Fireworks of a different kind rocked the security world this Fourth of July weekend, when news surfaced that hackers breached Hacking Team, an Italy-based firm that develops malware for sale to governments and law enforcement. The attackers exposed 400 GB of data stolen from its servers, including sales records, according to reports.
“It appears [Hacking Team] were compromised through social engineering, and data was exfiltrated via a system administrator’s laptop,” said Jonathan Cran, VP of Operations at Bugcrowd.
This type of breach “is a common scenario — and, as an Internet-connected company, they too are potentially vulnerable to attackers,” he told the E-Commerce Times.
What Was Stolen
Hacking Team makes spyware to infiltrate desktops and mobile devices, and to seize instant messages, text messages, phone call records and other data, while evading most antivirus products.
The stolen data, which was posted on the Internet, reportedly includes executive emails, customer invoices and source code.
The hackers also hijacked Hacking Team’s Twitter feed for 12 hours and used it to distribute samples of the stolen files.
One document reportedly suggests Hacking Team has been stonewalling a year-long United Nations investigation into its sales to various governments.
“What is alarming is that this sophisticated malware developer couldn’t protect this type of high-tech intellectual property,” Darren Hayes, director of cybersecurity at Pace University’s Seidenberg School of CSIS, told the E-Commerce Times.
Hacking Team used weak passwords, including the word “password,” some reports claimed.
A Black Bag Job?
“It could be that some government agency who’s a customer of Hacking Team decided to discredit them and force them to close their doors,” said Sorin Mustaca, founder of Sorin Mustaca IT Security Consulting.
“These special customers don’t like to leave traces of their acquisitions,” he told the E-Commerce Times.
Selling to Repressive Regimes, Oh My!
Eva Galperin of the Electronic Frontier Foundation tweeted a list of Hacking Team’s customer base, which includes oppressive regimes with little regard for human rights, such as the government of Sudan.
The authenticity of the list needs to be verified, but “what I find amusing is the reaction to the type of clients on the list,” remarked Igor Baikalov, chief scientist at Securonix.
“Sudan and Kazakhstan caused a righteous uproar because they’re considered repressive regimes, [but] the revelation that the United States, Germany and Australia buy the products to spy on their own citizens is accepted as a matter of fact,” he told the E-Commerce Times.
Still, Hacking Team “is not in any way an example of the cybersecurity industry as a whole,” pointed out Richard Blech, CEO at Secure Channels.
“Cybersecurity companies are for profit as much as any other, but the industry as a whole has integrity and cares about defending against cybercrime,” he told the E-Commerce Times.
Fallout in the United States
“Hacking Team is the Blackwater of the cyberwarfare era,” said John Gunn, VP at Vasco Data Security.
“Third parties who provide the tools and training to conduct illegal activities must be held to the same level of accountability as those using the tools,” he told the E-Commerce Times.
Sen. Chuck Grassley asked the Federal Bureau of Investigation for details about its spyware programs.
In a move possibly related to the Hacking Team revelation, FBI director James Comey on Monday argued in the Lawfare blog that it’s necessary for governments to monitor citizens’ communications under appropriate circumstances and with appropriate oversight.
However, the FBI, the NSA, and other government agencies repeatedly have conducted such surveillance without warrants — or in some cases, have lied to obtain them.
Let There Be Light
“The details disclosed … provide insight into a previously difficult-to-characterize economy around custom exploit development,” Tim Erlin, director of IT security and risk strategy at Tripwire, told the E-Commerce Times. “This data will provide fuel to privacy organizations to ask difficult questions of government agencies around the world.”