A controversial cyber espionage company called Hacking Team is reeling this morning after hackers gave it a taste of its own medicine by breaking into its systems, downloading hundreds of gigabytes of data and throwing it all on the open Internet.
Hacking Team has not said whether the leaked documents are legitimate, but NPR verified that at least the hacked personal passwords do check out.
Without a doubt, a hack of this kind would be terribly problematic for a company that secretly sells spyware to governments — including repressive ones — across the world.
Here's how one Twitter user put the news into context:
Hacking Team has been controversial for years. Reporters Without Borders, for example, lists the company as an enemy of the Internet. Over the years, Citizen Lab, a lab that studies surveillance at the Munk School of Global Affairs at the University of Toronto, has found Hacking Team's spyware in 21 countries, including Sudan, Egypt, Ethiopia, Turkey and Malaysia.
On two occasions, the Lab has written open letters to Hacking Team, urging them to stop the use of their software to quash human rights in repressive countries. Hacking Team has always maintained that it complies with the Wassenaar Arrangement, which limits the kind of dual-use technology that can be sold to certain regimes.
CSOOnline, which covers cybersecurity issues, reports that one of the leaked documents — an invoice for services to Sudan — is especially telling:
"The link to Sudan is especially newsworthy as the company previously stated they've never done business with the nation. There is a UN arms embargo on the Sudan, which is covered by EU and UK law. If they were doing business with the Sudanese government, Hacking Team could be in hot water.
"In 2014, a Citizen Lab report revealed evidence that Hacking Team's RCS (Remote Control System) was being used by the Sudanese government, something the Italian company flat-out denied.
"However, on Sunday a contract with Sudan, valued at 480,000 Euro, and dated July 2, 2012, was published as part of the 400GB cache. In addition, a maintenance list named Sudan as a customer, but one that was 'not officially supported.' Interestingly, Russia has the same designation."
Christopher Soghoian, a privacy activist with the ACLU, tells NPR's Elise Hu that this trove of documents is a "smoking gun" that shows that "HackingTeam has in fact sold its technology to a number of governments with truly atrocious human rights records."
He added: "What this shows us is that surveillance software, advanced surveillance capabilities, are now available to the largest and smallest governments in the world. We really need to have a bigger conversation about whether these tools should be used in democracies."
Elise called Hacking Team's office in Italy, but the person who answered the phone directed any questions to an email address.
One of Hacking Team's employees apparently tweeted about the incident. Before the account was deleted, Christian Pozzi, a senior security engineer at the company, said they were working with police to catch the hackers.
"A lot of what the attackers are claiming regarding our company is not true," he tweeted. "Please stop spreading false lies about the services we offer."
A cached version of Pozzi's Twitter timeline can be found here.
"Bad day? Could be worse. It's now someone at @hackingteam's job to call up the Russian secret police and inform them there's been a breach" — Liam (@liamosaur), July 6, 2015
Copyright NPR. View this article on npr.org.