On Sunday evening, someone hijacked the Hacking Team account on Twitter and used it to announce that the company known for developing hacking tools was itself a victim of a devastating hack.
Note: This story is a follow-up to the previous Hacking Team story. You should read both if you want to see things from the beginning. A curated slideshow of contracts and other visuals is also available.
The hackers released a 400GB Torrent file with internal documents, source code, and email communications to the public at large. As researchers started to examine the leaked documents, the story developed and the public got its first real look into the inner workings of an exploit development firm.
Hacking Team is an Italian company that sells intrusion and surveillance tools to governments and law enforcement agencies. However, their business has earned them a black mark from privacy and human rights organizations, as the company has been accused of selling tools and services to nations known for violent oppression.
Reporters Without Borders has listed the company on its Enemies of the Internet index, due largely to Hacking Team's business practices and its primary surveillance tool, Da Vinci.
Sunday evening, documents circulating online, and documents shared by @SynAckPwn with Salted Hash, have linked Hacking Team to Egypt, Lebanon, Ethiopia, and Sudan.
The link to Sudan is especially newsworthy, as the company previously stated it had never done business with the nation. There is a UN arms embargo on Sudan, which is covered by EU and UK law. If they were doing business with the Sudanese government, Hacking Team could be in hot water.
In 2014, a Citizen Lab report revealed evidence that Hacking Team's RCS (Remote Control System) was being used by the Sudanese government, something the Italian company flat-out denied.
However, on Sunday a contract with Sudan, valued at 480,000 Euro, and dated July 2, 2012, was published as part of the 400GB cache. In addition, a maintenance list named Sudan as a customer, but one that was "not officially supported." Interestingly, Russia has the same designation.
Along with Russia and Sudan, there were other customers exposed by the breach including:
Egypt, Ethiopia, Morocco, Nigeria, Chile, Colombia
Ecuador, Honduras, Mexico, Panama, United States
Azerbaijan, Kazakhstan, Malaysia, Mongolia, Singapore, South Korea
Thailand, Uzbekistan, Vietnam, Australia, Cyprus, Czech Republic
Germany, Hungary, Italy, Luxembourg, Poland, Spain
Switzerland, Bahrain, Oman, Saudi Arabia, UAE
Newly published documents from the cache include invoices for services with Italian law enforcement, Oman, South Korea, UAE, Kazakhstan, Mongolia, Lebanon, Germany, Saudi Arabia, Mexico, Brazil, Singapore, Egypt, and Vietnam. The total value of the invoices is €4,324,350.
The hack went without comment for several hours, until members of Hacking Team woke on Monday morning. One of the company's staffers, Christian Pozzi, offered several comments on the breach, despite his statement that he couldn't comment.
"We are awake. The people responsible for this will be arrested. We are working with the police at the moment," Pozzi wrote.
"Don't believe everything you see. Most of what the attackers are claiming is simply not true...The attackers are spreading a lot of lies about our company that is simply not true. The torrent contains a virus..."
Pozzi took to Twitter to repeat largely the same message, the key points being that Hacking Team is working with law enforcement on this matter, that the massive torrent file has malware in it (it doesn't), that customers are being notified, and that his company has done nothing illegal:
"... We simply provide custom software solutions tailored to our customers' needs..."
[Pozzi either deleted or disabled his Twitter account. An archive is available here.]
It's also worth noting that he threatened security researchers with jail for discussing his poorly selected passwords, which were leaked as part of the 400GB cache. Additional details on that, including examples of the poorly crafted passwords that were exposed, can be found in the previous Hacking Team story.
One new update is that a list of VPN logins was discovered in the cache, and like the other leaked VPN details, Hacking Team has assigned customers access to accounts in the U.S. and Europe, depending on their location. However, all of those accounts are burned, so they're of little value.
The Hacking Team hack is a developing story. Salted Hash will follow it, and provide updates as needed. Stay tuned.
Update 1: As this post was being added to the CMS, Christian Pozzi's Twitter account was hacked. It looks as if the hackers who targeted Hacking Team have started to go after the staff too. However, Pozzi's Twitter details, along with other social media accounts, were part of the leaked Firefox password store.
Update 2: Readers have asked about additional countries under maintenance contract. The list below was leaked along with the rest of the Hacking Team cache on Sunday.
Update 3: Sources have told Motherboard that Hacking Team has emailed all of their customers and urged them to stop using their Remote Control System (RCS), sold under the name Galileo. The source also states the company hasn't been able to regain access to their email systems.