(Image: Hacking Team)

The hunters become the hunted. Yesterday, hackers released what they claimed was 400 GB of internal documents stolen from Hacking Team – an Italian company that sells surveillance tools to governments and intelligence agencies.

The release of the documents has exposed the reality of the lucrative cyberweapons market.

Ever since, security experts have been poring over the files and publishing their findings. For one thing, the documents suggest Hacking Team marketed its products to a wide range of governments – including a host of repressive regimes.


Christopher Soghoian, principal technologist at the American Civil Liberties Union (ACLU), says he has downloaded a cache of company invoices in an effort to better understand which governments Hacking Team sold its products to.

“The invoices are fascinating,” he says. “Hacking Team has been selling their software to governments like Azerbaijan and Kazakhstan, Sudan, Vietnam, Ethiopia – a number of governments with documented histories of abusing human rights.”

Soghoian admits that it’s possible the leaked documents have been tampered with in some way, but says his gut feeling is that they are largely authentic. “Researchers have been studying Hacking Team for three or four years and the invoices match up with the countries we believe have been purchasing this stuff in the first place,” he says.

Cheap surveillance

One striking revelation is that the cost of some of Hacking Team’s services is relatively low, according to Soghoian. Government agencies appear to be able to subscribe for as little as $50,000 a year.

The purchased information could allow such agencies to install surveillance programmes remotely onto target computers. “This software is now basically affordable enough that any government can buy it,” says Soghoian.

Hacking Team is far from the only firm working in this field. There’s Gamma International, the company behind FinFisher, which can be remotely installed on a phone, tablet or computer in order to monitor a target’s activity and communications. The firm also had documents leaked by hackers in August last year.

FinFisher, like Hacking Team’s “Remote Control System”, has met with controversy thanks to its apparent use by repressive governments – to spy on journalists, for example.

The ‘exploit’ market

The booming market for surveillance tools is no surprise, says Sean Sullivan, a security expert at F-Secure. He says that intelligence agencies have helped to fuel the market for “exploits” – methods of hacking computer systems.

“One of the unintended consequences of folks like the NSA and GCHQ using the internet as a source for intelligence is that they hired people to find high-end exploits in software,” he says. “You can’t have that without then also fuelling this ecosystem.”

In a statement, company spokesman Eric Rabe said: “Hacking Team has been the victim of an online attack, and we believe documents have been stolen from the company. We are investigating to determine the extent of this attack and specifically what has been taken. Obviously, we will work with appropriate law enforcement to determine who is responsible.”

He added: “We cannot comment on the validity of documents purportedly from our company. However, some of the information that is in the press today – and is reportedly based on these documents – is inaccurate. We are continuing our investigation.”

Spying regulation

Edin Omanovic, a research officer at Privacy International, said the documents show that the trade in surveillance technology needs to be more tightly regulated.

“After the Arab Spring it was quite evident that a lot of European companies were involved in setting up the surveillance systems of most of the dictatorships in the region,” he says. “[The EU is now] trying to ascertain the practicality of imposing export restrictions on technology like the sort of tools that Hacking Team makes.”

Draft legislation to this effect could be ready by early next year, according to Omanovic. “It underlines the essential need for regulatory action to be taken on these sort of companies. It’s not a problem that’s going to go away – it’s only going to get bigger.”