Behind the curtain of the Hacking Team hack

The world watched on as Hacking Team was publicly stripped and flogged—virtually at least—over the last couple days. My colleague Steve Ragan covered the unfolding events in exquisite detail and today the dust continues to settle as we sift through the 400GB of leaked data and find the salacious, juicy tidbits.

It does seem like Hacking Team has some explaining to do regarding its client list. The leaked data lists a number of oppressive nations as customers despite Hacking Team’s very vocal claims that it does not do business with such governments. Aside from the obvious discrepancy between Hacking Team’s assertions and the list of clients leaked from this hack, though, is there really anything to “hang” Hacking Team for?

For example, just because Saudi Arabia is listed as a client does that mean the Saudi Arabian government itself is the client? If so, which department or office? Or, is it possible that it just means Hacking Team has customers in that country, which may or may not be the actual government itself? I have not studied the leaked data personally, so perhaps those questions answer themselves if you just review the data.

The software itself isn’t the problem. This type of surveillance / monitoring tool is widely used. According to Craig Young, security researcher at Tripwire, “These tools could be used by a private corporation to monitor employees. For example, a company concerned about employees stealing trade secrets may pre-load employee computing devices with monitoring software. It could also be the case that some companies would like to glean information from competitors. In some cases the software may also be used to gain intelligence on customers like a bank validating whether funds are coming from an illegal enterprise.”

“It could be just as simple as a client of a company that delivers network monitoring software for internal use. Whether that’s for internal use or to warn of a potential hack, all the hype around the Hacking Team is to do with “bad” software that put them on the map. They had to start somewhere and this client list makes no indication of exactly what does and does not make them a client for,” explained Mark James, security specialist at ESET.

Ultimately, if Hacking Team is dealing with shady governments or customers it’s certainly not unique or alone. If it wasn’t Hacking Team then some other developer would step in to fill the void. We’ve entered into an era of unbridled cyber espionage, bordering on cyberwar, and security vendors like Hacking Team seem to have emerged as the mercenary arms dealers of the digital battlefield.

“One important take away from all of this is that governments around the world are focusing their resources on offensive techniques,” notes Mark Kraynak, chief product officer at Imperva. “Ironically, this means they are doing many of the same things — building malware and surveillance tools similar to spyware — that the “bad” guys are doing but for different purposes. Also ironically, it means that the incremental exposure represented by this breach might not actually be so big, as the “bad” guys already are doing many of the same things.”

Kraynak points out that in the end it really means that businesses and individuals are left to their own devices to defend themselves. Unfortunately the only place to turn is to the same developers and security vendors that are selling the surveillance tools in the first place.