Boeing subsidiary wants to use drones to infect PCs with Hacking Team spyware

Leaked Hacking Team emails revealed that Boeing subsidiary Insitu asked about using its drones to deliver Hacking Team malware and infect targets' PCs.

After attending IDEX 2015 (International Defense Exhibition), Boeing subsidiary Insitu became interested in using its surveillance drones to deliver Hacking Team malware for even more surveillance.

In April, an Insitu mechanical engineering intern emailed the Hacking Team, writing:

We see potential in integrating your Wi-Fi hacking capability into an airborne system and would be interested in starting a conversation with one of your engineers to go over, in more depth, the payload capabilities including the detailed size, weight, and power specs of your Galileo System.

An internal Hacking Team email said Insitu was interested in infecting a target through Wi-Fi via an airborne drone. Before giving Insitu any information, the Hacking Team asked the company to first "sign and stamp the NDA."

While reporting on the Hacking Team's intention to infect computers via drone, The Intercept specifically mentioned Insitu's ScanEagle surveillance drone, which is used by militaries; the company also has drones marketed for law enforcement.

[Image: Field service representative for The Insitu Group holding a ScanEagle while on an aerial surveillance service contract for the Marines.]

[Image: Computers displaying ScanEagle data almost a decade ago, in 2006. U.S. Marine Corps photo by Cpl. Michael P. Snody.]

The Hacking Team was developing mini and micro versions of a TNI (Tactical Network Injector) which were to be "ruggedized" and "transportable by drone," according to an internal email dated July 1 with the subject "roadmap." A "new set of external antennas for the TNI" was marked as "done." The email did not mention range, so it is not known how far away a drone could be and still infect a target's PC with Hacking Team's Remote Control System (RCS), aka Galileo.

Regarding Hacking Team's TNI, The Intercept explained:

A TNI is a portable, often laptop-based, physical device, which an operator would use to plug into a network the target is using — such as an open Wi-Fi network in a hotel or coffee shop. When the targeted person uses the Internet for some ordinary activity, like watching a video or downloading an app, the device intercepts that traffic (so long as it is unencrypted) and injects the malicious code that secretly installs Hacking Team's spyware.
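The Intercept's description above hinges on one condition: the injector can only rewrite traffic it can read. The following Python is an added example, not Hacking Team's code and not from The Intercept. It simulates, on a constructed plaintext HTTP/1.1 response, what an on-path injector does to a download in flight (swap the body, fix Content-Length so the client accepts it), and then shows the check that catches the substitution when the channel is not encrypted: comparing the received body against a hash obtained out of band. The response bytes, the "installer" strings and the hash are all constructed for the example.

```python
import hashlib

# Constructed sample: a plaintext HTTP/1.1 response for a small download,
# as it might leave the server before an on-path injector sees it.
ORIGINAL_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Content-Length: 22\r\n"
    b"Connection: close\r\n"
    b"\r\n"
    b"GENUINE-INSTALLER-v1.0"
)

# Stand-in for the implant an injector would substitute (constructed).
INJECTED_BODY = b"TROJANIZED-INSTALLER-v1.0!!"

# Hash the client is assumed to have obtained out of band (constructed from
# the genuine body above); a real deployment publishes this over TLS or
# ships it with a signed manifest.
GENUINE_SHA256 = hashlib.sha256(b"GENUINE-INSTALLER-v1.0").hexdigest()


def split_response(raw: bytes):
    """Split a raw HTTP/1.1 response into (status line, [(name, value)], body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def header(headers, name: bytes):
    """Case-insensitive header lookup; returns None if absent."""
    for n, v in headers:
        if n.lower() == name.lower():
            return v
    return None


def inject_into_http_response(raw: bytes, payload: bytes) -> bytes:
    """Simulate an on-path injector rewriting an unencrypted response.

    The status line and headers the client expects are kept, the body is
    replaced, and Content-Length is corrected so the client reads exactly
    the substituted bytes and notices nothing at the HTTP layer.
    """
    status, headers, _ = split_response(raw)
    rebuilt = status + b"\r\n"
    for name, value in headers:
        if name.lower() == b"content-length":
            value = str(len(payload)).encode()
        rebuilt += name + b": " + value + b"\r\n"
    return rebuilt + b"\r\n" + payload


def verify_download(raw: bytes, expected_sha256: str) -> bool:
    """Integrity check that defeats body substitution on a plaintext channel.

    Rejects a response whose Content-Length disagrees with the body
    (truncation or a sloppy injector) or whose body hash does not match
    the out-of-band value.
    """
    _, headers, body = split_response(raw)
    length = header(headers, b"Content-Length")
    if length is None or int(length) != len(body):
        return False
    return hashlib.sha256(body).hexdigest() == expected_sha256


if __name__ == "__main__":
    tampered = inject_into_http_response(ORIGINAL_RESPONSE, INJECTED_BODY)
    print("genuine passes hash check:", verify_download(ORIGINAL_RESPONSE, GENUINE_SHA256))
    print("tampered passes hash check:", verify_download(tampered, GENUINE_SHA256))
    print("tampered Content-Length:", header(split_response(tampered)[1], b"Content-Length"))
```

The point for a defender is that the HTTP layer itself gives the client nothing to detect here: the rewritten response is well formed and self-consistent. Only something the injector cannot forge, a TLS session or a hash or signature fetched over a separate trusted path, exposes the swap, which is why the quoted condition "so long as it is unencrypted" is the whole attack surface.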

After "thinking outside the box" about Hacking Team's spyware delivered via drone or more traditional methods, Bitcoinist suggested that the malware could be used "as a way to track online payment behavior. For example, if someone would be using a Bitcoin client on their computer – or mobile device – that kind of activity could technically be monitored as well. As a result, government officials can start linking a person's ID to a Bitcoin address."

Hacking Team and Windows 10

It was previously reported that Hacking Team provided services like "social engineering exploits, public exploits, private exploits and zero-day exploits" to help its buyers infect victims. In the same July 1 email that discussed using a drone to inject malware onto a target's computer, the Hacking Team talked about Windows 10 and Microsoft's Edge browser. The plan was to release a new "smaller version" of its RCS to coincide with Microsoft's release of Windows 10 this month (Windows 10 launched on July 29, 2015).

According to Bing and Google translations of the email, which was written in Italian, the remote control system for Windows 10 would include:

  • Support for Offline on infection Win10
  • "Social" Support for Edge browser
  • New set of certificates that expired after the release of RCS10

Additionally, Windows 10 was discussed under "desktop:"

  • Monitor the spread of Skype (which is the default on Windows 10?)
  • Insert Windows 10 machines in RITE

Other "desktop" features developed for Hacking Team's RCS10 for Windows include: "creation of a new elite;" a "version 'AV friendly' might replace the soldier;" "video encryption key device-related modules" and an "introduction of anti-memory scan" or "support for UniversalApp."

If v10 is "easy to implement and very widespread," then v10.1 would "support OneDrive."

Hacking Team noted that the release of RCS10 was expected around "ISS USA" in October. That is likely a reference to ISS World America (Intelligence Support Systems for Lawful Intercept), where Hacking Team is scheduled to present:

  • Zero in On Your Target: Advanced Social Engineering Techniques
  • Solving the Impossible: A Live Demonstration of Unconventional Surveillance Tools from Hacking Team
  • New Cutting-Edge Surveillance Tools from Hacking Team

There's so much more to uncover about Hacking Team's software and its methods for infecting computers and smartphones for surveillance. It might be wise to check out translations of Hacking Team's "roadmap" email, as it includes interesting tidbits about active and passive attack vectors as well as the company's spyware capabilities for Android, iOS, BlackBerry, OSX and Windows.

Additionally, a search of the WikiLeaks dump of Hacking Team emails returns 11,561 hits for "Microsoft" and 125 for "Win10."

Copyright © 2015 IDG Communications, Inc.
