A highly secretive firm, Hacking Team is known for developing some pretty frightening surveillance technology. Its spyware, known as Remote Control System, allows customers to (you guessed it) remotely control computer webcams and cellphone mics, as well as monitor the keystrokes of any target in the world.
The company sells its technology to governments around the world, including the US. Documents released on Sunday prove what was already strongly suspected: that the FBI, DEA, and US Army all purchased the controversial software. The company was also in negotiations with the CIA, the New York Police Department, and Immigration and Customs Enforcement.
But the documents also reveal something even more surprising: Hacking Team wasn’t as secure as it believed.
"Lol our wannabe competitor got hacked, hope that doesn’t happen to us," Hacking Team CEO David Vincenzetti wrote of FinFisher, a rival company which lost 40 gigabytes worth of internal data in 2014.
Hacking Team, by comparison, lost nearly 400 gigabytes worth of data Sunday night. According to inside sources speaking to Motherboard, the company is now rapidly warning customers to shut down all computer systems running the Remote Control System.
"They’re in full-on emergency mode," the source said, adding that whoever hacked the company is believed to have gotten "everything."
"The hacker seems to have downloaded everything that there was in the company’s servers," the source said. "There’s pretty much everything here."
That includes, for one, the company’s client list, but the breach also means the hackers could have remote access to the individual systems bought by those clients.
"With access to this data it is possible to link a certain backdoor to a specific customer," the source said. "Also there appears to be a backdoor in the way the anonymization proxies are managed that allows Hacking Team to shut them off independently from the customer and to retrieve the final IP address that they need to contact."
Given Vincenzetti’s faux concern for FinFisher, one would think that Hacking Team would have a robust security apparatus. But insiders note that the company had appallingly low regard for cyber protection, even failing to encrypt confidential information.
A particularly surprising setup for a company whose products are designed to bypass encryption.
"I did not expect a breach to be this big, but I’m not surprised they got hacked because they don’t take security seriously," the source told Motherboard.
At this time, the company believes hackers broke into the system through the computers of two systems administrators, Christian Pozzi and Mauro Romeo. Inexplicably, both of these individuals had unfettered access to Hacking Team’s entire system. Pozzi, for one, had only been with the company for slightly over a year.
"How can you give all the keys to your infrastructure to a 20-something who just joined the company?" the source added.
The reaction from Hacking Team’s customers is likely to be swift. The leaked emails show that the FBI has been using Remote Control System since 2011, but the Bureau has tried to keep its use of malware under the radar, and the data breach will likely make officials uneasy about continued cooperation.
Leaked emails also detail the purchase of the spyware by the US Drug Enforcement Agency, which bought the Remote Control System to use in conjunction with the Colombian government.
"[The DEA] will be administrator of the system, while the locals will be collecting the data," an email reads. "They are saying if this works out, they will bring it to other countries around the world. Already they are speaking of El Salvador and Chile."
The use of surveillance spyware by US law enforcement has also left many concerned about privacy.
"As with so many other surveillance technologies that were originally created for the military and intelligence community, they eventually trickle down to local law enforcement who start using them without seeking the approval of legislators," Christopher Soghoian, principal technologist of the American Civil Liberties Union, told the Intercept.
"…and, in many cases, keeping the courts in the dark too," he added.
With Hacking Team’s slack security, private information may have trickled even further down, and is in the hands of an as-yet-unidentified hacker. The company has promised a swift investigation into who compromised its systems, but the damage may have already been done.