Download press release [PDF]

Toronto, Canada (February 17, 2014) – Hacking Team, also known as HT S.r.l., is a Milan-based purveyor of “offensive technology” to governments around the world. One of their products, Remote Control System (RCS), is a trojan that is sold exclusively to intelligence and law enforcement agencies worldwide.

This report, entitled “Mapping Hacking Team’s “Untraceable” Spyware,” is the second in a series of reports that focus on the global proliferation and use of RCS spyware. Read the first report, “Hacking Team and the Targeting of Ethiopian Journalists” and its coverage in the Washington Post.

This report maps out covert networks of “proxy servers” used to launder data that RCS exfiltrates from infected computers, through third countries, to an “endpoint,” which we believe represents the spyware’s government operator; this process is designed to obscure the identity of the government conducting the spying. For example, data destined for an endpoint in Mexico appears to be routed through four different proxies, each in a different country. This so-called “collection infrastructure” appears to be provided by one or more commercial vendors — perhaps including Hacking Team itself.

Hacking Team advertises that their RCS spyware is “untraceable” to a specific government operator. However, we claim to identify a number of current or former government users of the spyware by pinpointing endpoints, and studying instances of RCS that we have observed.

We suspect that agencies of these 21 governments are current or former users of RCS: Azerbaijan, Colombia, Egypt, Ethiopia, Hungary, Italy, Kazakhstan, Korea, Malaysia, Mexico, Morocco, Nigeria, Oman, Panama, Poland, Saudi Arabia, Sudan, Thailand, Turkey, UAE, and Uzbekistan. Nine of these countries receive the lowest ranking, “authoritarian,” in The Economist’s 2012 Democracy Index. Additionally, two current users (Egypt and Turkey) have brutally repressed recent protest movements.

We also study how governments infect a target with the RCS spyware. We find that this is often through the use of “exploits” — code that takes advantage of bugs in popular software. Exploits help to minimize user interaction and awareness when implanting RCS on a target device. We show evidence that a single commercial vendor may have supplied Hacking Team customers with exploits for at least the past two years, and consider this vendor’s relationship with French exploit provider VUPEN.