Hacking Team hacked, 400GB+ of company documents and emails leaked

Hacking Team, the (in)famous Italian company that provides offensive intrusion and surveillance software to governments, intelligence and law enforcement agencies around the world, has been hacked.

The unknown attackers have not only managed to steal the company’s data, but they have also decided to share it with the world. After hijacking Hacking Team’s official Twitter account (and changing its name into “Hacked Team”), they tweeted a link to a 400GB+ torrent file containing the company’s internal emails, files and source code.

Hacking Team is considered to be a “corporate enemy of the Internet” by French-based international NGO Reporters Without Borders, who believe that the company provided its remote control system called DaVinci to authoritarian regimes and governments that don’t have a good track record at respecting human rights and freedom of the press.

The company has always maintained that they have a rigorous vetting program that prevents just that.

Researchers from Russian AV company Kaspersky Labs and the Citizen Lab of the University of Toronto also found evidence that points to Hacking Team’s surveillance tools being used by a number of governments to target political targets. And other instances of the DaVinci tool being used to spy on dissidents have been recorded.

The leaked data is already being analyzed by Eva Galperin, global policy analyst at the Electronic Frontier Foundation, Christopher Soghoian, principal technologist at the American Civil Liberties Union, and others, and they are publishing their findings on Twitter – as are the hackers who hit the company.

According to the documents, the company has been selling their surveillance software to governments of Ethiopia, Sudan, Russia, Saudi Arabia, and so on, to spy on journalists and activists.

“Hacking Team’s Christian Pozzi was personally exposed by the incident, as the security engineer’s password store from Firefox was published as part of the massive data dump,” reports Steve Ragan. “The passwords in the file are of poor quality, using a mix of easily guessed patterns or passwords that are commonly known to security engineers and criminal hackers. The websites indexed include social media (Live, Facebook, LinkedIn), financial (banks, PayPal), and network related (routers with default credentials).”

Pozzi’s Twitter account has also been hijacked just a few hours ago, after he wrote that “a lot of what the attackers are claiming regarding our company is not true” and asked to public to stop spreading “false lies” about the services the company offers.

According to Ragan, he also threatened security researchers with jail for revealing his passwords that were leaked along with the company’s documents, and claimed that the torrent file leaked by the hackers contains a virus (it doesn’t).

“Hacking Team appears to have committed two of the classic mistakes in security: Never use simple passwords and never reuse passwords. For a security company that’s this high profile, there’s no excuse for these sins. We don’t know yet how the attackers got into HT’s systems, but given the poor passwords that have been revealed in the documents, it could have been as simple as brute-forcing the passwords on a few system,” Martin McKeay, Akamai senior security advocate, commented for Help Net Security.

“The other major mistake made by HT was not noticing that 400Gb of data was leaving their systems. Extrusion detection for an organization that specializes in malware and monitoring should be one of the defenses they concentrate on, because it’s what other people would use to detect their tools. Expect your tools to be used against you is a basic warfare tenet.”

“The politics of who is a client of HT should make for some interesting fallout. For an organization that continually stated they didn’t deal with oppressive governments, there’s an amazing number of exactly that type of government in their client list. How other governments react will make for interesting reading,” he concluded.

UPDATE: Hacking Team’s Twitter account is back in the company’s hands, the hackers’ tweets have been deleted. The company’s website is currently offline. Pozzi’s Twitter account no longer exists.

We have a roundup of reactions live here.