The Biter Bit: the Hacking Team Hacked

Photo credit U.S. Navy via Ars Technica

There’s a company in Italy whose business plan is selling computer network hacking tools. It calls itself “Hacking Team.” Generally it sells its malware to governments. Including a lot of pretty despicable governments. Countries like Egypt, Russia, Saudi Arabia, Bahrain, the United Arab Emirates, Azerbaijan, Kazakhstan, and Uzbekistan. But it makes sales to private companies, too. Pretty much anyone who can pony up the dough, on the evidence.

Oh, and to the United States. That’s right, the United States is a steady customer of an organization whose activities would be a felony if conducted in the U.S. Because, you know, hypocrisy. And exceptional.

And now the Hacking Team has itself been hacked. Some 400 gigabytes of Hacking Team data, files, financial records, passwords and products have been posted. The Hacking Team has been PWNed. As the data trove stolen from The Hacking Team is explored, there’s been a steady stream of stories revealing the embarrassing, felonious details of a corporate criminal’s business activities.

The hacktivists posted invoices from The Hacking Team to the Drug Enforcement Agency and the U.S. Army, among other branches of the federal government. Ars Technica reports,

The Drug Enforcement Administration (DEA) and the United States Army have almost certainly been buying questionable remote access hacking tools for years from an Italian company called Hacking Team, via an obscure American reseller called Cicom USA.

Hacking Team openly advertises what it calls its “Remote Control System,” (RCS) a piece of malware remotely installed on a target’s computer or smartphone. As the company touts: “Evidence collection on monitored devices is stealth and transmission of collected data from the device to the RCS server is encrypted and untraceable.”

The same sources report the FBI paid Hacking Team more than $773,226.64 since 2011 for services related to the Hacking Team product known as “Remote Control Service,” which is also marketed under the name “Galileo.”

If you or WC were to use this malware, we’d be staring at a sentence of 5-10 years in the federal pen. But, apparently, it’s okay if the government does it. Want to make a side bet whether or not the Feds are consistently obtaining search warrants before inflicting the malware on American citizens?

One of the officers of the Hacking Team had all of his passwords exposed in the data trove. Remember, The Hacking Team is in the business of hacking; you’d expect their people to have sophisticated passwords. Only not so much. Pozzi’s password was “Password.” Seriously.

Where does Hacking Team obtain the criminal tools it repackages and sells to governments like the United States? From Russians, among others. The 400GB data trove includes the email chain between Hacking Team CEO David Vincenzetti and 33-year-old Vitaliy Toropov of Moscow. Those emails detail the negotiations, including the purchase price, US$45,000. There’s even an invoice.

As hackers explore the 400GB data trove, it’s likely still more embarrassing details will come out. There are already frantic efforts by companies like Adobe to patch its Flash software to close holes that Hacking Team used for its exploits. But the picture that emerges is a group of marginally clever Italian hackers – admittedly less than clever in password selection – whose business model is serving as a middle man between seriously evil hackers and governments. It would be nice if Italy would indict the entire organization. But maybe that’s hoping for too much.

Hacking Team itself has released a statement deploring that it has been hacked.1 The statement says, in part:

Before the attack, HackingTeam could control who had access to the technology which was sold exclusively to governments and government agencies. Now, because of the work of criminals, that ability to control who uses the technology has been lost. Terrorists, extortionists and others can deploy this technology at will if they have the technical ability to do so.

Let WC translate that for you: “We deplore that our criminal tool is being given away to anybody instead of us selling it to them.” Hacking Team sold its malware to anyone who ponied up the money, including some of the most reprehensible governments on the planet. And the stuff has been in the wilds of the internet for years. WC isn’t going to bother to try and work up any sympathy for clowns who complain when they are bitten by their own strategic plan.

The message for the United States government is clearer: do business with crooks and you hang your credibility on the skills of the crooks. And it’s a bad bet.


  1. Irony is completely wasted on these guys. A hacking organization is hacked and they complain? Seriously?