When Hackers Got Hacked !

Posted on by

the dark SecretS of Hacking Team THAT REACHED THE SMALL ISLAND OF Cyprus 
Hacking Team Logo

Anything is ‘hackable’ and so the irony becomes even more apparent nd the title hackers got hacked. This week’s news were dominated by the leaks of Hacking Team, the aftermath of a total compromise of their internal network by unknown hackers more than 400GB of sensitive raw data are now publicly available on the internet. A quick glance on the material showed source code of their exploits, receipts, client communication and company’s spreadsheets exposing the company’s lovely guarded skeletons to anyone is techie enough to just Google the right words!

Cyprus Delivery Report

Delivery Report on the equipment sold to Cyprus Intelligence Service

Hacking Team Controversy

The Hacking Team has been on the centre of bad publicity since early 2014 when CitizenLab accused the Italian company for selling surveillance equipment to oppressive regimes [3]. At the time HT denied any involvement, however today’s leaks show that Nigerian government was in their list along with Saudi Arabia, Uzbekistan, Sudan, Morocco and Turkey classified as the worst human right violators in the international community. The infamous company was openly marketing for government agencies and law enforcement by offering them customised solutions to bypass encryption and intercept data; often stepping into a grey area.

One of their latest products was branded as “Remote Control System Galileo” and gave the power to the adversary to exploit at least 2 different 0-day vulnerabilities in Flash (CVE-2015-5119, CVE-2015-5122 and CVE-2015-5123) to compromise and potentially take over Windows, Linux and OS X machines. According to the latest updates, their most common attack vector was a Microsoft Word (.doc) format file that silently loads an Adobe Flash in the background compromising the victim’s computer.

HT team Advertisement for Remote Control System, Galileo targeting state agencies

Angry Agents all over the World

As Business Insider reported Hacking Team has been advising its customers to disable their software stop any activities immediately as their exposed to a risk [2]. Moreover to add more confusion, sources report that their equipment was purposely backdoored and watermarked which means not they could remotely control the customer’s target machine but they could also access the outcome of any ongoing surveillance [2]. I am almost certain that this kind of ‘features’ were not communicated to their customers and as Bruce Scheiner said it’s not very pleasant to make international secret agencies upset [1]!

Cyprus, the Island for all Seasons !  <— shameless advertisment!

Among the thousands of files leaked, a client list containing the Cyprus Intelligence Service as a client, purchasing services from the Italian hackers since 2012. Financial statements record a total amount of 375,000 euros were paid by the Cypriot government to acquire state of the art surveillance malware for surveillance purposes. A licence for 5 instances of Remote Control System Galileo seems to be sold to CIS for Windows and Android targets along with maintenance and customisation services.

HT Spreadsheet

The 1st instalment of €70,000 from a total of €375,000 contract with HT

As a result of a few published articles and media coverage on the topic, citizens became concerned about two specific issues. I would try to give my view on the issue without trying to pretend I am a legal expert and focusing more on the technical aspect of the issue.

Q: Is surveillance conducted by Cyprus Intelligence Service legal?

The country’s constitution is based to the Common English Law and since 1960’s independence, it went through minimal ratifications over the years. In 2010, the 6th amendment substituted Paragraph 2 of article 17 gave the power to the law enforcement to intercept any communication after asking the permission of the attorney-general. However since 2010 no laws were voted from parliament to describe in detail how the surveillance should take place and what safeguards should be enforced to prohibit the excessive use of that right from the state.

2. Paragraph 2 of Article 17 of the Constitution is hereby substituted with the following new paragraph:

«2. There shall be no interference with the exercise of this right, unless such interference is permitted in accordance with the law, in the following cases:

A. Of convicted or unconvicted prisoners.

B. Following a court order issued pursuant to the provisions of the law, upon an application by the Attorney-General of the Republic, and interference shall constitute a measure which is necessary in a democratic society only in the interests of the security of the Republic or for the prevention, investigation or prosecution of the following serious criminal offences:

(a) Premeditated murder or homicide,

(b) trafficking in adult or minor human beings and offences relating to child pornography,

(c) trade, supply, cultivation or production of narcotic drugs, psychotropic substances or dangerous drugs,

(d) offences relating to coin or bank note of the Republic,

(e) and offences relating to corruption in respect of which, in case of conviction, a sentence of imprisonment of five years or more is provided.

C. Following a court order issued in accordance with the provisions of the law, for the investigation or prosecution of a serious criminal offence in respect of which, in case of conviction, a sentence of imprisonment of five years or more is provided and the interference concerns access to relevant electronic communication data of movement and position and to relevant data which are necessary for the identification of the subscriber or and the user».

The Sixth Amendment of the Constitution Law of 2010

Q: Is the state conducting mass surveillance on Cypriot people?

Going through the recent revealations, I haven’t found any evidence that shows that this specific type of malware is used or can be used to do mass surveillance in the context that NSA or GCHQ operations are taking place. Moreover, Cyprus Intelligence Service does not have the resources and knowledge to conduct large scale of operations in that magnitude. In contrast, the attack vector used and the way it was deployed in the field demonstrates that targets were valuable individuals. All attack vectors have to be combined with social engineering techniques and require some or at least little user interaction such as browsing an evil website, opening a malicious document or email. In the case however where field agents could actually approach the target and obtain physical access to the device then the attack can occur through an infected USB device. Nevertheless, there is no evidence until now that indicate a mass surveillance operation being conducted.

Cyprus Intelligence Service most probably utilised this weaponised exploits against high profile targets to gather information in the context of anti-terrorist, anti-drug trafficking and national security operations.

IMPACT ON Cyprus Intelligence Service

  • Head of Intelligence, Mr. Andreas Pentaras resigned.
  • A significant amount of funding, for buying surveillance equipment is lost.
  • Details on surveillance operations and infrastructure including a list of hardware is published.
  • Employee’s Names, Phone numbers, Postal Addresses and emails are burned.
  • HT’s software was watermarked which allowed the Italians to remotely switch off the connection and even snoop on the data collected. It was risk that th

Concluding, I would like emphasise that is a common practice for state agencies to acquire such tools and the recent news is no surprise in the InfoSec community. Moreover I would urge the authorities to invest more in such technologies and employ them wisely and lawfully only to protect their citizens and never against them. National Security should be their highest priority and since Republic of Cyprus has a critical geostratigic position in eastern Mediterranean it would be foolish to ignore the evolution of technologies and the advantage which offensive security has to offer.

 

*** Although the Files are publicly available on the internet, sensitive information were deducted from all documents presented here to protect the interest of all the parties involved. 

 

References:

[1]   “More on Hacking Team”, Schneier Bruce, Schneier.com, July 2015 – https://www.schneier.com/blog/archives/2015/07/more_on_hacking_1.html

[2]   “The hacked surveillance company with alleged ties to Russia and the Sudan is reportedly in crisis mode”, Cale Gutherie Weissman, Business Insider, July 2015 – http://uk.businessinsider.com/hacking-team-reportedly-in-crisis-mode-telling-clients-to-stop-using-its-software-2015-7?r=US

[3] “Mapping Hacking Team’s “Untraceable” Spyware”,Bill Marczak, Claudio Guarnieri, Morgan Marquis-Boire, and John Scott-Railton, CitizenLab ,Feb 2014 – https://citizenlab.org/2014/02/mapping-hacking-teams-untraceable-spyware/

[4] “Briefing for the Italian Government on Hacking Team’s surveillance exports”, PrivacyInternational.org, Edin Omanovic, April 2015 – https://www.privacyinternational.org/sites/default/files/Briefing%20for%20the%20Italian%20Government%20on%20Hacking%20Team%27s%20surveillance%20exports.pdf