Hacking is in the news. The U.S. recently disclosed that it was the victim of what may be the biggest, most consequential hack ever. We hacked some politicians. And a group called “Hacking Team” was hacked itself.
Last week, hacktivists posted online 400 GB worth of internal emails, documents and other data stolen from Hacking Team, an Italian security firm that has earned the ire of privacy and civil liberties groups for selling spy software to governments worldwide.
The disclosure of a zero-day vulnerability in Adobe Flash Player that the team had used has already led to a clear increase in Flash exploits.
But this story has a larger significance, involving serious questions about who governs who can buy spyware from surveillance software companies, and more.
Our Chief Research Officer Mikko Hyppönen has been following this story and tweeting insights and context. Reporters from around the world have asked him to elaborate on his thoughts. Here’s a look at what he’s been telling them:
1) What is your opinion about the Hacking Team story?
This is a big story.
Companies like Hacking Team have been coming to the market over the last 10 years as more and more governments wanted to gain offensive online attack capability but did not have the technical know-how to do it by themselves. There’s lots of money in this business. Hacking Team customers included intelligence agencies, militaries and law enforcement.
Was what Hacking Team was doing legal? Beats me. I’m not a lawyer.
Was what Hacking Team was doing ethical? No, definitely not. For example, they were selling hacking tools to Sudan, whose president is wanted for war crimes and crimes against humanity by the International Criminal Court. Other questionable customers of Hacking Team include the governments of Ethiopia, Egypt, Morocco, Kazakhstan, Azerbaijan, Nigeria and Saudi Arabia. None of these countries are known for their great state of human rights.
List of Hacking Team customers:
Australia – Australian Federal Police
Azerbaijan – Ministry of National Defence
Bahrain – Bahrain
Chile – Policia de Investigation
Colombia – Policia Nacional Intelligencia
Cyprus – Cyprus Intelligence Service
Czech Republic – UZC Czech Police
Ecuador – Seg. National de intelligencia
Egypt – Min. Of Defence
Ethiopia – Information Network Security Agency
Honduras – Hera Project – NICE
Hungary – Special Service National Security
Kazakhstan – National Security Office
Luxembourg – Luxembourg Tax Authority
Malaysia – Malaysia Intelligence
Mexico – Police
Mongolia – Ind. Authority Anti Corruption
Morocco – Intelligence Agency
Nigeria – Bayelsa Government
Oman – Excellence Tech group Oman
Panama – President Security Office
Poland – Central Anticorruption Bureau
Russia – Intelligence Kvant Research
Saudi Arabia – General Intelligence Presidency
Singapore – Infocomm Development Agency
South Korea – The Army South Korea
Spain – Centro Nacional de Intelligencia
Sudan – National Intelligence Security Service
Thailand – Thai Police – Dep. Of Correction
Tunisia – Tunisia
Turkey – Turkish Police
USA – FBI
Uzbekistan – National Security Service
2) What happens when a company of this kind is a victim of a hacking attack and all of its technology assets are published online?
This was not the first time something like this happened. Last year, Gamma International was hacked. In fact, we believe they were hacked by the same party that hacked Hacking Team.
When a company that provides offensive hacking services gets hacked themselves, they are going to have a hard time with their customers.
In the case of Hacking Team, their customer list was published. That list included several secretive organizations who would rather not have the world know that they were customers of Hacking Team. For example, executives of Hacking Team probably had to call up the Russian secret intelligence and tell them that there’s been a breach and that their customership was now public knowledge.
The Hacking Team leak also made at least two zero-day exploits public and forced Adobe to put out emergency patches for Flash. This is not a bad thing by itself: it’s good that unknown vulnerabilities that are being exploited become public knowledge. But Adobe probably wasn’t happy. Neither was the New York Times, as they learned that Hacking Team was using a trojanized iOS app that claimed to be from the New York Times to hack iPhones.
3) Is it possible to be protected from malware provided by companies like Hacking Team?
We’ve added detection for dozens of Hacking Team trojans over the years.
Hacking Team had a service where they would update their product to try to avoid signature-based antivirus detections of their programs.
However, they would have a much harder time avoiding generic exploit detections. This is demonstrated by their own internal Wiki (which is now public). Let me attach a screenshot from their Wiki showing how we were able to block their exploits with generic behavioural detection:
[Image by William Grootonk | Flickr]