Hacking Team hacked - bad news for firm that helps governments spy on their citizens

Hacking Team, an Italian company which specialises in helping governments and intelligence agencies spy on their citizens, has found itself hacked - and its internal emails and documents published on the net.

The first public clue that Hacking Team had a serious problem came when the firm's Twitter account was compromised, and its name changed to "Hacked Team".

An out-of-character tweet posted on the hacked account contained a link to what the attackers claimed was a 400 GB dump of the company's internal files, source code and communications:

Hacking Team Tweet

Since we have nothing to hide, we're publishing all our e-mails, files and source code [LINK]

No one has yet claimed responsibility for the hack, but the company's primary surveillance tool (known as Da Vinci) helped it earn a spot on an "Enemies of the Internet" list compiled by Reporters Without Borders.

In short, this Milan-based company has no shortage of online enemies around the world.

Hacked Hacking Team

Hacked Team
@hackingteam
Developing ineffective, easy-to-pwn offensive technology to compromise the operations of the worldwide law enforcement and intelligence communities.

Internal documents stolen by the hackers reveal the locations of the company's customers, including Australia, Azerbaijan, Bahrain, Chile, Colombia, Cyprus, Czech Republic, Ecuador, Egypt, Ethiopia, Germany, Honduras, Hungary, Italy, Kazakhstan, Luxembourg, Malaysia, Mexico, Mongolia, Morocco, Nigeria, Oman, Panama, Poland, Russia, Saudi Arabia, Singapore, South Korea, Spain, Sudan, Switzerland, Thailand, UAE, United States, Uzbekistan, and Vietnam.

Furthermore, observers who have seen the documents released by the hackers say that they include passwords used by both Hacking Team staff and its customers. Sadly, the passwords appear to prove that even those you would hope understand the importance of good password security still make very bad choices:

HTPassw0rd

Passw0rd!81

Passw0rd

Passw0rd!

Pas$w0rd

Rite1.!!
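A policy check that would have rejected every password in that list, as an added example (not code from the article or from Hacking Team): it undoes the usual leetspeak substitutions before comparing against a blocklist, so "Passw0rd!81" and "Pas$w0rd" are recognised as "password". The blocklist and the context words are constructed for the demonstration.

```python
import re

# Constructed sample blocklist; a real deployment would use a large breach-derived list.
BLOCKED_WORDS = ("password", "welcome", "letmein", "qwerty", "admin")

# Reverse the character substitutions people use to dodge naive dictionary checks.
UNLEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                        "7": "t", "$": "s", "@": "a", "!": "i"})


def normalize(password):
    """Lower-case, undo leetspeak substitutions, then keep letters only, so that
    trailing digits and punctuation (as in Passw0rd!81) cannot mask the base word."""
    return re.sub(r"[^a-z]", "", password.lower().translate(UNLEET))


def check_password(password, min_length=12, context_words=()):
    """Return the list of policy violations for `password` (empty means it passes).
    `context_words` lets the caller add names tied to the organisation or the user,
    since a company initialism or product name is as guessable as a dictionary word."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    core = normalize(password)
    for word in BLOCKED_WORDS + tuple(w.lower() for w in context_words):
        if word and word in core:
            reasons.append(f"built on the common word '{word}'")
            break  # one dictionary hit is enough to reject
    return reasons


if __name__ == "__main__":
    # The passwords quoted in the article above, run through the check.
    for pw in ("HTPassw0rd", "Passw0rd!81", "Passw0rd", "Passw0rd!", "Pas$w0rd", "Rite1.!!"):
        print(f"{pw!r:15} -> {check_password(pw) or ['ok']}")
```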

A YouTube video acts as an advertisement for Hacking Team's services - although it's questionable just how many intelligence agencies would want to use the firm's services now that it has been so seriously breached.

The Hacking Team website, which does not appear to have been breached, currently says it is hiring new staff. However, you have to wonder if there will be much of a company left to join following the repercussions of this hack.

Hacking Team website


6 Responses

  1. Bob

    July 6, 2015 at 11:23 am #

    Timely news – just as we've seen that the top VPNs have failed in security tests:

    http://www.theregister.co.uk/2015/06/30/worlds_best_vpns_fall_flat_in_security_tests/
    http://www.eecs.qmul.ac.uk/~hamed/papers/PETS2015VPN.pdf

  2. Jim

    July 6, 2015 at 11:38 am #

    Website's down now … http://www.hackingteam.it/
    Well at least for me …

  3. John H

    July 6, 2015 at 11:52 am #

    GOOD! Do these people really think that the community won't fight back, particularly after what Mr Snowden revealed?
    Now they & their clients know it's not a one-way street. Incidentally, look at those clients: none of them are a byword for democracy, are they!

  4. David L

    July 6, 2015 at 5:50 pm #

    The problem remains, because the vast majority of those being surveilled will never know it. But I would hope that all the major AV vendors are busily writing new definitions to cover this discovery. I for one can't wait to read all the reports when they come out. Security junky that I am (-:

  5. Coyote

    July 6, 2015 at 6:40 pm #

    "…reveals the location of the company's customers, including…"

    That list is absolutely pathetic. Never mind the hypocrisy it shows, the list shows just how petty governments can be; they have to pay a company to break the law because why? Inability? Too lazy? Want to add to the list of things they hide? Other reasons? All of the above? Ah, that is it.

    But good. This company was asking for trouble based on what they do. Also, since it is supposedly legal for them to do what they do (…) then one would like to believe (…) that those who compromised them would also not be breaking the law by doing so.

    As for the password list. What to say? There isn't much to say on the passwords themselves. What there is to say is questioning why they have them plaintext …

  6. Anonymous

    July 6, 2015 at 11:27 pm #

    It will be interesting to watch the revelations that continue to follow from this.
