HackingTeam, new revelations on the surveillance network

Kaspersky Lab and Citizen Lab have released the results of their analysis on the global C2 infrastructure used by the Italian firm HackingTeam.

Security experts from Kaspersky Lab and Citizen Lab at the Munk School of Global Affairs at the University of Toronto have released the results of their analysis of the global command and control infrastructure used by the Italian firm HackingTeam to manage its spyware installations around the world.

Security experts have repeatedly accused HackingTeam of providing its spyware to authoritarian regimes and law enforcement agencies for surveillance purposes.

According to the researchers, who presented their findings at an event in London, the command infrastructure supporting HackingTeam's Remote Control System (RCS) consists of 326 servers distributed across more than 40 countries. The largest numbers of C&C servers were hosted in the United States, Kazakhstan, Ecuador and the UK.

Count of C2s   Country name
          64   UNITED STATES
          49   KAZAKHSTAN
          35   ECUADOR
          32   UNITED KINGDOM
          24   CANADA
          15   CHINA
          12   COLOMBIA
           7   POLAND
           7   NEW ZEALAND
           6   PERU
           6   INDONESIA
           6   BRAZIL
           6   BOLIVIA
           6   ARGENTINA
           5   RUSSIAN FEDERATION
           5   INDIA
           4   HONG KONG
           4   AUSTRALIA
           3   SPAIN
           2   SAUDI ARABIA
           2   MALAYSIA
           2   ITALY
           2   GERMANY
           2   FRANCE
           2   EGYPT
           1   UKRAINE
           1   THAILAND
           1   SWEDEN
           1   SINGAPORE
           1   ROMANIA
           1   PARAGUAY
           1   MOROCCO
           1   LITHUANIA
           1   KENYA
           1   JAPAN
           1   IRELAND
           1   HUNGARY
           1   DENMARK
           1   CZECH REPUBLIC
           1   CYPRUS
           1   Other
           1   BELGIUM
           1   AZERBAIJAN

“The presence of these servers in a given country doesn’t mean to say they are used by that particular country’s law enforcement agencies. However, it makes sense for the users of RCS to deploy C&Cs in locations they control – where there are minimal risks of cross-border legal issues or server seizures,” said Sergey Golovanov, Principal Security Researcher at Kaspersky Lab.

Among the products analyzed by the experts is Galileo RCS, a solution capable of monitoring communications and data transfers even when they travel over a secure channel. For the first time, the experts detailed the control network for the spyware deployed on victims' mobile devices; the malicious code is custom-built for each target and loaded onto the device.

“It was a well-known fact for quite some time that the HackingTeam products included malware for mobile phones. However, these were rarely seen. In particular, the Android and iOS Trojans have never been identified before and represented one of the remaining blank spots in the story,” Kaspersky Lab experts reported on the Securelist blog.

The RCS mobile components for each platform, including Apple iOS, Android, Windows Mobile and BlackBerry, allow HackingTeam's customers to monitor victims, spy on conversations through the main VoIP and instant messaging applications (e.g. WhatsApp, Skype), steal data from the devices and turn them into listening bugs by enabling the microphone.

“The RCS mobile modules are meticulously designed to operate in a discreet manner, for instance by paying close attention to the mobile device’s battery life. This is implemented through carefully customized spying capabilities, or special triggers: for example, an audio recording may start only when a victim is connected to a particular Wi-Fi network (for example, the network of a media house), or when he/she changes the SIM card, or while the device is charging,” Kaspersky Lab said.

The Android spyware was protected by DexGuard, a commercial obfuscator that made analysis of the malicious code difficult.

HackingTeam's malware developers also used zero-day exploits, delivered through classic spear-phishing schemes and through local infection over a USB cable while a mobile device was being synchronized with a computer.

The findings are important because they demonstrate both the sophistication of the spyware designed by HackingTeam and the scale of the surveillance conducted with its tools.

These tools in the wrong hands are a dangerous weapon.

Pierluigi Paganini

(Security Affairs –  HackingTeam,  Galileo RCS)
