Hacking Team, a surveillance company known for selling spyware to governments around the world, got hacked. On Sunday night an unidentified attacker released what appears to be a massive trove of internal documents from the Italian company online -- even taking over its Twitter account to share the files.
Hacking Team is one of a number of companies that have started selling commercial surveillance tools to law enforcement and intelligence agencies, making capabilities once reserved for the most technically advanced intelligence agencies available to governments worldwide.
"Hacking Team has been the victim of an online attack, and we believe documents have been stolen from the company," Hacking Team spokesperson Eric Rabe told The Washington Post in a statement.
Hundreds of gigabytes of files are being circulated online, including what appears to be the underlying code for the company's spying tools and the e-mail inboxes of its employees. However, Rabe declined to comment on the validity of those documents and called some of the information being reported about their contents "inaccurate."
The company has long been criticized by civil liberties groups and some security researchers who have accused it of selling surveillance tools to any government that can pay -- regardless of their human rights record. If authentic, the cache released online seems to support those claims: Among the documents is a list of Hacking Team customers featuring countries including Azerbaijan, Ethiopia, Egypt, Kazakhstan, Sudan and Saudi Arabia, along with others, according to multiple media reports.
For Sudan, the subject of a United Nations arms embargo, the documents include a $480,000 invoice for Hacking Team's Remote Control System -- the company's signature spyware tool, which it says allows governments to "take control" of their target's devices -- according to Wired.
"The list of customers overlaps with a lot of what we found," said Bill Marczack, a researcher who has worked on reports about Hacking Team's products for Citizen Lab at University of Toronto's Munk School of Global Affairs. One Citizen Lab report from earlier this year appeared to show that the company continued to provide service to Ethiopia even after reports that its tools were being used by that government to target U.S.-based journalists.
Hacking Team has historically declined to identify its clients and will continue to abide by that policy in the wake of the hack, Rabe said.
Hacking Team has said it has internal procedures to address human rights concerns about prospective customers. But researchers say that if the documents floating around online now are authentic, that claim appears dubious.
"There doesn't seem to be any sort of human rights due diligence in what we've seen right now," said Collin Anderson, an independent researcher who has investigated the commercial surveillance market.
The documents also reportedly show several U.S. agencies among the company's clientele. That lines up with previous reporting by Motherboard that appeared to show the company using shell companies to sell its products to the the Drug Enforcement Administration.
The leak comes amid an ongoing debate in the United States about how to enforce an international arms control agreement that places new rules on the export of hacking tools. The revelations about Hacking Team may bring new urgency to the discussion and raise questions about U.S. reliance on companies like that, said Christopher Soghoian, a technologist with the American Civil Liberties Union and a critic of the commercial surveillance industry.
The release is the second breach at a company that sells commercial surveillance tools in recent years. Last August, a separate attack against Gamma International resulted in 40 gigabytes of internal company data being leaked online. The same hacker behind that incident is claiming responsibility for the Hacking Team attack, according to Motherboard.
Hacking Team's surveillance tools are likely to be far easier to detect if the code for the software leaked in this breach is authentic, said Anderson. With the code available, digital security companies will be able to flag them as malicious in their scanning tools, he explained.
"I think Hacking Team is going to have to scramble to maintain the invisibility they claim they sell as a commercial service to their customers," Anderson said.