Four cyber sleuths claim to have found evidence of "untraceable," government-grade surveillance software in use in 21 countries, some of which have records dubious practices when it comes to human rights and Internet freedom.
The report marks the first time that researchers have been able to map the worldwide proliferation of the spyware that Hacking Team, an Italian company, sells to governments and law enforcement agencies.
See also: The Mask Is Off: Cyber Spy Operation Uncovered After 7 Years
The company claims it doesn't sell its products to "repressive regimes," but some of the 21 governments linked to its software, like those of Azerbaijan, Kazakhstan, Saudi Arabia, or Sudan, have questionable human rights records. It also claims its Remote Control System (RCS) spyware, which allows law enforcement to record and monitor just about everything that happens on a target's computer, is untraceable.
"Hacking Team has made a number of statements that seem intended to reassure the public, as well as potential regulators, that they conduct effective due diligence and self-regulation regarding their clients, and the human rights impact of their products," the four researchers wrote in the report, published by the surveillance watchdog Citizen Lab on Monday. "They also market their RCS product as untraceable. Our research suggests that both of these claims ring hollow."
While it's "difficult" to "conclusively" link spyware to a government user, as the researchers warn in the report, they were able to identify a series of IP addresses belonging to servers, some still active, some now inactive, in 21 different countries.
To do so, they looked at the samples of RCS spyware that they have collected over the years and detected which servers the samples connected to. Some of the servers they found, moreover, had certificates belonging to Hacking Team.
"The wizardry there isn't too crazy," Morgan Marquis-Boire, one of the four researchers, told Mashable, explaining that they started mapping the network last summer, scanning the whole Internet for traces of the RCS spyware.
The researchers identified 21 countries linked to the spyware: Azerbaijan, Colombia, Egypt, Ethiopia, Hungary, Italy, Kazakhstan, Korea, Malaysia, Mexico, Morocco, Nigeria, Oman, Panama, Poland, Saudi Arabia, Sudan, Thailand, Turkey, UAE, and Uzbekistan.
The four researchers, Bill Marczak, Claudio Guarnieri, Morgan Marquis-Boire, and John Scott-Railton, have been investigating surveillance technology for years, exposing Western companies that sell spyware to governments around the world. In this particular case, they've come to believe official agencies in the countries identified are using Hacking Team's surveillance software because the company claims it only sells to governments.
While the researchers admit that it's possible that most of these countries use RCS for legitimate criminal investigations, some cases indicate it's been used for political purposes. Last year, the four found that RCS was used against Moroccan journalists, and Ahmed Mansoor, a human rights activist in the United Arab Emirates.
Hacking Team didn't respond to Mashable's requests for comment. In the past, however, it has declined to comment on whether specific countries were customers of its technology citing confidentiality agreements.
In their investigation, the researchers found that the RCS surveillance infrastructure uses a network of multiple servers to siphon data from a target's computer to the alleged law enforcement server. The data travels through multiple hops, a technique presumably used to make it harder to identify who's receiving the data. This is much the same way Tor encryption software uses multiple hops to anonymize its users when navigating the Internet, according to the report.
For example, the researchers saw that to reach a server identified as the endpoint of RCS spyware in Mexico, data went through four proxies in Hong Kong, London, Amsterdam and Atlanta.
The researchers also found that the users (likely associated with governments, if the circumstantial evidence is to be trusted), infect targets with Hacking Team's RCS by using so-called "exploits" or "0-days" — vulnerabilities that allow an attacker to covertly install malware on a target's computer. Other times, like in the alleged case of the Ethiopian government's hacking of journalists in the U.S. and Europe, the infection is attempted with phishing attacks.
By studying some samples of RCS, the researchers suggested the exploits they saw might have been provided by a third party, perhaps Vupen, a French company that sells exploits or vulnerabilities to governments around the world, or FinFisher, a German company which sells products similar to Hacking Team's.
Vupen, which sold its products to the NSA in 2012, denied any connection.
"The report is inconsistent and based on false theories about exploits without any evidence or proof," said Vupen's CEO Chaouki Bekrar in an email to Mashable. "And we do not have any relationship with Hacking Team as we only work with end-user government agencies."
At the time of publication, FinFisher didn't respond to Mashable's request for comment.
Have something to add to this story? Share it in the comments.