A dramatic breach at an Italian surveillance company has laid bare the details of government cyberattacks worldwide, putting intelligence chiefs in the hot seat from Cyprus to South Korea.
The massive leak has already led to one spymaster's resignation and pulled back the curtain on espionage in the iPhone age.
- Hackers break into network of snooping-software maker
- Adobe Flash exploit revealed by attack on Hacking Team
More than one million emails released online in the wake of the July 5 breach show that the Milan-based company Hacking Team sold its spy software to the FBI and to Russian intelligence. It also worked with authoritarian governments in the Middle East and pitched to police departments in the American suburbs.
It even tried to sell to the Vatican — all while devising a malicious Bible app to infect religiously minded targets.
"It's a mini-Snowden event," said Israel-based security researcher Tal Be'ery, likening the impact of the leak to the publication of top secret NSA documents by former intelligence worker Edward Snowden.
Be'ery said he, like others, had long suspected the world's security agencies of hacking but was struck by "the ubiquity of it — used on all continents, by both democracies and dictatorships."
Hacking Team's spyware was used by a total of 97 intelligence or investigative agencies in 35 countries, according to South Korean National Intelligence Service chief Lee Byoung Ho, who briefed legislators Tuesday after it became clear his organization used the technology.
Eric Rabe, the Hacking Team spokesman, said Thursday the company had about 50 clients, but it's not clear whether those include resellers. Rabe acknowledged doing business with Russia and Sudan but said its sales were "in accordance with regulations that were in effect at the time."
Bills from Hacking Team to Sudan's intelligence service and a Russian arms conglomerate have critics — including a European parliamentarian — asking whether the company flouted international sanctions. A client list that includes Uzbekistan, Egypt and Azerbaijan has reinforced worries from groups such as Privacy International that the spyware is being used to silence dissidents.
And "we-love-your-stuff" emails from sheriffs, police and prosecutors suggest local law enforcement is eager to give the program a test drive.
CEO David Vincenzetti told La Stampa newspaper that his spyware is used to fight terror and "root out lone wolves."
Hacking Team's spyware is called Remote Control System and is delivered to targets through a mix of malicious links, poisoned documents and pornography, the emails show. Booby-trapped programs could be tailored to targets of any persuasion. Some messages appear to show Hacking Team working on apps named "Quran" and "DailyBible."
Once secretly installed, the spyware acts as a track-anything surveillance tool.
The emails show Kazakhstan's spy agency trying to suck chat histories from a target's Samsung smartphone and Saudi Arabia's Interior Ministry using an infected handset as a tracking beacon. They also show Mongolia's anti-corruption authority trying to steal a target's Facebook password by logging his keystrokes and Czech police at work turning a BlackBerry's microphone into an ad-hoc listening device.
Vincenzetti told La Stampa the spyware even had the ability to automatically take pictures of people's faces as they picked up their phones.
Mexico is a particularly aggressive user of the technology, according to a leaked client list. In Ecuador, evidence that Hacking Team's spyware was used by the country's SENAIN spy agency has caused an uproar.
Senior police and intelligence figures have been quizzed about Hacking Team by lawmakers in Italy and the Czech Republic. Revelations that the Cyprus Intelligence Service has been secretly using the spyware prompted the resignation of the agency's boss, Andreas Pentaras, over the weekend.
Exact methods secret
The targets of all this spying are rarely made explicit. But in one of the leaked emails, dated last Dec. 15, Vincenzetti suggested he sometimes has a pretty good idea who is being hacked.
"I usually get a call from, say, the head of Italian Police's deputy and he tells me: 'Congratulations, Mr. Vincenzetti!' I tell him: 'Thank you, sir, may I ask you what are you referring to?' 'I am talking to what you will read tomorrow morning on the front pages of all the newspapers!' he laughs. And he hangs up. And the day after I read that a Mafia boss has been finally arrested, that an apparently impossible investigation mystery on a savage assassination has been finally solved and the murderer arrested, etc."
Authorities "never disclose how they did it because they want to protect our technology and they want to protect us," Vincenzetti said.
For researchers like Be'ery, the leak has provided unprecedented insight into how governments hack. For human rights workers, it has confirmed their fears about state surveillance.
And for past victims of Hacking Team's software — people like prominent Emirati blogger Ahmed Mansoor — the leak has provided a dose of schadenfreude.
"They can at least understand how it feels to encroach into somebody's privacy," he said.