Updated: Hackers blow the doors off Hacking Team, expose 400GB confidential data

Italy's Hacking Team, an alleged practitioner in the dark art of citizen surveillance, has reportedly been subjected to a severe hack itself.

Hackers
Hackers

It's not quite the Italian Job (“You were only supposed to blow the bloody doors off!”), but the attackers got away with the company's gold in the form of 400GB of confidential data, including source code, internal documents and emails.

According to the hackers, the data reveals lists of Hacking Team's customers, including a number of governments, and is available to anyone who wants to download the 400GB of data. Hacking Team has tweeted that the torrent link contains malware but other security experts have dismissed this claim as bogus.

Hacking Team was featured in Reporters without Borders' special edition, The Enemies of the Internet. “Hacking Team's ‘DaVinci' Remote Control System is able, the company says, to break encryption and allow law enforcement agencies to monitor encrypted files and emails (even ones encrypted with PGP), Skype and other Voice over IP or chat communication. It allows identification of the target's location and relationships. It can also remotely activate microphones and cameras on a computer and works worldwide,” it wrote.

A spokesman for Hacking Team told CNET in 2013 that the Reporters without Borders' claims were flawed. “We work to help make the Internet a safer place by providing tools to police organizations and other government agencies that can prevent crimes or terrorism,” the spokesman said. “On the issue of repressive regimes, Hacking Team goes to great lengths to assure that our software is not sold to governments that are blacklisted by the EU, the USA, NATO and similar international organizations or any ‘repressive' regime. Furthermore, we have created an external board to review potential HT sales, and this board has a veto over sales it deems illegal or unwise.”

Schadenfreude

The incident has left many commentators scratching their heads, wondering how a cyber-security company with a very prestigious client list that includes national governments and brand name corporations could itself become a victim like this.

Meanwhile, there's been waves of glee and celebration about the internet today, first when the news broke that 400GB of data had been exfiltrated from the company and then subsequent waves as various revelations emerged from an examination of the files and emails.

Countries that have been revealed as customers of Hacking Team include Australia, Azerbaijan, Bahrain, Chile, Colombia, Cyprus, Czech Republic, Ecuador, Egypt, Ethiopia, Germany, Honduras, Hungary, Italy, Kazakhstan, Luxembourg, Malaysia, Mexico, Mongolia, Morocco, Nigeria, Oman, Panama, Poland, Russia, Saudi Arabia, Singapore, South Korea, Spain, Sudan, Switzerland, Thailand, UAE, United States, Uzbekistan and Vietnam.

In a folder labelled “clienti" which one researcher found in the leaked files was a list of 109 brand-name companies including Vodafone, Barclays Bank, Coca-Cola, Gucci and Agfa.

Other revelations have included the company's authentication procedures. Industry experts have been quick to criticise Hacking Team for its poor password management practices, including the use of easily guessed passwords and storing user logins and passwords in spreadsheets. Examples of passwords allegedly used by the company staff include HTPassw0rd, Passw0rd!81, Passw0rd, Passw0rd!, Pas$w0rd, Rite1.!!.

The company has also been in correspondence with the United Nations which is investigating the sale of its software and services to Sudan which is subject to a UN arms embargo.

Meanwhile, Motherboard reported in April that the US Drug Enforcement Agency was a client of Hacking Team, buying spyware since 2012. According to USA Today, the DEA has been collecting phone records on Americans for more than 20 years, predating the NSA's bulk collection programme.

Graham Cluley commented: “It's questionable just how many intelligence agencies would want to use the services the firm now it has been so seriously breached.”

And he added: “The Hacking Team website, which does not appear to have been breached, currently says it is hiring new staff. However, you have to wonder if there will be much of a company left to join following the repercussions of this hack.”

Tod Beardsley security engineering manager, Rapid7, told SCMagazineUK.com, "I expect the next hours and days of independent researchers poring over the breach data will provide plenty of examples of what went wrong at Hacking Team. In these first hours, we're already seeing instances of where Hacking mismanaged the storage of customer data, including spreadsheets of per-user logins and passwords.”

Gavin Reid, VP of threat intelligence at Lancope, said: “If you play with fire you need your organisation to be flameproof. Given the nature of Hacking Team's business, it is not surprising they face concerted attacks. More surprising is that they fell victim to the compromise and then the data collection and exfiltration.

“It is strange no-one has taken credit to what looks like a hactivism event which normally the hactivist group use to further their agenda and the groups' publicity – leading to more speculation as to who may be behind it,” Reid said.