Researchers at The Citizen Lab, an interdisciplinary laboratory based at the University of Toronto in Canada, have been investigating the spyware for months and have now mapped out where exactly it strikes.
Detailing its findings in its second report on the matter, the group reveals that the spyware has been marketed and sold exclusively to governments by Milan-based Hacking Team for over two years, and adds that the product – which has been used to attack Moroccan media outfit Mamfakinch, UAE human rights activist Ahmed Mansoor and Ethiopian journalists more recently – is advertised as being “untraceable” to a specific government operator.
Hacking Team promotes its flagship product, RCS7, as a “hacking suite for governmental interception”, while the follow-up RCS8 is billed as a “suite of remote monitoring implants” sold to governmental agencies. Both are able to capture data locally from infected devices: copying files from the hard drive, recording Skype calls and instant messages, harvesting browser passwords, and switching on the device's webcam and microphone. The target does not even need to be connected to the internet for this capture to take place.
RCS preys on exploits – researchers even claim that commercial suppliers, including Vupen of France, may have supplied Hacking Team customers with exploit details since 2012 – and avoids detection by routing exfiltrated data through four different proxy servers across the world. Despite all this, researchers say that the spyware is traceable after all.
“Our research reveals that the RCS collection infrastructure uses a proxy-chaining technique, roughly analogous to that used by general-purpose anonymity solutions like Tor, in that multiple hops are used to anonymize the destination of information,” reads the report. “Despite this technique, we are still able to map out many of these chains and their endpoints using a specialized analysis.”
The Citizen Lab has found that 21 governments are past or present users of RCS: Azerbaijan, Colombia, Egypt, Ethiopia, Hungary, Italy, Kazakhstan, Korea, Malaysia, Mexico, Morocco, Nigeria, Oman, Panama, Poland, Saudi Arabia, Sudan, Thailand, Turkey, the UAE and Uzbekistan.
As researchers point out, nine of these countries received the lowest ranking – “authoritarian” – in The Economist's Democracy Index two years ago, while current users Egypt and Turkey are troubled by domestic protests.
Since the report, Hacking Team – perhaps taking PR tips from the NSA – has been keen to stress that its software is only for fighting crime and terrorism, and is not sold to repressive regimes or to countries blacklisted by the EU, the USA and NATO.
“We have established an outside panel of technical experts and legal advisers, unique in our industry, that reviews potential sales. This panel reports directly to the board of directors regarding proposed sales,” said the firm in a statement recently.
However, the Citizen Lab contests this and points to numerous examples.
It notes activity from an RCS endpoint in Azerbaijan between June and November last year, and tentatively suggests that techniques similar to those described above could have been used to compromise investigative reporter Khadija Ismayilova in the lead-up to the national election. In addition, Human Rights Watch reportedly saw Kazakhstan government critics fade away on anti-torture measures while an RCS endpoint was active in the country. Activity has also been strong in Italy, the home country of Hacking Team.
Summarising its findings, the Citizen Lab researchers acknowledged that most of this hacking may be legally sanctioned, and noted some alignment between the companies that sell exploit kits and those that sell surveillance Trojans. But they added that some of this hacking is most likely “abusive” and “unaccountable”.
“Hacking Team has made a number of statements that seem intended to reassure the public, as well as potential regulators, that they conduct effective due diligence and self-regulation regarding their clients, and the human rights impact of their products,” said the research team in a statement.
“They also market their RCS product as untraceable. Our research suggests that both of these claims ring hollow.”