Hacking Team Spy Software Identified on U.S. Servers


Two U.S. companies - Linode of New Jersey and Rackspace of Texas - have been hosting surveillance software designed by Hacking Team of Italy, according to a new report. The software has allegedly been used by governments in Ethiopia, Morocco, Turkey and the United Arab Emirates to track dissidents.

"What we've tried to do here is unravel Hacking Team's labyrinthine hidden collection structure that they use to hide government spying globally," Morgan Marquis-Boire, a co-author of the report published by Citizen Lab at the University of Toronto, told the Washington Post.

According to research conducted by the Kaspersky Lab, an anti-virus company, Hacking Team sells technology that can be used to create emails to target suspects by inviting them to click on a link or attachment that then installs a spy tool called Remote Control System (RCS) on the target's computer.

RCS (also known as DaVinci) can then copy the Web browsing history of its targets, turn on their computer microphone and webcam to eavesdrop on them, as well as record their conversations on computer applications like Skype.

Citizen Lab identified 555 servers that have hosted RCS software since 2012 - 80 were hosted by Linode and 19 by Rackspace. Other companies that ranked high on the list were Telecom Italia with 32 servers and Santrex of the United Kingdom with 26. (The latter company shut down last September after being cited as among the top three hosts of malicious software.)

The researchers note that such hosting likely violates international law. "We doubt foreign governments using Hacking Team's RCS spyware seek permission from the US government to engage in surveillance of US-based targets, or to transmit surveilled data obtained elsewhere through US-based services," wrote the authors. "Without that consent, foreign governments using the RCS spyware in this manner wilfully flout the international legal principles of sovereignty and nonintervention."

Hacking Team has not denied the allegations. "Our clients do not use our tools to attack U.S. systems, but rather to perform surveillance on subjects of criminal investigations," Eric Rabe, the firm's chief communications executive, told the media in an email statement. "Much of the world's Internet traffic transits the United States, so it is no surprise that Citizen Lab would find servers in this country carrying all manner of Internet traffic including that of various criminals and terrorists."

Rackspace told the Washington Post that if the allegations were true, they "would definitely violate our policies" while Linode has promised to investigate.

Hacking Team has previously come under fire for the alleged use of its software in Ethiopia, Morocco, Turkey and the UAE.

The most recent incident was the targeting of Ethiopian Satellite Television Service (ESAT), an independent news outlet that broadcasts reports critical of the Ethiopian government, mostly from its offices in Alexandria, Virginia.

On December 20, 2013, an attacker who used the name Yalfalkenu allegedly made several attempts to steal files and passwords as well as to intercept Skype calls and instant messages from two ESAT journalists by asking them to open a fake document that contained a virus designed by Hacking Team.

In Morocco, Mamfakinch, a citizen journalist group that was created during the 2011 Arab Spring, believes that it was targeted with a "backdoor" attack by software that is identical to Hacking Team's RCS system, according to an analysis by Dr. Web, an anti-virus company. Slate Magazine described how the organization's computers were infected by spy software after members opened an email titled "Dénonciation" (denunciation) that contained a link to what appeared to be a Microsoft Word document labeled "scandale (2).doc" alongside a single line of text in French, which translates as: "Please do not mention my name or anything else, I don't want any problems."

And Wired magazine recently published details of an attack on a U.S. activist who was sent an email about Turkey that appeared to come from a trusted colleague at Harvard that "referenced a subject that was a hot-button issue for the recipient, including a link to a website where she could obtain more information about it." Although she did not click on the email, Arsenal Consulting, a digital forensics company, analyzed the link and discovered that it too contained RCS attack software.

Citizen Lab has also identified emails sent to Ahmed Mansoor, a UAE human rights activist, that were also allegedly designed with Hacking Team software. Mansoor was a member of a group of activists who were imprisoned from April to November 2011 on charges of insulting an Emirati royal family. He told Bloomberg that he was identified and then beaten after he clicked on an email that contained a Microsoft attachment that infected him with the spy software.

Hacking Team has previously informed CorpWatch that the company strictly follows applicable export laws and other regulations and only sells its products to governments or government agencies.

"The point that is generally missed in discussions like this is that the world is a dangerous place, with plenty of criminals and terrorists using modern Internet and mobile technologies to do their business, and that threatens us all," Eric Rabe, the general counsel of Hacking Team, wrote. "We firmly believe that the technology we make available to government and law enforcement makes it harder for those criminals and terrorists to operate."

Rabe said that his company also understands the potential for abuse of their products, so they review customers before a sale to determine whether or not there is "objective evidence or credible concerns that Hacking Team technology provided to the customer will be used to facilitate human rights violations."

The company also notes that their products have an auditing feature that cannot be turned off so that agencies can check how and when surveillance occurs. "Of course, HT cannot monitor the use of our software directly since clients must have the ability to conduct confidential investigations," Rabe adds. "Should we suspect that abuse has occurred, we investigate. If we find our contracts have been violated or other abuse has occurred, we have the option to suspend support for the software. Without support, the software is quickly rendered ineffective."

Rabe says that Hacking Team did investigate "the Morocco and UAE assertions" but he was not able to comment since the company "does not share the results of such investigations nor do we publish whatever actions we may subsequently take."
