Earlier this month a deluge of emails was uploaded to Wikileaks via, as always, an anonymous source. This leak is particularly noteworthy as the “victim” is one of the internets most notorious surveillance providers and proliferators of hacking technology. Gigabytes of emails and source code revealed an insight into one of the world’s shadiest organisations, unapologetically called, the Hacking Team and their clientele includes top Australian agencies.
Who are the Hacking Team?
The Hacking Team produce and facilitate the use of malware to exploit gaps in security and sell their wares to law enforcement and security agencies all over the world. Their services are billed as offensive security services meaning proactive monitoring and data collection. The Hacking Team’s specialty is zero-day flaws; finding flaws which companies have missed, or spent zero-days fixing. This is a much cheaper and efficient way of accessing devices as it is exploiting flaws the producer is unaware of as opposed to known weaknesses. A popular product they provide is Remote Control Systems which they describe as “A Stealth, Spyware-Based System for Attacking, Infecting and Monitoring Computers and Smartphones. Full intelligence on target users even for encrypted communications (Skype, PGP, secure web mail, etc.)”. RCS allows the infiltrator to completely clone a device and engage in live monitoring through hosting a live version of the device on a server.
The Hacking Team are based in Italy and were founded in 2003 and have offices in Milan, Washington DC and Singapore. They are a surprisingly lean operation with only a handful of employees operating under the philosophy that interesting data doesn’t make it to the internet, and stays on the device requiring stealth, untraceable access. They purchase the codes for the flaws and market their services to law enforcement and security agencies through a range of systems including some more outlandish ones such as developing the ability to hack systems from a wi-fi emitting drone.
The leaker could have made a tonne of money from the codes but instead uploaded it, indicating that it was probably someone looking to expose the activities of the organisation and the reach of their technology all over the world. The current theory is that it is an ex-employee was responsible prompting Italian prosecutors to begin an investigation.
“you say terrorist, I say freedom fighter, nothing matters lol.”
Gleamed from the leak was information about the company’s clients, revealing that The Hacking Team peddle powerful surveillance technology to some of the words most repressive regimes to an extent that would usually be enough to have a company awarded a seat at the SPECTRE table in a Bond flick.
Human Rights Watch describes Bahrain’s record on human rights as “Dismal” including a violent crackdown on democracy protestors in 2011…but they’re good enough for the Hacking Team.
The US State Department considers Mongolia major violators of human rights including police abuse of detainees, wide-spread corruption and a lack of transparency, particularly in the legislative and judicial branches….but they’re good enough for the Hacking Team.
Ethiopia just wanted to do their bit in the war on terror for the good of all man-kind. The only problem is that Ethiopia considers journalists to be terrorists...but they’re good enough for the Hacking Team.
On selling to Libya, the Hacking Team debated the ethics briefly. The CEO wrote “I’m skeptical, it’s a failed state, we can ask for authorization but I really don’t know if it is a blacklisted country.”
Perhaps most egregiously, the Hacking Team was forced to halt sales to Sudan after pressure from the UN over concerns that the sale appeared to violate a UN ban on selling weapons to the Government which extended to digital weapons.
The Hacking Team apparently wanted to make sure it hit all the number one tourist destinations including Egypt, Kazakhstan, Morocco, Russia, Saudi Arabia, Azerbaijan, Turkey.
“Imagine this: a leak on WikiLeaks showing YOU explaining the evilest technology on earth! :-)”
Boy, talk about foreshadowing.
Just for good measure the Hacking Team also sold its wares to several US agencies including the FBI, NSA and Department of Defence. As well as other powerhouses like Israeli law enforcement annnnddddd Australian law enforcement and private companies.
There’s no adequate narrative I can provide in this format to highlight the extent of the Australian involvement so let’s just resort to our old friend known as dotpoints:
- Australian company Miltect sought their services for its clients including the Indonesian National Police, Bureau National Intelligence, Bureau National Narcotics and Military.
- The Australian Federal Police canned them for not responding quickly enough to their urgent servicing enquiries prompting the Hacking Team to improve its service capabilities for Australian and Asian customers.
- On behalf of the ADF Special Forces, security intelligence company Providence, which specialises in UAVs and Robotics sought the services of the Hacking Team.
- Criterion Solutions from Kingston in Canberra desired their services claiming to hold amongst its clients “a number of government agencies”.
- IBAC, the Victorian Independent Broad-Based Anti-Corruption Commission, used services they provided to seek to access private devices including enquiring about hosting Virtual Private Systems, used to run their own copy of a mirror operating system remotely. Mirror operating systems can provide live access to how any device is being used, key-stroke by key-stroke.
We even barely missed a couple of their reps in Canberra trawling for business at a security intelligence event at the QT hotel in May 2015.
So What’s the Big Deal?
Well frankly, I’m not sure there is a big deal. On the face of it this is a legal company selling its capabilities to law enforcement agencies and private providers. Government agencies constantly align with private companies to provide capabilities they are not able to provide themselves for whatever reason.
For me though, the issues this revelation raises are four-fold.
What capabilities does the Hacking Team have that Australian Government agencies don’t have that they need? Organisations like the AFP and IBAC can already access information held on private systems and phones through warrants. Presumably then the issue is a technological one. This implies that there is a shortfall in our technological capabilities that requires us to hire an Italian company to assist them in hacking private devices. Telecommunication companies complying with warrants are not usually able to provide access to exchanges that occur on secure web-based networks such as Viber, Facebook Messenger, Skype or even my pun-eriffic favourite Snapchat. Warrants have the power to provide this information but that doesn’t necessarily address the tech or practical shortfall, given that these companies are all based overseas. With all the legal power in the world, even more so thanks to the panicked legislative response to the Sydney siege, our agencies still apparently don’t have the capabilities without outsourcing. Whether this means that our agencies need more powers or more funding…or less is a conclusion I’ll leave to the reader.
Is there an inherent security risk? Once again, not necessarily. The Hacking Team supply capabilities to tens of law enforcement agencies and from the material leaked appear to have no interest in breaching their commitment to their clients. But the emails display a concerning amount of interest in providing services to 5-eyes nations; a reference to the powerful intelligence sharing agreement between Australia, Canada, the US, Great Britain and New Zealand.
Thirdly, I take issue with these capabilities being provided to private companies and not just law enforcement agencies. It is apparent from the emails that the Hacking Team have no qualms about servicing private companies. The obvious question here is why do private companies need access to the same capabilities as our govt agencies, even if they are claiming to on-sell these services. Our systems of law-enforcement apparently need to access intrusive “offensive intelligence gathering capabilities” via two degrees of private companies to be able to provide the defences we expect and require of them.
Lastly and for me the most important. Let me start with a story. Last year the ANU was forced by student action and the resulting negative public sentiment to divest itself of holdings in companies that negatively affected the environment such as coal and fracking companies. You know where I’m going with this. In the wake of the Snowden, Assange, Schwartz, Greenwald, Manning etc. why are taxpayer dollars supporting a company that supplies capabilities to such nefarious regimes…see above.
If my computer and phone are hacked as a result of this please forgive any late responses…ladies.
None of the companies mentioned were approached for comment and all of the information in this article is compiled from publicly and widely available information.