An Italian cybersecurity firm was hacked on a grand scale late on Sunday evening. While the full extent of the hack is not yet known, the company has seen over 400 gigabytes of company information shared online over the weekend.
The Milan-based company, ironically named Hacking Team, sells intrusion and surveillance tools to governments and law enforcement agencies around the world. The company is best known for developing the surveillance software Remote Control System (also known as RCS or daVinci).
The hack is alleged to have released internal company documents, email correspondence, personal passwords of employees and clients, and the underlying source code for some company products. The company also found its Twitter account hijacked today, publishing a link to the hacked file on BitTorrent, along with messages containing images of the compromised data.
“Since we have nothing to hide, we’re publishing all our emails, files and source code,” said posts on the company's Twitter account. The posts have since been deleted.
The company has clients around the world, but its lawful interception tools have also been linked with multiple cases of privacy invasion.
Numerous reports from Citizen Lab, a digital rights research group loosely affiliated with the University of Toronto, link Hacking Team software to the repression of minority and dissident groups, as well as journalists, in countries across the Middle East and Africa. A 2012 report found that Hacking Team software had been used against a group of journalists in Morocco, and in 2014 the Ethiopian government reportedly used the software to monitor Ethiopian journalists in the US and Europe.
The group Reporters Without Borders has listed the company on its “Enemies of the Internet” index.
One US privacy rights activist described the publication of the documents to Reuters as the “best transparency report ever.”
Among the documents released in the hack was a spreadsheet purporting to show the company’s active and inactive clients at the end of 2014. The list included the FBI and US Drug Enforcement Administration, as well as police and state security organizations in countries that include Egypt, Kazakhstan, Nigeria, and Sudan – all countries with records of human rights abuses.
Hacking Team has repeatedly denied that it has ever done business with Sudan, and Sudan’s National Intelligence Security Service was one of two customers described as “not officially supported” in the spreadsheet. However, among the leaked documents is an invoice for 480,000 Euros to the same security service.
Other documents include an invoice for 58,000 Euros to Egypt for the company’s RCS Exploit Portal, according to CSO, and an invoice showing Ethiopia paid $1 million Birr (ETB) for the RCS, professional services, and communications equipment. The total value of the invoices is over 4.3 million Euros, according to CSO.
Company founder Christian Pozzi responded to the hack on Twitter early Monday morning. In a string of messages, Mr. Pozzi wrote that the company is working with police to find the perpetrators.
“Most of what the attackers are claiming is simply not true,” he wrote. “The attackers are spreading lies about our company.”
This report includes material from Reuters.