[liberationtech] New Citizen Lab Report

Tue Mar 4 11:37:56 PST 2014

Dear LibTech

I am pleased to announce a new Citizen Lab report, authored by Bill Marczak, Claudio Guarnieri, Morgan Marquis-Boire, John Scott-Railton, and Sarah McKune, called "Hacking Team's US Nexus." This report is the third in a series on Hacking Team's global proliferation, this time focusing on US data hosting services being employed as part of foreign espionage campaigns.

The full report is here:
https://citizenlab.org/2014/02/hacking-teams-us-nexus/

And the Washington Post story on the report is here:
http://www.washingtonpost.com/world/national-security/italian-spyware-firm-relies-on-us-internet-servers/2014/03/03/25f94f12-9f00-11e3-b8d8-94577ff66b28_print.html

A high level summary is posted below.

Cheers
Ron

Hacking Team’s US Nexus

Authors: Bill Marczak, Claudio Guarnieri, Morgan Marquis-Boire, John Scott-Railton, and Sarah McKune

This post is the third in a series of posts that focus on the global proliferation and use of Hacking Team’s RCS spyware, which is sold exclusively to governments.

Summary

Remote Control System (RCS) is sophisticated computer spyware marketed and sold exclusively to governments by Milan-based Hacking Team.  RCS can record Skype calls, copy passwords, e-mails, files and instant messages, and turn on a computer or phone’s webcam and microphone to spy on nearby activity.  An earlier Citizen Lab report showed how one RCS user -- believed to be the Ethiopian Government -- targeted journalists in the Washington DC area with the spyware.  Previously, governments have used RCS to target journalists in Morocco, activists in the UAE, and a US-based critic of Turkish charter schools.

Two weeks ago, the present authors released a report Mapping Hacking Team’s “Untraceable” Spyware, which identifies 21 governments that we suspect are current or former users of RCS.  The report showed that computers infected with RCS send surveillance data back to the government operator through a series of servers in multiple third countries, called a proxy chain or circuit.  This is to prevent someone who discovers a copy of the spyware or an infected computer from tracing it back to the government.  For example, an infected target may discover that his computer is sending information to a server in Fremont, California, but would not be able to trace the ultimate destination of this information to Uzbekistan.

In this post, we delve deeper into these proxy chains, and find that in at least 12 cases, US-based data centers are part of this dedicated foreign espionage infrastructure.  Our analysis traces these proxy chains, and finds that US-based servers appear to assist the governments of Azerbaijan, Colombia, Ethiopia, Korea, Mexico, Morocco, Poland, Thailand, Uzbekistan, and the United Arab Emirates in their espionage and/or law enforcement operations.  Azerbaijan, Ethiopia, and Uzbekistan receive the lowest ranking, “authoritarian,” in The Economist’’s 2012 Democracy Index.

The extensive and deliberate use of dedicated US hosting companies by foreign countries’ wiretapping activities raises a number of pressing legal and policy concerns. These include whether RCS client countries violate US law and longstanding international legal principles on sovereignty and nonintervention through use of this spyware. Moreover, RCS client countries, by exposing wiretap data to US and other jurisdictions, may have violated internal laws governing the safeguarding of wiretapped material.  

We also identify several cases where US-based spyware servers were disguised as the websites of US companies, including a small New York-based financial services firm related to an SEC investigation, a small Oregon newspaper, and ABC News.  We believe that the disguises were designed to mislead targets if they discovered that their systems were communicating with these servers.  Thus, we believe that the targets of the the spyware in these instances had some familiarity with these companies.

Ronald Deibert
Director, the Citizen Lab 
and the Canada Centre for Global Security Studies
Munk School of Global Affairs
University of Toronto
(416) 946-8916
PGP: http://deibert.citizenlab.org/pubkey.txt
http://deibert.citizenlab.org/
twitter.com/citizenlab
r.deibert at utoronto.ca

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.stanford.edu/pipermail/liberationtech/attachments/20140304/5c2a442c/attachment.html>