[liberationtech] Mapping Hacking Team’s “Untraceable” Spyware

Ronald Deibert r.deibert at utoronto.ca
Mon Feb 17 04:39:35 PST 2014


Dear LibTech

On behalf of the Citizen Lab I am pleased to announce the second in a series of posts about Hacking Team,
authored by Bill Marczak, Claudio Guarnieri, Morgan Marquis-Boire, and John Scott-Railton.  The summary
is pasted below.

Here is the link to the full report:

https://citizenlab.org/2014/02/mapping-hacking-teams-untraceable-spyware/

Cheers
Ron



Mapping Hacking Team’s “Untraceable” Spyware

February 17, 2014

Categories: Reports and Briefings, Research News
Authors: Bill Marczak, Claudio Guarnieri, Morgan Marquis-Boire, and John Scott-Railton.

This post is the second in a series of posts that focus on the global proliferation and use of Hacking Team’s RCS spyware, which is sold exclusively to governments.

Summary

Remote Control System (RCS) is sophisticated computer spyware marketed and sold exclusively to governments by Milan-based Hacking Team.[1] Hacking Team was first thrust into the public spotlight in 2012 when RCS was used against award-winning Moroccan media outlet Mamfakinch,[2] and United Arab Emirates (UAE) human rights activist Ahmed Mansoor.[3] Most recently, Citizen Lab research found that RCS was used to target Ethiopian journalists in the Washington DC area.[4]
In this post, we map out covert networks of “proxy servers” used to launder data that RCS exfiltrates from infected computers, through third countries, to an “endpoint,” which we believe represents the spyware’s government operator; this process is designed to obscure the identity of the government conducting the spying.  For example, data destined for an endpoint in Mexico appears to be routed through four different proxies, each in a different country.  This so-called “collection infrastructure” appears to be provided by one or more commercial vendors — perhaps including Hacking Team itself.
Hacking Team advertises that their RCS spyware is “untraceable” to a specific government operator.  However, we claim to identify a number of current or former government users of the spyware by pinpointing endpoints, and studying instances of RCS that we have observed.  We suspect that agencies of these 21 governments are current or former users of RCS: Azerbaijan, Colombia, Egypt, Ethiopia, Hungary, Italy, Kazakhstan, Korea, Malaysia, Mexico, Morocco, Nigeria, Oman, Panama, Poland, Saudi Arabia, Sudan, Thailand, Turkey, UAE, and Uzbekistan.  Nine of these countries receive the lowest ranking, “authoritarian,” in The Economist’s 2012 Democracy Index.[5]  Additionally, two current users (Egypt and Turkey) have brutally repressed recent protest movements.
We also study how governments infect a target with the RCS spyware.  We find that this is often through the use of “exploits” — code that takes advantage of bugs in popular software.  Exploits help to minimize user interaction and awareness when implanting RCS on a target device.  We show evidence that a single commercial vendor may have supplied Hacking Team customers with exploits for at least the past two years, and consider this vendor’s relationship with French exploit provider VUPEN.
 
Ronald Deibert
Director, the Citizen Lab 
and the Canada Centre for Global Security Studies
Munk School of Global Affairs
University of Toronto
(416) 946-8916
PGP: http://deibert.citizenlab.org/pubkey.txt
http://deibert.citizenlab.org/
twitter.com/citizenlab
r.deibert at utoronto.ca


