Senior Staff Writer

Hacking Team hacked, attackers claim 400GB in dumped data

Jul 05, 2015

Cybercrime, Data Breach, Hacking

Firm made famous for helping governments spy on their citizens left exposed

On Sunday, while most of Twitter was watching the Women’s World Cup – an amazing game from start to finish – one of the world’s most notorious security firms was being hacked.

Note: This story is the first of two on the Hacking Team incident. A follow-up has been posted here. In addition, a curated slideshow of visuals from the hack is also available.

Specializing in surveillance technology, Hacking Team is now learning how it feels to have their internal matters exposed to the world, and privacy advocates are enjoying a bit of schadenfreude at their expense.

Hacking Team is an Italian company that sells intrusion and surveillance tools to governments and law enforcement agencies.

The lawful interception tools developed by this company have been linked to several cases of privacy invasion by researchers and the media.

Reporters Without Borders has listed the company on its Enemies of the Internet index, due largely to Hacking Team’s business practices and its primary surveillance tool, Da Vinci.

It isn’t known who hacked Hacking Team; however, the attackers have published a Torrent file with 400GB of internal documents, source code, and email communications to the public at large.

In addition, the attackers have taken to Twitter, defacing the Hacking Team account with a new logo and biography and publishing messages with images of the compromised data.

Salted Hash will continue to follow developments and update as needed.

Update 1: Christopher Soghoian says that based on the Torrent’s file listing, Hacking Team’s customers include South Korea, Kazakhstan, Saudi Arabia, Oman, Lebanon, and Mongolia. Yet, the company maintains that it does not do business with oppressive governments.

Update 2: Researchers have started to post items from the released Torrent file. One such item is this invoice for 58,000 Euro to Egypt for Hacking Team’s RCS Exploit Portal.

Update 3: The video below is a commercial for Hacking Team’s top tool Da Vinci.

Update 4:

An email from a person linked to several domains allegedly tied to the Meles Zenawi Foundation (MZF), named after Ethiopia’s Prime Minister until his death in 2012, was published Sunday evening as part of the cache of files taken from Hacking Team.

In the email, Biniam Tewolde offers his thanks to Hacking Team for their help in getting a high value target.

Around the time the email was sent, which was eight months after the Prime Minister’s death, Tewolde had registered eight different MZF-related domains. Given the context of the email and the sudden appearance (and disappearance) of the domains, it’s possible all of them were part of a phishing campaign to access the target. Who the high value target is remains unknown.

An invoice leaked with the Hacking Team cache shows that Ethiopia paid 1,000,000 Ethiopian Birr (ETB) for Hacking Team’s Remote Control System, professional services, and communications equipment.

Update 5:

Hacking Team currently has, based on internal documents leaked by the attackers on Sunday evening, customers in the following locations:

Egypt, Ethiopia, Morocco, Nigeria, Sudan, Chile, Colombia, Ecuador, Honduras, Mexico, Panama, United States, Azerbaijan, Kazakhstan, Malaysia, Mongolia, Singapore, South Korea, Thailand, Uzbekistan, Vietnam, Australia, Cyprus, Czech Republic, Germany, Hungary, Italy, Luxembourg, Poland, Russia, Spain, Switzerland, Bahrain, Oman, Saudi Arabia, UAE

The list, and a subsequent invoice for 480,000 Euro, disproves Hacking Team’s claims that it has never done business with Sudan. According to Human Rights Watch, Sudanese security forces have repeatedly and violently suppressed protesters demonstrating against the government, with more than 170 killed in 2013.

Update 6: Is Hacking Team awake yet?

It’s 0100 EST, so sometime soon, as Krypton Security’s Khalil Sehnaoui put it, someone in Italy is about to have a very bad day.

Late Sunday evening, the Twitter account used by Hacking Team was defaced, and a link to a 400GB Torrent file was posted. The file contains a number of newsworthy items, particularly when it comes to the questionable business relationships between Hacking Team and nations that aren’t known for their positive outlook on basic human rights.

New developments in the Hacking Team incident include the release of a document outlining the maintenance agreement status of various customers. The document, shared by SynAckPwn with Salted Hash, lists Russia and Sudan as clients, but instead of an ‘active’ or ‘expired’ flag on their accounts, the two nations are listed as “Not officially supported”.

The list of clients in the maintenance tracker is similar to the client list provided in the previous update. It’s worth mentioning that the Department of Defense is listed as not active, while the Drug Enforcement Agency (DEA) has a renewal in progress. The document notes that the FBI had an active maintenance contract with Hacking Team until June 30, 2015.

The 2010 contract between Hacking Team and the National Intelligence Centre (CNI) of Spain was released as part of the cache. According to the records, CNI is listed as an active EU customer with a maintenance contract until 31 January 2016. At the time the contract was signed, the total financial consideration to Hacking Team was listed at 3.4 million Euros.

Hacking Team’s Christian Pozzi was personally exposed by the incident, as the security engineer’s password store from Firefox was published as part of the massive data dump. The passwords in the file are of poor quality, using a mix of easily guessed patterns or passwords that are commonly known to security engineers and criminal hackers. The websites indexed include social media (Live, Facebook, LinkedIn), financial (banks, PayPal), and network related (routers with default credentials).

However, Pozzi wasn’t the only one to have passwords leaked. Clients have had their passwords exposed as well, as several documents related to contracts and configurations have been circulating online. Unfortunately, the passwords that are circulating are just as bad as the ones observed in the Firefox file.

Here are some examples:

Update 7:

Among the leaked documents shared by @SynAckPwn are client details, including a number of configuration and access documents. Based on the data, it appears that Hacking Team told clients in Egypt and Lebanon to use VPN services based in the United States and Germany.