This post is the second in a series of posts that focus on the global proliferation and use of Hacking Team’s RCS spyware, which is sold exclusively to governments.

Read the first report in the series, “Hacking Team and the Targeting of Ethiopian Journalists.”

Read the third report in the series, “Hacking Team’s US Nexus.”

Summary

Remote Control System (RCS) is sophisticated computer spyware marketed and sold exclusively to governments by Milan-based Hacking Team.1 Hacking Team was first thrust into the public spotlight in 2012 when RCS was used against award-winning Moroccan media outlet Mamfakinch,2 and United Arab Emirates (UAE) human rights activist Ahmed Mansoor.3 Most recently, Citizen Lab research found that RCS was used to target Ethiopian journalists in the Washington DC area.4

In this post, we map out covert networks of “proxy servers” used to launder data that RCS exfiltrates from infected computers, through third countries, to an “endpoint,” which we believe represents the spyware’s government operator. This process is designed to obscure the identity of the government conducting the spying. For example, data destined for an endpoint in Mexico appears to be routed through four different proxies, each in a different country. This so-called “collection infrastructure” appears to be provided by one or more commercial vendors—perhaps including Hacking Team itself.

Hacking Team advertises that their RCS spyware is “untraceable” to a specific government operator. However, we claim to identify a number of current or former government users of the spyware by pinpointing endpoints, and studying instances of RCS that we have observed. We suspect that agencies of these twenty-one governments are current or former users of RCS: Azerbaijan, Colombia, Egypt, Ethiopia, Hungary, Italy, Kazakhstan, Korea, Malaysia, Mexico, Morocco, Nigeria, Oman, Panama, Poland, Saudi Arabia, Sudan, Thailand, Turkey, UAE, and Uzbekistan. Nine of these countries receive the lowest ranking, “authoritarian,” in The Economist’s 2012 Democracy Index.5 Additionally, two current users (Egypt and Turkey) have brutally repressed recent protest movements.

We also study how governments infect a target with the RCS spyware. We find that this is often through the use of “exploits”—code that takes advantage of bugs in popular software. Exploits help to minimize user interaction and awareness when implanting RCS on a target device. We show evidence that a single commercial vendor may have supplied Hacking Team customers with exploits for at least the past two years, and consider this vendor’s relationship with French exploit provider VUPEN.

Introduction

Background: Hacking Team and Remote Control System (RCS)

Hacking Team, also known as HT S.r.l., is a Milan-based company that describes itself as the “first to propose an offensive solution for cyber investigations.”6 Their flagship Remote Control System (RCS)7 product, billed “the hacking suite for governmental interception,”8 is a suite of remote monitoring implants (i.e., spyware) sold exclusively to government agencies worldwide.

Screen capture from Hacking Team promotional video.

Hacking Team distinguishes RCS from traditional surveillance solutions (e.g., wiretapping) by emphasizing that RCS can capture data that is stored on a target’s computer, even if the target never sends the information over the Internet.9 RCS also enables government surveillance of a target’s encrypted Internet communications, even when the target is connected to a network that the government cannot wiretap. RCS’s capabilities include the ability to copy files from a computer’s hard disk, and to record Skype calls, e-mails, instant messages, and passwords typed into a web browser.10 Furthermore, RCS can turn on a device’s webcam and microphone to spy on the target.11

While Hacking Team claims to potential clients that RCS can be used for mass surveillance of “hundreds of thousands of targets,”12 public statements by Hacking Team emphasize RCS’s potential use as a targeted tool for fighting crime and terrorism.13

Hidden Collection Infrastructure and Target Exploitation

Conclusively linking spyware to a government user is difficult. Clearly, a government must consume the information it gathers from the spyware, but direct communication between an infected computer and a government server would be easily linkable to the government and thus undesirable. Hacking Team advertises that the RCS “collection infrastructure”—the mechanism by which data gathered by the spyware is transmitted to the government—renders the spyware “untraceable” to a specific government.

Our research reveals that the RCS collection infrastructure uses a proxy-chaining technique which is roughly analogous to that used by general-purpose anonymity solutions like Tor in that multiple hops are used to anonymize the destination of information.14 Despite this technique, we are still able to map out many of these chains and their endpoints using a specialized analysis.

Before a government can receive data, it must first infect one or more target devices with the RCS spyware. Frequently, this takes the form of phishing attacks that convince a user to open a cleverly disguised executable file, or to authorize installation of an application. However, the use of exploits, which take advantage of bugs in computer software, can be a more effective technique. Exploits typically require less user interaction before a successful infection (e.g., opening a Microsoft Word document or simply viewing a webpage is enough). Since 2012, we have been tracking exploits that we have seen used to install commercial backdoors. Our research examines connections between these exploits and discusses their origin.

Roadmap

In this post, we begin by outlining our findings, first regarding the governments using Hacking Team’s RCS spyware, and then regarding the exploits used to install RCS. We then present the methodology for our findings, including our technique for mapping proxy chains and identifying endpoints. Finally, we conclude by putting our findings into the context of the global surveillance marketplace.

Suspected Government Users of RCS

After extensive analysis, we believe we have identified a set of governments that are current or former end users of Hacking Team’s RCS spyware. Our analysis is described in the section entitled “Identifying RCS Proxy Chains.”

Introduction

In response to a number of high-profile cases of repressive regimes apparently abusing Hacking Team’s RCS spyware, Hacking Team Senior Counsel Eric Rabe stated that the company does not provide its products to “repressive” regimes:

“On the issue of repressive regimes, Hacking Team goes to great lengths to assure that our software is not sold to governments that are blacklisted by the EU, the US, NATO, and similar international organizations or any “repressive” regime.”15

Hacking Team has also stated that RCS is not sold through “independent agents,”16 and that all sales are reviewed by a board that includes outside engineers and lawyers. This board has veto power over any sale.17 Before authorizing a sale, the company states that it considers “credible government or non-government reports reflecting that a potential customer could use surveillance technologies to facilitate human rights abuses,” as well as “due process requirements” for surveillance.18

21 Suspected Government Users of RCS

We suspect that twenty-one governments are using Hacking Team’s RCS spyware. Except as otherwise noted, we identified these countries based on tracing endpoints of Hacking Team proxy chains: Azerbaijan, Colombia, Egypt, Ethiopia,19 Hungary, Italy, Kazakhstan, Korea, Malaysia, Mexico, Morocco, Nigeria, Oman,20 Panama,21 Poland, Saudi Arabia, Sudan, Thailand, Turkey, United Arab Emirates,22 and Uzbekistan.

Countries of Concern

While many of these countries are known for their lack of freedom of expression, and politicization of the justice system, several routinely violate basic due process rights, and commit ongoing serious human rights violations. Viewing these countries through the lens of Hacking Team’s claimed sales practices, we highlight a few areas of concern:

Azerbaijan: We identified an RCS endpoint in Azerbaijan (Azertelekom: 109.235.193.83) that was active between June and November 2013. Azerbaijan hit international headlines in 2013 when the results of the October presidential elections were accidentally released before voting began.23 In the run up to the elections, state media released a compromising video of influential Azerbaijani investigative reporter Khadija Ismayilova recorded from inside her home.24 While not used in Ismayilova’s case, RCS can enable the same type of monitoring by covertly activating a computer’s webcam, as well as stealing private videos and pictures from a computer.

Kazakhstan: We identified an RCS endpoint in Kazakhstan (JSC Kazakhtelecom Slyzhebnyi: 89.218.88.xxx). Human Rights Watch (HRW) reported numerous cases of Kazakh government critics facing arrest and detention in 2013. HRW reports that despite the government’s adoption of an anti-torture statute, “torture remains common in places of detention,” and “perpetrators of torture often go unpunished.”25

Uzbekistan: We found three RCS endpoints in Uzbekistan (Sarkor Telecom: 81.95.226.134, 81.95.224.10, and Sharq Telekom: 217.29.123.184). HRW’s 2013 report on Uzbekistan made mention of the government’s systematic use of torture with impunity, including beatings and rapes in detention. The report also mentioned lack of respect for due process, including the dissolution of the independent bar association, and forced disbarment of lawyers who take on controversial cases.26

Saudi Arabia: We identified two RCS endpoints in Saudi Arabia (Etihad Etisalat: 37.242.13.10 and Al-Khomasia Shipping & Maintenance Co Ltd:27 62.149.88.20). HRW has reported “systematic violations of due process and fair trial rights” against detainees in Saudi Arabia, including the use of torture, denial of access to lawyers, inability for defendants to introduce evidence or confront their accusers at trial, and the lack of a penal code or precedent-driven jurisprudence.28

Sudan: We identified one RCS endpoint in Sudan (VisionValley: 41.78.109.91), in a range of eight addresses called “Mesbar” (an Arabic word meaning a device used to “probe”). HRW reported that Sudanese authorities used excessive violence against protesters resulting in numerous deaths. HRW also raised concern over a growing number of politically motivated arrests and detentions and noted authorities’ suspension of newspapers, and harassment of anti-government journalists.29

Target Exploitation

How do governments install Hacking Team’s RCS spyware on a target’s computer? This section briefly outlines one method: the use of exploits, which take advantage of bugs in computer software.

Introduction

There are many actors that sell exploits to governments. A 2012 Citizen Lab report examined30 the possible connection between Hacking Team and VUPEN, a Montpellier-based company best known31 for the sale of “offensive IT intrusion solutions and government grade exploits.”32 While VUPEN offered oblique denials in response to Citizen Lab’s report, we have observed that very similar exploits continue to be used in the delivery of Hacking Team’s RCS spyware. Recently, it was reported that VUPEN had sold exploits to the US National Security Agency (NSA).33

Given the usefulness of exploits in the deployment of spyware, it is unsurprising that Hacking Team competitor FinFisher GmbH also supplies exploits as part of their “Government IT Intrusion and Remote Monitoring” solution. In the company’s own words, “The FinFly Exploit Portal offers access to a large library of 0-Day and 1-Day Exploits for popular software like Microsoft Office, Internet Explorer, Adobe Acrobat Reader, and many more.”34 Hacking Team, FinFisher, and VUPEN promote their products in the same sessions at trade shows.35

Exploits

Here we provide a brief analysis of seven related exploits, which we have selected as representative of a larger corpus of exploits. One can discover related exploits by creating signatures based on these seven exploits.

The exploits we examine here all present themselves as malicious documents. It is possible that the vulnerabilities, pre-weaponization, were discovered and/or sold by different actors. However the exploit documents bear enough similarity to suggest that they are produced using the same procedure or program. Six of these documents appear to facilitate the installation of Hacking Team’s RCS, while the other installs a remote access toolkit known as SpyNet. This suggests that there may be a common actor supplying the exploits independent of Hacking Team.

Exploit 1

Filename: scandale.doc

Hash: dab3e4423525c798d7937441a3b356d7633a30f229911b9bedd38eeff74717d

Exploit: Adobe Flash in Word document

Target: Moroccan citizen journalist group, Mamfakinch.36 The message “Svp ne mentionnez pas mon nom ni rien du tout je ne veux pas d embrouilles…” (“Please don’t mention my name or anything at all, I don’t want any trouble…”) was submitted to the Mamfakinch online news portal, along with a link to http://freeme.eu5.org/scandale%20(2).doc.

Payload: The final payload was Hacking Team RCS.37 A more in-depth analysis of this attack can be found here.

Exploit 2

Filename: veryimportant.doc

Hash: cd1fe50dbde70fb2f20d90b27a4cfe5676fa0e566a4ac14dc8dfd5c232b93933

Exploit: RTF file with DOC extension; CVE-2010-3333.

Target: United Arab Emirates (UAE) human rights activist Ahmed Mansoor.

Payload: Downloads a second stage38 from http://ar-24.com/0000000031/veryimportant.doc2. The second stage downloads a Hacking Team RCS payload39 from http://ar-24.com/0000000031/veryimportant.doc3.

Exploit 3

Filename: رسالة الكوفحي.doc40 (Arabic for “al-Kofahi’s letter”)

Hash: c166aff46cadce2db642047cdca65234c32c6634d9ed822eeeb2a911178d6cc3

Exploit: Adobe Flash in Word document; Adobe Flash “Matrix3D” Integer Overflow.

Target: Unknown, but the spyware payload used a command-and-control server (hamas.sytes.net) linked to attacks believed to be conducted by the UAE government.

Payload: Downloads a second stage from https://www.maile-s.com/yarab/stagedocJord. The second stage downloads a SpyNet payload from https://www.maile-s.com/yarab/Win32.scr, and downloads bait content from https://www.maile-s.com/yarab/kofahi.doc.

Analysis: A public mailing list post41 credits Nicolas Joly of VUPEN for discovering this vulnerability. While VUPEN takes public credit for the discovery of this bug, it is also possible that the exploit used here was not written by VUPEN, but was instead independently discovered and/or weaponized by another party. Examination of the second stage of the payload shows it to be almost identical to veryimportant.doc2, simply using different URLs.

Exploit 4

Filename: إماراتي مظلوم.doc (Arabic for “an oppressed Emirati”)

Hash: 8dbaa77c4db80da6b110e770851932c65c322153fd9edc1df23bd2312584bd94

Exploit: Adobe Flash in Word document; the exploit does not have a CVE number but appears to have been silently fixed in Adobe Flash 11.4.

Target: A human rights activist in the UAE, and a journalist in the UAE.

Payload: Downloads a second stage from http://www.faddeha.com/stagedocuae1. Neither the second stage nor the payload were available for inspection.

Analysis: The metadata for this sample and for Exploit 3 is identical, suggesting that they were generated by the same actor.

Exploit 5

Filename: Biglietto Visita.doc

Hash: c026ebfa3a191d4f27ee72f34fa0d97656113be368369f605e7845a30bc19f6a

Exploit: Adobe Flash in Word document; CVE-2013-5331. It was first seen in November and December of 2013, when it was a 0-day.

Target: Unknown.

Payload: Downloads a second stage from http://176.58.111.219/ipaddrs/shell. Neither the second stage nor the payload were available for inspection. The document was uploaded to VirusTotal along with OSX and Windows samples of Hacking Team RCS.

Analysis: The metadata of the document is as follows:

CDF V2 Document, Little Endian, Os: Windows, Version 5.1, Code page: 1252, Title: , Author: unknown, Template: Normal.dot, Last Saved By: unknown, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Create Time/Date: Mon May 14 10:39:00 2012, Last Saved Time/Date: Mon May 14 10:39:00 2012, Number of Pages: 1, Number of Words: 7, Number of Characters: 41, Security: 0

While the previous exploit documents used embedded zlib-compressed Flash (the usual “CWS” form of a SWF file), this one uses LZMA compression. LZMA support was added to the Flash file format with Flash Player 11 (such files begin with the signature “ZWS” rather than “FWS” or “CWS”), and it is a manual option in Flash Professional CS6. At the time of the attack, few anti-virus products appeared to support automated analysis of LZMA-compressed Flash, making this an effective technique for avoiding detection: a scanner that only knew how to unpack FWS and CWS containers never saw the exploit code inside the document.

Exploit 6

Filename: 1.doc

Hash: 519939a48ba9dbcc05abfeb4e7fbf9f9dda8c13b567ee6858decaadd09730770

Exploit: Adobe Flash in Word document; CVE-2013-0633.

Target: Unknown

Payload: Downloads a second stage from http://62.109.31.96/0000000025/1.doc2. The second stage downloads a Hacking Team RCS payload from http://62.109.31.96/0000000025/0000000025.exe.

Analysis: The exploit uses LZMA compression. The metadata is almost identical to that of Exploit 5.

Exploit 7

Filename: 1.doc

Hash: 1f9db646053a7bc6be1c8e8ef669079c9e9010306fa537ed555de2387952aa23

Exploit: Adobe Flash in Word document; CVE-2012-5054.

Target: Unknown

Payload: Downloads a second stage from http://62.109.31.96/0000000025/1.doc2. The second stage downloads a Hacking Team RCS payload from http://62.109.31.96/0000000025/0000000025.exe.

Analysis: The exploit uses LZMA compression. The metadata is almost identical to that of Exploit 5.

Summary

Examination of the exploit documents’ metadata reveals that exploits 1, 3, and 4 share identical creation and last modification times (2012-05-15T10:39:00Z). Meanwhile, exploits 5, 6, and 7 also share a common time (Mon May 14 10:39:00 2012).42 The creation time for all six of these exploit documents is 10:39:00, which suggests that all of the documents were created in the same manner. Additionally, all of the exploit documents described here download a second stage containing shellcode that then downloads and installs a third-stage implant. We considered that the similarities in exploit payload and metadata were due to packaging by Hacking Team. However, only six of the seven exploits were used to deliver Hacking Team’s RCS. It appears that the exploit document builder is backdoor-independent, allowing customers to select their preferred spyware for post-exploitation.

The exploits discussed above are representative of the exploits used to deliver commercial backdoors that we have observed from 2012 until now. They appear to have all been created by the same actor. It appears that Hacking Team partners with a professional exploit vendor that has been providing its customers with exploits for the past two years.

Identifying RCS Proxy Chains

This section outlines the methodology we applied to identify RCS servers, and trace proxy chains to their endpoints. We first describe how we fingerprinted and detected the servers, and then how we traced the proxy chains.

Fingerprinting RCS Servers

We began this research by devising six fingerprints43 for RCS servers by observing distinctive current and previous behavior (via historical scanning results) of servers listed in files detected as “DaVinci” or “FSBSpy” by at least one anti-virus engine on VirusTotal.44 Using our fingerprints, we searched a range of public, historical scanning results:45 the Internet Census,46 Critical.IO,47 Project Sonar,48 Shodan,49 and the ZMap SSL Scans.50 See Appendix A for our scan results.

Two of our fingerprints, A1 and A2, are based on the response of RCS servers when they are issued an HTTP GET request. Fingerprint A2 looks for a specific type of webpage redirection, and fingerprint A1 looks for impersonation of the popular Apache Web server.

/HTTP\/1.1 (404 NotFound)?(200 OK)?\\r\\n(Connection: close\\r\\n)?Content-Type: text\/html\\r\\nContent-[lL]ength: [0-9]+\\r\\n(Connection: close\\r\\n)?(Server: Apache.*\\r\\n)?\\r\\n/ =~ banner and
/Connection: close\\r\\n/ =~ banner and
/<meta http-equiv=\\\"refresh\\\" content=\\\"0;url=http:\/\/[^\\]+\\\">/ =~ banner

The Ruby Boolean expression for Fingerprint A2 as formatted for the Critical.IO data51
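A Python rendering of the A2 check above, run over two constructed banners, is added here as an illustration; it is not Citizen Lab’s code, the HTTP responses and addresses are made up, and the URL character class in the meta-refresh pattern is simplified to `[^"]+`. The structure of the three conjoined patterns is what matters: a bare HTML response with an optional Apache banner, an explicit Connection: close, and an immediate meta-refresh redirect.

```python
import re

# Fingerprint A2 as three sub-patterns; all must match the raw response banner.
A2_HEADERS = re.compile(
    rb"HTTP/1\.1 (404 NotFound)?(200 OK)?\r\n"
    rb"(Connection: close\r\n)?"
    rb"Content-Type: text/html\r\n"
    rb"Content-[lL]ength: [0-9]+\r\n"
    rb"(Connection: close\r\n)?"
    rb"(Server: Apache.*\r\n)?"
    rb"\r\n"
)
A2_CLOSE = re.compile(rb"Connection: close\r\n")
A2_META_REFRESH = re.compile(
    rb'<meta http-equiv="refresh" content="0;url=http://[^"]+">'
)


def matches_a2(banner: bytes) -> bool:
    """True when every sub-pattern of fingerprint A2 occurs in the banner."""
    return all(p.search(banner) for p in (A2_HEADERS, A2_CLOSE, A2_META_REFRESH))


def filter_candidates(records):
    """Return the hosts whose banners match A2, from (host, banner) pairs."""
    return [host for host, banner in records if matches_a2(banner)]


# Constructed banners, not captured scan data. The first mimics the redirect
# page A2 targets; the second is an ordinary Apache response.
RCS_LIKE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Connection: close\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-length: 92\r\n"
    b"Server: Apache\r\n"
    b"\r\n"
    b'<html><head><meta http-equiv="refresh" content="0;url=http://www.example.com/">'
    b"</head></html>"
)

PLAIN_APACHE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache/2.4.7 (Ubuntu)\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 13\r\n"
    b"Connection: close\r\n"
    b"\r\n"
    b"<html></html>"
)

SAMPLE_RECORDS = [("198.51.100.10", RCS_LIKE), ("198.51.100.20", PLAIN_APACHE)]

if __name__ == "__main__":
    print(filter_candidates(SAMPLE_RECORDS))
```

Note that the ordinary Apache response fails only because its header order differs; a redirect page with this exact layout is not unique to RCS, so an A2 hit is a candidate to be confirmed against the certificate fingerprints rather than an identification on its own.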

Also, when issued an invalid HTTP request, many of the servers return a response with a distinctive typo52 matching an open source Ruby-based webserver written by a Hacking Team employee. Since the project is open source, we do not treat this condition as sufficient to identify an RCS server.

The other four fingerprints, B1, B2, B3, and B4, match SSL certificates returned by RCS servers, which have several distinctive formats. Certificates matching B1 identify the server as an RCS server.



A certificate matching fingerprint B1

While examining SSL certificate results, we noticed that servers in several different countries were returning identical SSL certificates. We hypothesized that these servers were related to each other. As we describe in the next section, we found that servers with an identical SSL certificate were likely associated with a single government operator, and represented proxy chains that terminated in endpoints in a single country.

Identifying Endpoints and Mapping Proxy Chains



Visual representation of a Mexico and Morocco circuit. (Note: The Mexican circuit diagram is incorrectly labelled on the map)

We first provide a list of endpoints.