A controversial Italian company that sells hacking tools to governments is warning that terrorists and extortionists could use its products because of data leaked online over the weekend.
The company, HackingTeam, was the victim of a cyberattack that resulted in the posting of hundreds of gigabytes of what appeared to be internal documents online -- including the computer code for their products and internal e-mails. A company spokesperson previously declined to verify the authenticity of the trove, but its latest statement appears to confirm that at least part of the dump was real.
"HackingTeam’s investigation has determined that sufficient code was released to permit anyone to deploy the software against any target of their choice," company spokesperson Eric Rabe said in a statement. The company was able to limit who had access to its products before the attack, he said, but now they've lost that control.
"Terrorists, extortionists and others can deploy this technology at will if they have the technical ability to do so," Rabe said. The company has asked its clients to stop using their software, according to the statement.
HackingTeam is part of a burgeoning commercial surveillance market that sells off-the-shelf versions of digital spying tools once only in the hands of the most sophisticated intelligence agencies -- sometimes to nations with questionable human rights records, civil liberties groups and security researchers have alleged. Documents from the cache appear to support that claim, reportedly showing Azerbaijan, Ethiopia, Egypt, Kazakhstan, Sudan and Saudi Arabia among HackingTeam's clients -- along with several U.S. government agencies.
The company does not disclose the identities of its clients and has responded to earlier reports of abuse by saying it has internal procedures to address human rights concerns about potential customers. But one report, released this year by Citizen Lab at the University of Toronto's Munk School of Global Affairs, appeared to show that HackingTeam continued to provide service to Ethiopia even after reports that its tools were likely being used by that government to target U.S.-based journalists.
But the HackingTeam leak may ultimately result in greater overall online security. Hacking tools work by relying on so-called "zero day" bugs -- vulnerabilities unknown to software makers. According to a blog post from cybersecurity firm TrendMicro, the cache has so far revealed the company's tools relied on at least two problems in Adobe's Flash Player and in Windows itself. One of the Flash bugs was already known, but the other two appear to be zero-days, according to the blog.
Now that they've been disclosed, the companies can fix them and anti-virus companies can update their software to block HackingTeam's tools.
Rabe said that the company is "working around the clock" to get spying capabilities up and running for its clients so they can resume criminal and intelligence investigations.
But HackingTeam may find it hard to recover from the breach. The size of the data dump suggests a massive compromise at the company. And the leaked documents appear to show lax security practices inside the company, including storing sensitive customer data without encryption, said Collin Anderson, an independent security researcher who has previously investigated the commercial surveillance market.
"If you're a law enforcement agency or intelligence agency, your ability to trust companies like this is going to be lower," he said.