[liberationtech] Mapping Hacking Team's "Untraceable" Spyware

LilBambi lilbambi at gmail.com
Mon Feb 17 05:08:56 PST 2014


Thank you, Ron. Looks like pretty thorough and important research.

On Mon, Feb 17, 2014 at 7:39 AM, Ronald Deibert <r.deibert at utoronto.ca> wrote:
> Dear LibTech
>
> On behalf of the Citizen Lab I am pleased to announce the second in a series
> of posts about Hacking Team,
> authored by Bill Marczak, Claudio Guarnieri, Morgan Marquis-Boire, and John
> Scott-Railton.  The summary
> is pasted below.
>
> Here is the link to the full report:
>
> https://citizenlab.org/2014/02/mapping-hacking-teams-untraceable-spyware/
>
> Cheers
> Ron
>
>
>
> Mapping Hacking Team's "Untraceable" Spyware
>
> February 17, 2014
>
> Categories: Reports and Briefings, Research News
>
> Authors: Bill Marczak, Claudio Guarnieri, Morgan Marquis-Boire, and John
> Scott-Railton.
>
> This post is the second in a series of posts that focus on the global
> proliferation and use of Hacking Team's RCS spyware, which is sold
> exclusively to governments.
>
> Summary
>
> Remote Control System (RCS) is sophisticated computer spyware marketed and
> sold exclusively to governments by Milan-based Hacking Team.[1]  Hacking Team
> was first thrust into the public spotlight in 2012 when RCS was used against
> award-winning Moroccan media outlet Mamfakinch,[2] and United Arab Emirates
> (UAE) human rights activist Ahmed Mansoor.[3] Most recently, Citizen Lab
> research found that RCS was used to target Ethiopian journalists in the
> Washington DC area.[4]
>
> In this post, we map out covert networks of "proxy servers" used to launder
> data that RCS exfiltrates from infected computers, through third countries,
> to an "endpoint," which we believe represents the spyware's government
> operator; this process is designed to obscure the identity of the government
> conducting the spying.  For example, data destined for an endpoint in Mexico
> appears to be routed through four different proxies, each in a different
> country.  This so-called "collection infrastructure" appears to be provided
> by one or more commercial vendors -- perhaps including Hacking Team itself.
>
> Hacking Team advertises that their RCS spyware is "untraceable" to a
> specific government operator.  However, we claim to identify a number of
> current or former government users of the spyware by pinpointing endpoints,
> and studying instances of RCS that we have observed.  We suspect that
> agencies of these 21 governments are current or former users of RCS:
> Azerbaijan, Colombia, Egypt, Ethiopia, Hungary, Italy, Kazakhstan, Korea,
> Malaysia, Mexico, Morocco, Nigeria, Oman, Panama, Poland, Saudi Arabia,
> Sudan, Thailand, Turkey, UAE, and Uzbekistan.  Nine of these countries
> receive the lowest ranking, "authoritarian," in The Economist's 2012
> Democracy Index.[5]  Additionally, two current users (Egypt and Turkey) have
> brutally repressed recent protest movements.
>
> We also study how governments infect a target with the RCS spyware.  We find
> that this is often through the use of "exploits" -- code that takes advantage
> of bugs in popular software.  Exploits help to minimize user interaction and
> awareness when implanting RCS on a target device.  We show evidence that a
> single commercial vendor may have supplied Hacking Team customers with
> exploits for at least the past two years, and consider this vendor's
> relationship with French exploit provider VUPEN.
>
>
> Ronald Deibert
> Director, the Citizen Lab
> and the Canada Centre for Global Security Studies
> Munk School of Global Affairs
> University of Toronto
> (416) 946-8916
> PGP: http://deibert.citizenlab.org/pubkey.txt
> http://deibert.citizenlab.org/
> twitter.com/citizenlab
> r.deibert at utoronto.ca
>