Hacking Team, a notorious Italian based company that develops and sells surveillance technology to governments worldwide, has been breached. The attackers have leaked over 400 gigabytes of emails, files and source code allegedly taken from Hacking Team. It contains sensitive information allegedly obtained from the company’s systems.
Hacking Team offers lawful interception services tools, which the company calls “offensive technology,” to law enforcement and intelligence agencies from all over the world including Australia.
Given the amount of data leaked it appears the attackers has access to their systems for quite some time. Some of the emails show that the United Nations has been investigating the reported sale of Hacking Team’s surveillance tools to Sudan. It also shows they have customers in Saudi Arabia, Lebanon, Egypt and Mongolia. The company denies any involvement with Sudan and has long asserted that it does not sell to oppressive governments , however the leaked emails seem to suggest otherwise.
Spreadsheets contained in the data dump also show the AFP paid for unspecified, offensive-use products from Hacking Team twice: once in November 2009 (A$126,525) and again in February 2010 (A$234,980) at a total of A$361,505.
The breach came to light early on Monday 6th Jul when someone hijacked Hacking Team’s Twitter account and started publishing screenshots apparently representing emails sent and received by the company’s employees. The screenshots show emails regarding DNS issues suffered by Hacking Team in March 2014 due to its service provider, commentary on reports from Citizen Lab and other researchers, and communications related to human rights investigations.
Christopher Soghoian, principal technologist at the American Civil Liberties Union (ACLU), analyzed some of the leaked files and identified a document that apparently shows every one of Hacking Team’s customers and the revenue they have generated. The document reveals that Ethiopia paid $1 million for surveillance software, while the government of Chile signed the largest contract to date, worth $2.85 million.
The company’s Twitter account still appears to be controlled by the attackers at the time of publishing. Hacking Team’s Christian Pozzi said on Twitter that the breach has been reported to law enforcement authorities and that the people responsible for the attack will be arrested.
The Hacking Team representative says they are in the process of notifying all customers about the breach. Pozzi’s Twitter account was also hijacked minutes before this article was published.
This incident should serve as a warning to everyone that attention to detail in the IT security business are mandatory, not optional.