Unveiled network of surveillance based on RCS of Hacking Team

Pierluigi Paganini February 26, 2014

Citizen Lab published detailed information on the surveillance network based on RCS spyware designed by the Italian firm Hacking Team.

The nonprofit research team Citizen Lab has discovered the presence of a spyware developed by the Italian Hacking Team in 21 countries. The news doesn’t surprise security community, despite Hacking Team firm always denies any involvement in cyber espionage and surveillance campaigns conducted by authoritarist governments.

Senior Counsel of Hacking Team, Eric Rabe stated that the company does not provide its products to ‘repressive regimes.’

On the issue of repressive regimes, Hacking Team goes to great lengths to assure that our software is not sold to governments that are blacklisted by the EU, the US, NATO, and similar international organizations or any “repressive regime.

The list of countries includes Azerbaijan, Colombia, Egypt, Ethiopia, Hungary, Italy, Kazakhstan, Korea, Malaysia, Mexico, Morocco, Nigeria, Oman, Panama, Poland, Saudi Arabia, Sudan, Thailand, Turkey, UAE, and Uzbekistan. In many places, human life has no value and where regimes persecute any opponents.
According to the analysis conducted by Citizen Lab in some cases the Governments are spying for political advantage instead to use RCS for legitimate law enforcement operations.

“First, with respect to human rights, we have encountered a number of cases where bait content and other material are suggestive of targeting for political advantage, rather than legitimate law enforcement operations. Moreover, in an earlier post in this series, we identified the targeting of a US-based news organization. In other cases, however, the material did appear to be indicative of possible criminal investigations. Similarly, we have also found Hacking Team endpoints in regimes with both high and very low rankings in governance, rule of law, and freedom of expression.” states the post.

Hacking Team designed a powerful surveillance malware known as Remote Code System (RCS) that is officially sold to Governments and law enforcement agencies.

Nonprofit organizations sustain that there is a sensible increase in the use of surveillance tools operated by governments, another problem that must be seriously considered is that in many cases, these tools could be used for illicit purposes by private companies that intend to spy on employees and competitors.

Hacking Team RCS alleged clients

In the cases of government “abuse” for such tools, the side effect of the spread of similar spyware is known as Surveillance and repression.
Remote Control System (RCS) is a powerful malware that is able to infect also mobile devices for covert surveillance, it is able to intercept encrypted communication, including emails and VOIP voice calls (e.g. Skype). The mobile version, available for all the OSs (AppleAndroid, Symbian, and Blackberry), is also able to completely control the handset and its components, including the camera, the microphone and GPS module.
Hacking Team company sustains that its RCS malware is “untraceable”, it is the ideal choice for government and intelligence entities. They say that it can scale up to monitor “hundreds of thousands of targets” and is capable of being deployed to AppleAndroid, Symbian, and Blackberry mobile devices.

Hacking Team has made a number of statements that seem intended to reassure the public, as well as potential regulators, that they conduct effective due diligence and self-regulation regarding their clients, and the human rights impact of their products,” the Citizen Lab researchers report on Monday. “They also market their RCS product as untraceable. Our research suggests that both of these claims ring hollow.

The researchers Bill Marczak, Claudio Guarnieri, Morgan Marquis-Boire, and John Scott-Railton published a very interesting post to provide evidence for the presence of RCS spyware in the above countries, Citizen Lab mapped the network of proxy servers used by the software produced by the Hacking Team. Believe me, it is an impressive effort spent by the researchers, that motivated by their passion produced so interesting results.

Our research reveals that the RCS collection infrastructure uses a proxy-chaining technique, roughly analogous to that used by general-purpose anonymity solutions like Tor, in that multiple hops are used to anonymize the destination of information,” reads the report. “Despite this technique, we are still able to map out many of these chains and their endpoints using a specialized analysis.” Citizen Lab researchers explained.

RCS spyware was used also to target journalists, researchers at Citizen Lab revealed in fact, that the Ethiopian Government used it to spy on Ethiopian journalists in the United States and Europe. 
The activist at the Electronic Frontier Foundation (EFF) and an expert in surveillance technology, Eva Galperin commented the Ethiopian case with the following statement:

If the Ethiopian government is not a Hacking Team customer, then I would sure like to know how their tools wound up being used to spy on Ethiopian journalists.

The Hacking Team refuses any accusation and remarks its legal conduct that is also monitored by a panel of technical experts

We have established an outside panel of technical experts and legal advisors, unique in our industry, that reviews potential sales. This panel reports directly to the board of directors regarding proposed sales.

The researchers at Citizen Lab remarked that they have found “Hacking Team endpoints in regimes with both high and very low rankings in governance, rule of law, and freedom of expression“.

“It is equally reasonable, however, to conclude that some uses are abusive, partisan, or unaccountable. Our findings of the global proliferation of Hacking Team belies their claims of high-quality due diligence. While they claim to rely on an outside panel for guidance on potential sales, little information is available about its members, processes, or the grounds under which a sale might be rejected.”

In the following table, the list of endpoints traced.

Endpoint IP Country First Seen Last Seen Azerbaijan 6/2/2013 11/26/2013 Colombia 10/21/2013 1/7/2014 Egypt 3/10/2013 10/29/2013
216.118.232.xxx Ethiopia 11/18/2013 2/3/2014
81.183.229.xxx Hungary 6/16/2012 Active Italy 10/26/2012 Active Italy 9/17/2012 12/2/2013
88.33.54.xxx Italy 6/4/2012 Active
95.228.202.xxx Italy 9/18/2012 Active
95.228.202.xxx Italy 9/17/2012 Active
95.228.202.xxx Italy 9/18/2012 Active
95.228.202.xxx Italy 9/18/2012 Active
95.228.202.xxx Italy 9/17/2012 Active
95.228.202.xxx Italy 9/15/2012 Active
89.218.88.xxx Kazakhstan 8/21/2013 Active Korea 8/26/2012 1/7/2014
203.217.178.xxx Malaysia 5/28/2012 Active
189.177.47.xxx Mexico 1/30/2014 Active Mexico 11/13/2013 12/10/2013 Mexico 11/1/2013 11/1/2013 Mexico 10/13/2013 1/7/2014 Mexico 5/25/2012 Active
41.248.248.xxx Morocco 6/3/2012 Active
41.248.248.xxx Morocco 7/25/2012 Active
41.248.248.xxx Morocco 6/12/2012 Active
41.248.248.xxx Morocco 5/27/2012 Active
81.192.5.xxx Morocco 7/25/2012 Active
62.251.188.xxx Morocco 5/31/2012 Active Nigeria 9/15/2013 10/21/2013
Poland 8/10/2012 Active Saudi Arabia 1/7/2014 1/7/2014 Saudi Arabia 6/5/2012 7/2/2013 Sudan 12/14/2012 1/12/2014
203.149.47.xxx Thailand 10/4/2013 Active Turkey 11/13/2013 11/19/2013 Uzbekistan 8/7/2013 9/2/2013 Uzbekistan 1/22/2013 1/26/2013 Uzbekistan 7/21/2013 9/16/2013

We cannot ignore that the market of spyware is very flourishing, and there are many companies that produce malware similar to RCS of the Hacking Team. I want to close this post with the same phrase used by researchers, which summarizes all my concerns

“In conclusion, the combination of global proliferation, as well as dubious promises about “stealth” feature points to the dangers-to-many stakeholders of an unregulated marketplace defined by lack of transparency and accountability.”


[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs –  Hacking Team, Surveillance)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment