A global industry has turned email hacking into a weapon for sale, writes Mattathias Schwartz.
Violeta Lagunes was perplexed by a series of strange messages that appeared in her Gmail inbox.
It was election day in May 2014 to choose the leadership of Mexico’s right-wing Partido Acción Nacional, or PAN, and Lagunes, a former federal congresswoman, was holding a strategy meeting in her office in Puebla City.
The emails seemed harmless, at least at first. One appeared to come from the account of a trusted colleague. It asked her to download and review a document.
Lagunes clicked on the link, but it seemed to be broken, so she wrote back to her colleague and asked him to send it again. Elsewhere in her inbox was an email from Google warning her that someone had tried to log in to her account.
Meanwhile, she began to receive phone calls from PAN allies, who claimed that they had received emails from Lagunes’s account that she did not remember sending.
Now Lagunes was worried. Around 1 o’clock, she called the colleague who appeared to have emailed her. She reached him at a restaurant, where he was finishing lunch with other campaign allies.
“I did not send you an email,” he insisted.
A consultant with the campaign — who asked to remain anonymous in order to preserve his relationships with other candidates — overheard the conversation. He knew of other campaign workers who had been receiving similar messages: emails with vague subject lines, asking the recipient to review a document or click a link. The campaign, he realized, had been hacked.
In the vote for party leader, Lagunes and her allies in Puebla — a two-hour drive southeast from Mexico City — were supporting the challenger, Senator Ernesto Cordero, who promised to return the party to its conservative roots.
But the incumbent, Gustavo Madero, was backed by Puebla’s powerful governor, Rafael Moreno Valle. Since winning the governorship in 2010, Moreno Valle’s opponents say, his ambitions have grown, and he has resorted to increasingly harsh measures to keep Puebla state — including members of his own party — under control.
After Lagunes’s call on election day, her colleagues rushed from the restaurant back to their local headquarters. All morning, they had been trying to reach their field network, a group of 40 Cordero canvassers who were working to get out the vote in Puebla state.
But the field network seemed to have gone dark. Few of the canvassers were even answering their phones. Hackers, the team concluded, must have found the list of the canvassers’ names and phone numbers — widely circulated by email within the campaign — and begun to intimidate them.
“The day before,” the consultant told me, the field network was “motivated and eager to do this work. After the hack, it was very hard to reach them. The few who did answer said that they had received phone calls saying that their lives were at stake. They were worried that if they went out, they or their families would get hurt”.
Madero won the election, with 57% of the 162,792 votes cast overall. In Puebla, his margin was substantially larger, roughly 74%. Cordero’s team decided not to contest the result. They had suspicions about how they were hacked. But it would be another year before any evidence emerged.
Their political enemies, leaked documents seemed to show, had built a spying operation using software made by an Italian firm called Hacking Team — just one of many private companies that, largely below public notice, have sprung up to aid governments in surveillance of the private lives of individual citizens. The industry claims that its products comply with local laws and are used to fight crime and terror.
But in many countries, these tools have proved to be equally adept at political espionage.
Hacking Team has fewer than 50 employees, but it has customers all over the world. According to internal documents, its espionage tool, which is called the Remote Control System, or RCS, can be licensed for as little as $200,000 (€187,000) a year — well within the budget of a provincial strongman.
After it has been surreptitiously installed on a target’s computer or phone, the Remote Control System can invisibly eavesdrop on everything: text messages, emails, phone and Skype calls, location data and so on. Whereas the US National Security Agency’s best-known programmes grab data in transit from switching rooms and undersea cables, the RCS acquires it at the source, right off a target’s device, before it can be encrypted. It carries out an invisible, digitised equivalent of a Watergate-style break-in.
The US government is almost certainly the world’s most formidable repository of hacking talent, but its most powerful cyberweapons are generally reserved for intelligence agencies and the military.
This might explain why, according to company documents, at least two federal law-enforcement agencies have been Hacking Team clients: the FBI, beginning in 2011, and the US Drug Enforcement Administration, beginning in 2012. The FBI contract paid Hacking Team more than $700,000; the DEA appears to have used the software to go after targets in Colombia.
Documents show the company has also sold its software to some of the world’s most repressive governments. Some, like those of Honduras, Ethiopia, Bahrain, Morocco, Egypt, and Saudi Arabia, are Western allies. Others, like Uzbekistan and Turkey, have a more troubled relationship.
A few are openly hostile to the West. Between 2012 and 2014, Hacking Team was paid nearly €1m by the government of Sudan, a United States-designated state sponsor of terrorism. Even more notable, in light of recent events, is the three-year relationship that Hacking Team carried on with the FSB, one of Russia’s main intelligence agencies.
Hacking Team claims it draws the line at customers who commit “gross human-rights abuses” and that it sells exclusively to governments operating within the laws of their own countries. In at least one case, David Vincenzetti, Hacking Team’s founder and chief executive, told a salesman to hold off on a potential Mexican client. “We sell to official, governmental LEAs” — law-enforcement agencies — “and security agencies ONLY,” Vincenzetti wrote in an email.
When asked about its arrangements in various countries, the company responded that it “does not comment on confidential business dealings.”
Its American spokesman, Eric Rabe, did tell me that neither Russia nor Sudan is a current Hacking Team customer. The relationships, Rabe wrote, ended in 2014, Russia because “the Putin government evolved from one considered friendly to the West to a more hostile regime” and Sudan “because of concerns about the country’s ability to use the system in accordance with the HT contract.”
Separately, the company confirmed that the state of Puebla was, in fact, a former client.
Until recently, most of what was known about the world of private surveillance companies was a matter of hearsay and speculation. Industry players kept a low profile, operating discreetly from rented offices and meeting potential customers in person a few times a year at carefully screened trade shows.
This is why it was so notable when, in July 2015, an unusual tweet appeared in Hacking Team’s Twitter feed. “Since we have nothing to hide,” it read, “we’re publishing all our emails, files and source code”.
Then came another tweet, with links to a downloadable file called Hacked Team. The file was huge, 420 gigabytes of material scraped from Hacking Team’s internal servers. Inside were 33 folders containing the company’s contracts, payroll documents, invoices, legal memos, customer-support records, and a five-year cache of email correspondence from the chief executive down.
Hacking Team had itself been hacked.
WikiLeaks pounced on the breach and quickly uploaded the emails into a searchable database. Anyone with an internet connection could now read the chief executive joking about how his company was in the business of selling “the evilest technology on earth”.
With the source code for the Remote Control System now public, the company and its clients had to stop using it temporarily. By the end of the year, though, Hacking Team had updated its product and was trying to rebuild its reputation.
I was curious whether a company that profited from online breaches could recover from its own.
I went to Milan to visit Hacking Team’s headquarters, a stately grey apartment building with boxes of limp flowers adorning a few of its sooty sills. Vincenzetti, now 48, is a familiar type — a ferociously competitive, driven entrepreneur whose existence is organised around his work.
As we talked in a conference room, he periodically leapt to his feet and stalked around the table, considering in turn the espresso machine, the view from the window, a case of bottled water.
“If I wanted to break into this room, how would I do it?” he asked. “There is a door, and there are two windows.” He pressed his hands against the glass panes. “The perimeter is the first thing you must secure,” he continued.
Securing data was what he did earlier in his career. Now he had moved on.
“If you cannot break into a bank, you cannot protect a bank. So when you are in security, really there is no difference between thinking offensively and defensively.”
In the mid-1980s, Vincenzetti’s parents, a salesman and a schoolteacher, bought him a Commodore 64, one of the earliest personal computers. He soon created a Pac-Man clone, a Tron lightcycle-style game and a text-based adventure game. As a computer-science student at the University of Milan in the 90s, he became fascinated by cryptography; he corresponded with programmers around the world about new cryptographic theories, and wrote code for email encryption.
Vincenzetti left university early and founded three companies, all of them focused on defensive cybersecurity. After he founded Hacking Team in 2003, he tried to sell his services to Italian police agencies but found them sceptical that Mafiosi and other high-level criminals would ever bother to encrypt their communications.
But after the 2004 Madrid train bombings, which were coordinated via cellphones and the internet, police officers and intelligence agents not just in Italy but all across Europe became interested in contracting with offensive-hacking vendors, part of an emerging arms race over consumer-grade encryption.
The growth of Skype made it easy for users to encrypt their communications, and the authorities were eager to pay for countermeasures like the Remote Control System. Singapore, Hacking Team’s first non-European client, signed on in 2008. The company’s Middle Eastern business took off in 2011, a boom that coincided with the beginning of the Arab Spring.
All Hacking Team customers sign contracts agreeing to comply with local laws. The company says that it vets potential customers and studies reports from journalists and human-rights groups, looking for “objective evidence or credible concerns” that its products are being abused. But when it comes to Hacking Team’s own interactions with customers, leaked documents suggest that employees have sometimes turned a blind eye.
Hacking Team’s most persistent critic is Citizen Lab, a research group at the University of Toronto’s Munk School of Global Affairs.
Before the Hacked Team leak, Citizen Lab documented cases in which Hacking Team software turned up on the devices of activists in Morocco and the United Arab Emirates, and of an Ethiopian-American journalist in Virginia.
Ronald Deibert, Citizen Lab’s director, told me that Hacking Team “is a company that appears to have no internal controls on abuse of its products”. When I asked Vincenzetti about this, he said that Citizen Lab was motivated by money, noting that the group won a million-dollar grant shortly after publishing a report on Hacking Team’s sales to Ethiopia.
Mexico is Hacking Team’s biggest export market, accounting for nearly €6m in sales, according to leaked documents. Ostensibly, the Remote Control System is intended for fighting criminals and drug traffickers there. (“There have been reports that the software was used in the apprehension of Chapo Guzman,” Rabe told me, referring to the Mexican drug lord. “I can’t confirm it.”)
The files indicate that at least seven other Mexican state governments were Hacking Team clients, but because they did not use email to the same extent as Puebla, their activities are harder to track. Multiple former Hacking Team employees told me that abuses of the software were not limited to Puebla.
The Hacked Team documents that offer the most revealing view of the company’s ethos happen to be the most public ones. For years, as often as two or three times a day, Vincenzetti sent mass emails to hundreds of his business contacts. The recipients included numerous members of the US military and intelligence community, as well as government employees from the city of Cincinnati and the Internal Revenue Service. In these messages, Vincenzetti often addresses this audience collectively as “gents.” The news he cites is a reminder of how the geopolitical winds have been blowing in favour of Hacking Team and other self-described allies of law and order.
In Vincenzetti’s world, the system is always, as George Tenet famously said about pre-September 11 intelligence, “blinking red”: the imploding Middle East; a restive, nuclear-armed Russia; battalions of IS-trained jihadis roaming around Europe with their encrypted thumb drives and dark-web expertise. Against this backdrop of ever-increasing danger, concerns about human rights are naïve at best.
Vincenzetti’s emails vividly exploit this sense of danger and alarm. He writes about shadowy gangs of Iranian hackers using the #JeSuisCharlie hashtag to inject malware into French laptops.
He celebrates the conviction of Ross Ulbricht, aka the Dread Pirate Roberts, creator of the Silk Road website. After the arrests of two Uzbek men in Brooklyn for telling informants that they wanted to join up with IS, Vincenzetti writes of “a very serious terrorist plot on American soil foiled”. He went on to tap out this sales pitch: “The time has come for a technologically MORE SOPHISTICATED, and much more effective, internet supervision... something capable to penetrate the core of the terrorists’ HIDDEN forums. And such a (quite unique) technology EXISTS.”
The following day, he gave a few more hints: “I am talking about a NEW technology capable of neutralising their encryption-based protective layers in order to track them, identify them, locate them, chase them and finally bust them. Something operating on a massive scale. Something different. I am talking about a novel, superior, next-generation mass-surveillance technology.”
The tone of Vincenzetti’s sales patter was strangely upbeat, especially considering his dire forecasts. It was almost as if he were in the business of selling microwave ovens or sandwiches, not tools through which the private lives of criminals (and whoever else) could be fully laid bare.
Vincenzetti’s unstated equation — privacy is secrecy, and secrecy is terrorism — is less controversial than it might appear. A supportive echo can be heard in many public statements from American officials, which Vincenzetti often cut and pasted into his mass emails.
Former attorney general Eric Holder called for “investigative and prosecutorial tools that allow us to be pre-emptive.” When FBI director James Comey warned that “encryption threatens to lead all of us to a very dark place,” Vincenzetti forwarded it along approvingly, with the tagline: “We DO have an answer to many if not all of his concerns.” And when, in May 2015, Comey warned of a “threat” that had “morphed” into “a chaotic spider web,” Vincenzetti sent word to his “gents” as well.
One month later, an anonymous hack revealed Hacking Team’s own invisible spider web, and one year later, during the run-up to election day, came the internal emails of the Democratic Party. By then it was clear that tools for digital burglary had spread well beyond the hands of regular police officers.
Comey had argued for weaker safes; Vincenzetti was selling longer crowbars. The tools could be used to arrest Chapo Guzman, fight crime, smear a political opponent or just keep tabs on someone, anyone. To be hidden is to be a terrorist — this was the heart of his pitch. Any digital redoubt that could resist being pried open was a public risk and a private opportunity.
© Irish Examiner Ltd. All rights reserved