Nettime mailing list archives

Re: <nettime> Fwd: Hacked Team [getting off-topic...]
Jaromil on Thu, 5 Nov 2015 15:03:42 +0100 (CET)

back on the HT case 4 months later

On Mon, 27 Jul 2015, Radovan Misovic wrote:

> I found an interesting article related to this topic.

> Hacking Team: a zero-day market case study


A new article finally tells more of the story behind the scenes and shows
better the connection between "market" dynamics and the ethics of those involved

I simply second the definition of a fascist (with plenty of Italian effing
acquaintances) ruling the company. When looking at the rest of the booming tech
security industry, I believe what really went wrong in HT is going wrong in any
other company with dreams of grandeur and obsession of scaling up operations in
the military industrial complex. Software embargos can't help at all here,
since software is probably the easiest thing to smuggle, ever.

Now, good luck with startups and zilicon falleys

                           The Hacking Team Defectors

  Written by Lorenzo Franceschi-Bicchierai

   November 2, 2015 // 09:00 AM EST

   I am sitting in a nondescript all-white office room in Sliema, a touristy,
   commercial town that faces Malta's capital of Valletta. I'm staring at my
   computer, typing commands into the terminal, and I have no idea what I'm

   Sitting across the room there's a hacker who looks nothing like the image
   of a hacker that popular culture has ingrained in our minds. He has a
   buzz-cut, he's clean-shaven, has an earnest smile, and is wearing a dark
   blue polo shirt and cargo shorts. He looks more like a tourist than
   someone who used to develop spyware for the infamous Italian surveillance
   tech company Hacking Team.

   He is sending me a bunch of commands written in the Python programming
   language, trying to exploit a flaw in my MacBook's operating system, so
   that I can get administrative privileges on my work computer.

   "Let me write another backdoor," he says.

   After a few failed attempts, and a couple more Python scripts, it finally

   "Fuck yeah, you're root," he says, using the technical term for a user who
   has full privileges on a computer. "We just exploited your computer!" he
   adds, laughing.

   I laugh too, and then I realize that, technically, a guy that used to work
   at Hacking Team, the surveillance technology vendor that sold its products
   to almost 40 law enforcement and intelligence agencies from across the
   world, according to data dumped online this summer, just hacked my


   His name is Alberto Pelliccione. Until last year, he was the man
   responsible for developing Hacking Team's Android spyware, and one of the
   employees who had worked on the company's marquee product, the
   surveillance suite known as Remote Control System or RCS, since its early

   In February of last year, Pelliccione resigned. Since then, the company's
   top brass, particularly the CEO David Vincenzetti, has gone after him for
   leaving, and later sued him for allegedly using Hacking Team's code to
   create an antidote to the company's spyware, a defensive system called

   Now, after a mysterious hacker only known as PhineasFisher breached the
   company in July, exposing its most guarded secrets, such as internal
   emails, list of clients, and even the spyware's source code, Pelliccione
   was fingered by Vincenzetti as a potential suspect.

   But he's not the only one who's faced the wrath of his old company.

   A small group of high-level former employees, who all left after
   Pelliccione, are also suspected of being behind the hack, and have been
   called "infidels" and "traitors" by the Italian press. Their departure, as
   well as what happened to them after they left, shows that even internally,
   some were not happy about the direction the company took in the last few
   years; there have been multiple reports that Hacking Team's products were
   being abused by some of its customers, such as Morocco, the United Arab
   Emirates, Ethiopia, or Saudi Arabia.

  "Hacking Team shouldn't be a fucking religion that if you wanna leave you're
  an infidel or a traitor."

   The group of former employees was accused of having played part in the
   hack after months of separate lawsuits against five of them. Two of them
   even received visits from the Italian intelligence -- all ploys that seem to
   be a way to intimidate and punish them for having left the company.

   A Hacking Team former employee asked not to be named because Vincenzetti,
   "with his ongoing lawsuits, is at least a little bit effective in his
   terrorist tactics aimed at forcing people not to talk."

   Guido Landi, who worked as a developer at Hacking Team focusing on
   Windows, is one of the former employees that the company is going after.
   For him, Hacking Team is a "madhouse," led by a "fascist" who won't
   forgive anyone who dares to leave.

   Another former employee said that ever since Pelliccione left, the ones
   that followed him were immediately "categorized as enemies, criminals,
   people of dubious reputation."

   This past summer, before the breach, another developer announced that he
   wanted to resign. Immediately, according to internal emails, Vincenzetti
   worried that he might leave for a competitor and wrote in an email to
   other executives that he was considering "legal actions."

   Intimidating people wanting to leave was "routine procedure," according to
   a former employee. Landi confirms, saying that he heard of various cases.
   "As soon as you resigned, you became the enemy," he says.

   "Hacking Team shouldn't be a fucking religion that if you wanna leave
   you're an infidel or a traitor," Pelliccione tells me. "It's just a company
   and if you're sick of it, you should have the right to leave."


   Hacking Team's former Android developer Alberto Pelliccione. Photo:
   Lorenzo Franceschi-Bicchierai/Motherboard

   At the end of 2007, Pelliccione was researching robotics and artificial
   intelligence at the National Research Council in Rome. That's when he got
   a call from an old friend who was working at Hacking Team. At the time,
   the company was a small firm focused mostly on consulting and helping
   companies, such as big banks, to protect themselves. The year prior, the
   company had just started working on its offensive hacking solution, which
   would later be known as DaVinci, the first version of RCS. When he joined,
   Pelliccione says there were less than four people working on the project.

   "We were doing stuff the world had never seen," Pelliccione tells me.

   Slowly, RCS became the company's main, and eventually only business, and
   Pelliccione became the lead developer of the mobile team, first focusing
   on Windows mobile, and then Android.

   Initially, the company only sold to the Italian government, but thanks to
   aggressive marketing, and a rising global demand for tools to break into
   criminals' computers and cellphones, Hacking Team quickly went global,
   selling all over the world. Despite the booming business, the company was
   able to keep a low profile until late 2012.

   On October 10, 2012, researchers at the Citizen Lab, a digital watchdog at
   the University of Toronto's Munk School of Global Affairs, revealed that
   the Moroccan government had used a sophisticated spy software to target
   the local citizen journalist group Mamfakinch. The researchers found that
   the malware used against the journalists was called "DaVinci," and traced
   it back to Hacking Team.

   It was the first time the company's products had been linked to human
   rights abuses. Hacking Team's top brass called for an emergency meeting,
   as the Citizen Lab report had also exposed the company's tools, which
   relied on being invisible to antivirus software to be effective. The
   management asked the developers to go back to the drawing board, and make
   DaVinci stealth again.

   Publicly, Hacking Team brushed off the report, saying its policy was not
   to discuss its customers, and that the company's goal was to provide tools
   to investigate crimes. Internally, the top brass told its employees that
   there was no way for them to know how the customers used the tools, and
   that there was no way for them to know whether the targets in Morocco were
   really activists or criminals.

  "You shouldn't sell to Sudan. Period. Same goes for Ethiopia. And even in
  other less evil countries, there were abuses."

   But the developers, as well as other employees, were taken aback,
   according to Pelliccione. They started asking questions, and debating
   whether the tools they were creating were being used to fight crime and
   terrorism, or quash dissent.

   "That debate lit up internally on that day, and never subsided,"
   Pelliccione tells me.

   The executives also decided to compartmentalize and separate the sales and
   field application engineers teams, who had the most visibility into the
   customers, from the developers -- "a separation aimed at avoiding internal
   discontent," Pelliccione says.

   The compartmentalization became even physical. The developers were working
   on the ground floor of Via Moscova 13, Hacking Team's headquarters in
   Milan, while the management was placed on the first floor, and the sales
   and field application engineers, who travelled around the world demoing
   the products, worked on the fifth floor.

   At that point the employees had a harder time knowing what was going on,
   and how some of the tools were being used, or whom the company was selling
   to. But Citizen Lab researchers kept revealing more cases of abuse, and
   Pelliccione says there probably are many more that nobody will ever know

   Landi, who says he had little visibility into the customers, admits that
   he could have asked friends at the higher floors, but he decided not to,
   preferring not to know. Looking back, however, he says Hacking Team sold
   to countries it shouldn't have sold to.

   "You shouldn't sell to Sudan. Period. Same goes for Ethiopia," Landi says.
   "And even in other less evil countries, there were abuses."


   For his six years at Hacking Team, despite being the lead of the Android
   development team, Pelliccione says that he was never hired full time, and
   never felt really valued by the company. For that reason, and because of
   the internal debate over the legitimacy of Hacking Team's tools, he
   decided to leave.

   "Nobody likes to know that what you make is used for evil," he says. "No
   matter how much you regulate these tools, you'll never effectively know
   how they could be used. You can hope they will be used for good, but you
   never know who really ends up using them."

   Hacking Team declined to comment for this story, but the company has long
   maintained that it doesn't sell to countries where there are "credible
   concerns" that its products "will be used to facilitate human rights
   violations." Yet, after Citizen Lab reported a first suspected case of
   abuse by the Ethiopian government, the company didn't stop selling to the
   country, which was later caught again targeting the same journalists using
   Hacking Team's spyware.

   The company even used to have an external review board that was supposed
   to make sure the Hacking Team didn't sell to repressive regimes. Despite
   this panel, which turned out to be formed by lawyers at the international
   firm Bird & Bird, the company sold to Sudan, when the UN had put the
   country on an embargo blacklist.

   The company has also always claimed that it had no visibility into how the
   customers were using its products. But in reality, whenever a client
   wanted to infect a target with a booby-trapped document, it would send the
   document to Hacking Team's technicians, who were tasked with weaponizing
   it. While this didn't necessarily mean that the company knew whom the
   documents would be sent to, they could have an idea, depending on the
   content of the document.

   In 2013, Reporters Without Borders named Hacking Team one of the "Enemies
   of the Internet" for selling tools to repressive regimes. A year later, on
   February 12, 2014, Citizen Lab revealed that the Ethiopian government had
   used Hacking Team's spyware to hack into the computers of several
   journalists in the diaspora, in what activists saw as yet another clear
   attack on freedom of speech.

   For Pelliccione, that was the final straw. Two days later, he told his
   bosses that he wanted to resign. On Feb. 21, the company announced in an
   internal email that he was leaving to launch his own security company in

   "I wish Alberto all the best," Hacking Team's Chief Operation Officer,
   Giancarlo Russo, wrote in the email, in which he described Pelliccione's
   decision as "bold and courageous."

   But Vincenzetti, the CEO, didn't take it that well.

   "Alberto was one of the top guys," Vincenzetti wrote in an email sent only
   to other executives. "This has NEVER happened."

  "No matter how much you regulate these tools, you'll never effectively know
  how they could be used."

   The CEO immediately doubted Pelliccione's real motives, wondering if he'd
   take other people with him to create a "spin-off" company or a
   "competitor." In the following weeks, another employee, a field
   applications engineer, left the company too. In an email discussing her
   departure, Vincenzetti talked about "serious cracks" in the company, and
   the risk of more "defections" that could end up "destroying" the company.

   In May, Vincenzetti shared more bad news, another "serious loss," this
   time it was Landi, another key developer.

   "Guido [Landi] is the right arm of [Chief Technology Officer] Marco
   Valleri," Vincenzetti writes. "Without him, we can't guarantee the
   invisibility of our product."

   Vincenzetti added that he had involved Hacking Team's "highest contacts"
   with the Italian government to figure out where Landi was going. He was
   likely referring to two agents at the Italian secret service, the
   country's intelligence arm: Colonel Riccardo Russi, and General Antonello

   When another key employee named Mostapha Maanna resigned a few days later,
   Vincenzetti started to see a "conspiracy," as Pelliccione puts it, and was
   worried the former employees wanted to compete with Hacking Team.

   In the following months, Vincenzetti launched a full-on probe into their
   activities, according to leaked emails and documents. Russi played a
   fundamental role in it, personally meeting with Landi and Maanna, and even
   paying them a "visit," as he himself put it in an email, sent from his
   personal account in August of 2014.

   Meanwhile, Pelliccione founded ReaQta and set up shop in Malta to create a
   new system that uses artificial intelligence to detect cyberattacks.
   Worried about Pelliccione, Hacking Team hired private investigators from
   the US firm Kroll to figure out what he was up to, according to a leaked
   internal report.

   In the following months, Kroll posed as a potential buyer to learn more
   about ReaQta. The investigators met with Pelliccione, as well as with one
   of his collaborators, Alberto Velasco. At the time, Velasco was also a
   Hacking Team freelance contractor who represented the company in the
   United States. It was Velasco's American-based company, Cicom USA, that
   acted as middle man when the Drug Enforcement Administration bought
   Hacking Team's software in 2012.

   In a meeting in Annapolis, Maryland, on January 16, 2015, Kroll
   investigators asked Velasco and Pelliccione, who was connected via Skype,
   whether ReaQta could block Hacking Team's malware. The two, according to
   the firm's report, "laughed nervously." Pelliccione then said that indeed,
   ReaQta could neutralize Hacking Team's tools.

   For Hacking Team's brass, that was an admission of guilt. Four months
   later, on May 5, Vincenzetti filed a lawsuit in Italy against Pelliccione,
   Velasco, Landi, Maanna, and Serge Woon, another former employee who went
   to work with ReaQta, for conspiring to create an "antidote" against
   Hacking Team, using stolen code.

  "These accusations are just an act of retaliation."

   In the lawsuit Vincenzetti wrote that ReaQta's ability to block Hacking
   Team's RCS can only be due to the "subtraction of RCS source code from
   Hacking Team's systems." Vincenzetti accused Maanna and Landi of leaving
   Hacking Team with the purpose of helping Pelliccione commercialize ReaQta.
   The company also sued Velasco in the United States, as well as Woon in

   The former employees deny all the accusations. Pelliccione tells me that
   the lawsuit is nonsense, given that ReaQta is a defensive product, while
   Hacking Team is an offensive tool. And it wouldn't make sense for him to
   market ReaQta as an antidote given that Hacking Team is used by a small
   number of customers for targeted surveillance. In other words, it wouldn't
   make business sense, he says.

   Hacking Team spokesperson Eric Rabe declined to comment on the lawsuits,
   saying these are "internal matters."

   Since going to court, the company has kept the pressure on the former
   employees. Last summer, before getting hacked, it hired private
   investigators to tail Maanna, according to leaked emails and reports from
   the detectives. In an email, a Hacking Team lawyer told the detectives
   that the company was looking for "evidence" of Maanna's "participation in an
   Islamic group." The detectives' report, however, is nothing but mundane,
   as they didn't find any evidence of affiliation with any groups, but just
   witnessed Maanna go play tennis and to the grocery store.

   A picture of Mostapha Maanna, another former employee of Hacking Team,
   taken by detectives hired by the company to tail him.

   A few weeks after the devastating hack, in which PhineasFisher siphoned
   off 400 gigabytes of internal data, Italian prosecutors started
   investigating the former employees. (Pelliccione and Landi declined to
   comment about the investigation).

   Alessandro Gobbis, the lead prosecutor, confirmed to me in a phone call in
   August that the former employees were being investigated after someone
   "outside" of the prosecution signalled them as potential suspects. Gobbis
   declined to reveal the names of all the former employees who are under
   investigation, as well as who fingered them as potential suspects.
   Sources, however, told me it was Vincenzetti who implicated them. The
   prosecutor also declined to reveal any other details of the investigation,
   given that it was still ongoing.

   "We're looking into all the possibilities," he told me over the phone.

   Hacking Team's spokesperson Rabe said in an email that the company "has
   not named or accused anyone of the attack since the perpetrators are
   simply unknown," and that Hacking Team "can only speculate about who or
   even why the company was targeted this attack."

   In the weeks after the hack, Vincenzetti said that the attack was a
   "vicious and reckless crime," perpetrated with the goal of destroying the
   company. But Vincenzetti also promised not to back down, saying the
   company will emerge with "new and better tools."

   The group of former employees strongly deny their alleged involvement in
   the attack.

   "We had nothing to do with it," Pelliccione says. "I feel like these
   accusations are just an act of retaliation."


   Hacking Team's official Twitter account on the day of PhineasFisher's

   It's a scorching hot summer day in Malta. Pelliccione and I are sitting at
   a table, eating a chicken shawarma. After six years developing tools to
   hack into people's computers, Pelliccione has switched sides, and is now
   using his skills and experience to keep the hackers out.

   It's been more than a year since he left Hacking Team. During that time,
   the hacker has been working with a small team of developers to create a
   next generation defensive solution called ReaQta-Core. Pelliccione says
   ReaQta-Core uses artificial intelligence and machine learning to protect
   against malware, and lives at the CPU level, so it's able to provide
   better protection than traditional antiviruses. The company hasn't
   received venture capital yet, but it's now actively looking for investors.

   During our lunch, Pelliccione looks into the void for a second.

   "Do you remember when that security firm analyzed Hacking Team's Android
   implant?" he asks.

   He's referring to an analysis by Trend Micro, which called the company's
   Android spyware "the most professionally developed and sophisticated
   Android malware ever exposed."

   I nod. He stares at me, and quotes the analysis, smiling.

   "When I read that," he says, pretending to tip his nonexistent hat, "I
   shook my own hand. I wrote that malware!"

#  distributed via <nettime>: no commercial use without permission
#  <nettime>  is a moderated mailing list for net criticism,
#  collaborative text filtering and cultural politics of the nets
#  more info: http://mx.kein.org/mailman/listinfo/nettime-l
#  archive: http://www.nettime.org contact: nettime {AT} kein.org