Hacking Team asks customers to stop operations and not use its malware

Following the sensational Hacking Team hack, the company has asked all its customers to shut down all operations and stop using its solutions for now.

Hacking Team has been hacked and its social media account hijacked. The news is shocking the IT security industry because privacy advocates have long accused the company of selling surveillance products and hacking tools to repressive regimes. The unknown attackers exfiltrated some 400GB of data, which has been uploaded to BitTorrent; the stolen information includes a huge number of directories containing source code, emails, a list of clients (including the FBI), and also audio recordings.

Hacking Team regained control of its Twitter account late on Monday morning, while its website is still offline at the time of writing.

Christian Pozzi, a representative of Hacking Team, claims that the leaked sensitive internal material contains a virus, and urges people not to download the disconcerting material, which seems to prove the Italian firm’s business relationships with repressive governments and regimes worldwide.


Pozzi has of course denied that Hacking Team has ever sold surveillance malware to “bad states”, describing its products instead as “custom software solutions”.

“No, the torrent contains all of your viruses, which you sell, and which will get patched,” said John Adams, former security worker at Twitter.

A similar incident occurred last year, when the hacker “PhineasFisher” breached the controversial surveillance tech company Gamma International. The attacker claimed to have successfully infiltrated Gamma International’s network and leaked 40GB of internal data, including details on the distribution of the FinFisher surveillance system.

The same hacker has now claimed responsibility for the Hacking Team hack, according to MotherBoard. “On Sunday night, I reached out to the hacker while he was in control of Hacking Team’s Twitter account via a direct message to @hackingteam. Initially, PhineasFisher responded with sarcasm, saying he was willing to chat because ‘we got such good publicity from your last story!’ referring to a recent story I wrote about the company’s CEO claiming to be able to crack the dark web,” wrote Lorenzo Franceschi Bicchierai. “He then went on to reference the story publicly on Twitter, posting a screenshot of an internal email which included the link to my story. Afterwards, however, he also claimed that he was PhineasFisher. To prove it, he told me he would use the parody account he used last year to promote the FinFisher hack to claim responsibility.”

“‘I am the same person behind that hack,’ he told me before coming out publicly.”

As reported by MotherBoard, the 400GB leak of internal files contains “everything,” according to a person close to the company who spoke on condition of anonymity. In the meantime, Hacking Team is trying to limit the damage and investigate how the attackers breached the company. Hacking Team has asked all its customers to shut down all operations and stop using its solution for now.

“They’re in full-on emergency mode,” said a source with inside knowledge of Hacking Team’s operations, as reported by MotherBoard. “Hacking Team notified all its customers on Monday morning with a ‘blast email,’ requesting them to shut down all deployments of its Remote Control System software, also known as Galileo, according to multiple sources. The company also doesn’t have access to its email system as of Monday afternoon, a source said,” reported MotherBoard.

One of the leaked files describes a “crisis procedure,” a process that includes a remote kill switch for malware operations. The company is able to suspend its backdoors or shut them down remotely.

Another embarrassing detail of the hack is that every copy of Hacking Team’s Galileo software is watermarked, which means that whoever holds the stolen data can link every instance of the software to a specific customer account.

“With access to this data it is possible to link a certain backdoor to a specific customer. Also there appears to be a backdoor in the way the anonymization proxies are managed that allows Hacking Team to shut them off independently from the customer and to retrieve the final IP address that they need to contact,” the source told Motherboard.

Stay Tuned.

Pierluigi Paganini

(Security Affairs – Hacking team, surveillance)


Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and of the Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years of experience in the field and is a Certified Ethical Hacker at EC Council in London. His passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US. Pierluigi is a member of "The Hacker News" team and writes for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines. He is the author of the books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.
