A Company That Sells Surveillance Software to Authoritarian Regimes Got Hacked Itself

Dark web meets dark web.

Hacking Team is an Italian company that sells surveillance tools and vulnerability exploits to governments. It is notorious for allegedly doing business with repressive regimes, though the company denies this. On Sunday, however, Hacking Team itself was hacked, and now 400 gigabytes of internal communications and documents are floating around the Web.

CSO Online reports that the hackers renamed the company’s Twitter account “Hacked Team,” started posting about specific documents, and generally made it known that the company had been pwned. One document indicates that Hacking Team made a deal with a middleman to export spyware to Nigeria. Another is a $532,000 contract from July 2, 2012, with Sudan’s national intelligence service. The Guardian reports that Hacking Team told the Italian U.N. representative in January 2015 that it didn’t have current ties to Sudan. (It’s unclear what the company said when asked about past dealings.) A 2014 Citizen Lab report had also shown that the Sudanese government was using Hacking Team’s “Remote Control System.”

CSO has created a long list of associations between Hacking Team and various governments based on the leaked documents. It includes: Egypt, Ethiopia, Morocco, Nigeria, Sudan, Chile, Colombia, Ecuador, Honduras, Mexico, Panama, the United States, Azerbaijan, Kazakhstan, Malaysia, Mongolia, Singapore, South Korea, Thailand, Uzbekistan, Russia, Vietnam, Australia, Cyprus, Czech Republic, Germany, Hungary, Italy, Luxemburg, Poland, Spain, Switzerland, Bahrain, Oman, Saudi Arabia, and the United Arab Emirates.

In 2013, Reporters Without Borders named five companies “Corporate Enemies of the Internet,” including Hacking Team. The report called the five “digital era mercenaries,” and said, “They all sell products that are liable to be used by governments to violate human rights and freedom of information.” And in 2014 the Intercept published manuals for Hacking Team’s Remote Control System software. Intercept reporters Cora Currier and Morgan Marquis-Boire wrote, “With a few clicks of a mouse, even a lightly trained technician can build a software agent that can infect and monitor a device, then upload captured data … all without leaving a trace.”

Now the company is getting a taste of its own medicine. Hacking Team employee Christian Pozzi commented to CSO on Monday morning:

We are awake. The people responsible for this will be arrested. We are working with the police at the moment. … Don’t believe everything you see. Most of what the attackers are claiming is simply not true. … The attackers are spreading a lot of lies about our company that is simply not true. The torrent contains a virus.

Pozzi reiterated many of these points on his Twitter account before it was hacked and then deleted.

The documents haven’t been definitively verified, but the trove the hackers shared is extensive and even includes screencaps that appear to be of employees’ computer screens. Four hundred gigabytes of data might not even sound like a lot if your computer has a 500-gigabyte hard drive and you have a 1-terabyte external drive (plus a PlayStation 4 and on and on). After all, North Korea gathered roughly 100 terabytes’ worth of documents in the Sony hack. But the “Guardians of Peace” only actually released a few hundred gigabytes, and that was plenty—just ask Sony employees.

For Hacking Team, 400 gigabytes would be more than enough to shed some light on the spyware and exploits the company sells … and to whom.