: 2) by Marneus68 on Monday July 06 2015, @06:26PM

      by Marneus68 (3572) on Monday July 06 2015, @06:26PM (#205775) Homepage

      I saw the quote when his twitter was still live before it was hacked this morning. I know this doesn't mean anything but I can confirm it was real.

      As for the threat itself I don't think there's any weight to it yet, it's more like a "you dun goofed, you've been reported to the state police and the cyber police" kind of threat.

  • (Score: 3, Funny) by Dunbal on Monday July 06 2015, @06:32PM

    by Dunbal (3515) on Monday July 06 2015, @06:32PM (#205779)

    Because Italians have been at the forefront of security since Julius Caesar.

    • (Score: 2) by aristarchus on Monday July 06 2015, @10:26PM

      by aristarchus (2645) on Monday July 06 2015, @10:26PM (#205866) Journal

      Gallic Wars! "Veni, visi, hacked!"

      • (Score: 0) by Anonymous Coward on Monday July 06 2015, @11:57PM

        by Anonymous Coward on Monday July 06 2015, @11:57PM (#205907)

        Blame it on the French.

        • (Score: 2) by aristarchus on Tuesday July 07 2015, @12:14AM

          by aristarchus (2645) on Tuesday July 07 2015, @12:14AM (#205917) Journal

          But the Franks would not even be there for six or seven centuries. Gauls! Celtic people. On the other hand, the Lombards would not migrate into Italia till about the same time. So what have the Romans ever done for us?