The founder of cyber-security firm Hacking Team has finally spoken out over the attack that saw 400GB of its data dumped on the internet, insisting: “We’re the good guys”. In contrast to many of the private companies performing outsourced aggressive surveillance work for the world’s spy agencies, Hacking Team doesn’t try to hide behind a generic corporate identity. David Vincenzetti, 47, founder of the Milan-based company, told Italian newspaper La Stampa that the cyber attack – which saw the code for the company’s hacking tools and its email archive published online – was not enabled by poor security or weak passwords and that it could have only been an organisation “at the governmental level”.
Unknown hackers last week downloaded 400GB of data from the firm, which makes surveillance software that allows law enforcement and intelligence agencies to tap into the phones and computers of suspects. Gamma International, Academi and QinetiQ could be companies doing anything, but Hacking Team – well, it doesn’t take a genius to guess what line of work they are in. Vincenzetti said: “This is not an impromptu initiative: the attack was planned for months, with significant resources, the extraction of data took a long time.” But he did not explain how Hacking Team apparently failed to notice the attack while it was taking place.
In response to concerns that Hacking Team supplied tools to repressive states which could be used to hack into and spy on almost anyone, Vincenzetti said: “We did (sell tools to Libya) when suddenly it seemed that the Libyans had become our best friends.” He also admitted providing tools to Egypt, Ethiopia, Morocco and Sudan, as exposed by the company’s email archive, though denied dealing with Syria. The source code of a number of its top secret programmes has also been published online. “Given its complexity, I think that the attack must have been carried out at a government level, or by someone who has huge funds at their disposal,” David Vincenzetti, the chief executive officer of Hacking Team, told Sunday’s La Stampa newspaper. The company has advised clients to halt their use of its programmes until they can upgrade the compromised software, but warned that all computer systems might now be vulnerable. “Hacking Team’s investigation has determined that sufficient code was released to permit anyone to deploy the software against any target of their choice,” the company said in a statement on its Internet site. It doesn’t provide security at all, really; none of their software will help clients avoid cyberattacks, tighten up their internal networks, or patch flaws in their software.
“But we do not trade in weapons, we do not sell guns that can be used for years.” He said that without regular updates its tools are rapidly blocked by cyber security countermeasures. A further two vulnerabilities within Adobe’s Flash plugin have been exposed and are actively being exploited as a result of the attack, Adobe has confirmed.
Enter his wireless network and tackle tactical operations with ad-hoc equipment designed to operate while on the move. Remote Control System: the hacking suite for governmental interception. The leaked e-mails show that the Hacking Team worked with numerous state institutions in an array of countries, including Italy, the United States and Australia. It also had dealings with countries criticised for their human rights records, such as Libya, Egypt, Ethiopia, Kazakhstan, Morocco, Nigeria, Saudi Arabia and Sudan.
It didn’t disclose its clients, the technology behind its software, or the sort of work it was contracted to do, citing the need for privacy and security. Breaking his silence almost a week after the hack was uncovered, Vincenzetti defended his choice of clients, saying he had never broken international trade law. Reporters Without Borders (RSF) published an extensive report into “digital mercenaries” such as Hacking Team, who provide the technical expertise which underpins Snowden-era electronic surveillance. In it, the group named five “corporate enemies of the internet”: Hacking Team, Britain’s Gamma Group, Germany’s Trovicor, France’s Amesys, and America’s Blue Coat Systems. And if they didn’t directly sell to authoritarian regimes, they were almost as guilty, of letting dangerous tools fall into the hands of malicious actors.
If that happened, “their failure to keep track of the exports of their own software means they did not care if their technology was misused and did not care about the vulnerability of those who defend human rights,” the report said. Following the RSF report, it said that “Hacking Team goes to great lengths to assure that our software is not sold to governments that are blacklisted by the EU, the US, Nato and similar international organisations or any ‘repressive’ regime”. “We also go to some lengths to monitor reports of use of our software in ways that might be inappropriate or illegal.” Most recently, in March 2015, Hacking Team was accused of providing the tools used by the Ethiopian government to spy on journalists and activists based overseas. A report from CitizenLab, based at the University of Toronto, found that several journalists based in Washington DC, working for an Ethiopian diaspora news channel called ESAT, had been infected with what appeared to be Hacking Team’s RCS spyware. Despite Hacking Team’s assurance that “we will refuse to provide or we will stop supporting our technologies to governments or government agencies that … we believe have used HT technology to facilitate gross human rights abuses”, it appears that it continued to provide the software to Ethiopia, even after CitizenLab unveiled abuses over a year earlier.
The company, which accepted that documents had been stolen in the attack, refused to comment on the validity of the dump as a whole, and a spokesman told the Guardian that “interpreting even valid documents without complete picture of why they were created or how they were used can easily lead to misunderstandings and even false conclusions”. Part of the proposed response leant on the evidence that its RCS was involved: “The Citizen Lab report … also asserts that HT [Hacking Team] software was involved, but bases this assertion on speculation by Citizen Lab investigators, on other press accounts and the presence of three letters ‘rcs’ in the code.” A year ago, the same hacker made a public dump of documents belonging to Gamma International, another of the five firms highlighted by RSF in its report. The tortured mess of regulations around the provision and export of spyware means it’s difficult to hold these companies to account, but slowly, public opinion seems to be turning against them. It puts it in the same category as nuclear reactors and rocket fuel, and means it will become significantly harder to legally export to repressive regimes.
And the company is now warning that its own software is being used: “Before the attack, Hacking Team could control who had access to the technology that was sold exclusively to governments and government agencies. Terrorists, extortionists and others can deploy this technology at will if they have the technical ability to do so.” The data dump is clearly not an unalloyed good.