Analysis of the Global Surveillance Infrastructure Via HackingTeam.

Security experts from Kaspersky Lab and Citizen Lab at the Munk School of Global Affairs at the University of Toronto have released the results of their analysis on the  global command and control infrastructure used by the Italian firm HackingTeam to manage its spyware instances all over the world.

Many times security experts have accused HackingTeam of providing its spyware to authoritarian regimes and law enforcement for the purpose of surveillance. According the researchers that presented their findings during an event in London, the command infrastructure supporting HackingTeam’s Remote Control System (RCS) is composed by 326 servers distributed in more than 40 countries. The majority of the C&C servers were hosted in the United States, Kazakhstan, Ecuador and UK.

HackingTeam C2 servers RCS 2

Count of C2s Country name
64 UNITED STATES
49 KAZAKHSTAN
35 ECUADOR
32 UNITED KINGDOM
24 CANADA
15 CHINA
12 COLOMBIA
7 POLAND
7 NEW ZEALAND
6 PERU
6 INDONESIA
6 BRAZIL
6 BOLIVIA
6 ARGENTINA
5 RUSSIAN FEDERATION
5 INDIA
4 HONG KONG
4 AUSTRALIA
3 SPAIN
2 SAUDI ARABIA
2 MALAYSIA
2 ITALY
2 GERMANY
2 FRANCE
2 EGYPT
1 UKRAINE
1 THAILAND
1 SWEDEN
1 SINGAPORE
1 ROMANIA
1 PARAGUAY
1 MOROCCO
1 LITHUANIA
1 KENYA
1 JAPAN
1 IRELAND
1 HUNGARY
1 DENMARK
1 CZECH REPUBLIC
1 CYPRUS
1 Other
1 BELGIUM
1 AZERBAIJAN

“The presence of these servers in a given country doesn’t mean to say they are used by that particular country’s law enforcement agencies. However, it makes sense for the users of RCS to deploy C&Cs in locations they control – where there are minimal risks of cross-border legal issues or server seizures,” said Sergey Golovanov, Principal Security Researcher at Kaspersky Lab.

Within the the products under analysis by experts, there is Galileo RCS, a solution capable of monitor communications and data transmission even if over a secure channel. The experts for the first time detailed the control network for the spyware used on victims’ mobile, malicious code used are custom built for each target and loaded onto a device.

“It was a well-known fact for quite some time that the HackingTeam products included malware for mobile phones. However, these were rarely seen,” “In particular, the Android and iOS Trojans have never been identified before and represented one of the remaining blank spots in the story.” reported Kaspersky Lab experts on the Securelist blog.

The RCS mobile components for every device, including Apple iOS, Android OS, Windows mobile and BlackBerry, allow customers of the HackingTeam company to monitor victims, spy on conversations through principal VOIP and instant messaging applications (e.g. WhatsAppSkype), steal data from their devices and use them as spy bugs enabling the microphone.

“The RCS mobile modules are meticulously designed to operate in a discreet manner, for instance by paying close attention to the mobile device’s battery life,” “This is implemented through carefully customized spying capabilities, or special triggers: for example, an audio recording may start only when a victim is connected to a particular Wi-Fi network (for example, the network of a media house), or when he/she changes the SIM card, or while device is charging.” Kaspersky Lab said.

Experts at Kaspersky and Citizen Lab discovered that the iOS version of the RCS Trojans is able to monitor only jailbroken devices, anyway the spyware can work on any devices considering that is possible to remotely run a jailbreaking tool such as Evasi0n and then load the malware implant.

The Android spyware was characterized by the presence of a sophisticated obfuscator dubbed DexGuard that made hard the analysis of the malicious code.

The malware developer at HackingTeam also used zero-days for their exploits that served with classic spear phishing scheme and also through local infections via USB cables while synchronizing mobile devices.

The findings proposed by the experts are very important because demonstrate the high level of sophistication of the spyware designed by the HackingTeam and the scale of the surveillance operated through its tools.

These tools in the wrong hands are a dangerous weapon.

No doubts, one of the most advanced cyber threats is  malware , we read daily news regarding new  agents developed by cybercriminals, governments or hacktivists, but are we really ready to reduce the exposure of our systems?

Dr. Web, a Russian anti-virus company, has detected a cross-platform Trojan horse that is able to gain full control of its victims and it is also able to can render the system unusable. The agent, named dubbed BackDoor.DaVinci.1, runs both in Windows and Mac OS X and what is singular is the characteristics of the Mac OS X release that for the first time implements rootkit technologies to hide malware processes and files.

The first question is … who has developed the backdoor?According the info available on internet, the trojan has been designed by the Italian HackingTeam, a security firm  which is specialized in the development of offensive solutions for cyber investigations, on its web site it is possible to find the following description of the debated product:

In modern digital communications, encryption is widely employed to protect users from eavesdropping. Unfortunately, encryption also prevents law enforcement and intelligence agencies from being able to monitor and prevent crimes and threats to the country security. Remote Control System (RCS) is a solution designed to evade encryption by means of an agent directly installed on the device to monitor. Evidence collection on monitored devices is stealth and transmission of collected data from the device to the RCS server is encrypted and untraceable. For Governmental LEAs and Agencies ONLY.

For the record the name of HackingTeam was published in the SpyFile dossier by Wikileaks’s Team which reports on the technologies developed for surveillance and control of communication channels.

The malware appears as very smart agent that is able to hide its presence to security systems  and is also able to infect mobile devices, it’s spread as a signed AdobeFlashPlayer.jar file, obviously the for the signature it has been used an invalid digital certificate. The file is used to analyze the OS version of victim and execute malicious code.

The malware, following a valid design, is modular and its core components are represented by the backdoor module and a set of drivers that make possible the operation in hidden mode, all the instances of the malware share the same configuration settings stored in a dedicated file and it is equipped with a large collection of module to elude anti-virus software and firewalls. After Dr. Web other security firms have detected the cyber espionage tool giving it different name, for example Kaspersky lab team named it Morkut providing a first analysis on a blogpost. According to Mikko Hypponen (F- Secure) Tweet…

“The Mac backdoor in the news (DaVinci/Morcut/Crisis/Flosax) is a commercial espionage trojan, and openly advertised on www.hackingteam.it”

The developers of the BackDoor.DaVinci.1 claim that their product is able to elude any anti-virus program but Dr.Web antivirus is able to detect it … we can bet that the game of “cops and robbers” is begun and the group of the HackingTeam is already working to introduce improvements that can make their malware undetectable.

TheDaVinci backdoor is not a common malware released in the wild without control but it is a commercial surveillance Trojan sold mainly to governments, it is used to monitor thousands of people all over the world. Of course the product of the Italian firm is not the only one, to provide an example we can remind the FinFisher product developed by Gamma company, similar products have been used by law enforcement and also by authoritarian regimes such as Egypt and Bahrain and other governments such as Germany. Their use is becoming more frequent and the thought that a malicious agent could violate computer defenses for espionage or also for offensive purposes is not very reassuring.

Once released from these companies, are they actually able to control the diffusion of the malware? What could happen if a foreign government or a group of cyber criminals completed a reverse engineering of the products, developing its own malware resulting no easily identifiable software that could be used for cyber espionage on a large scale? Are we all really ready to this?

Unfortunately, although similar instruments designed for justifiable uses, such as support for investigations and prevention of crime and terrorism, exit they are too easily sold to governments that use them for tracking and persecution of dissidents. It should be mentioned that in court similar tools could not to be admitted as evidence since the provider must ensure that the instrument will not alter nature of information and the operation of the device put under control.

I’m not discussing on the the specific case, but it is evident that in the course of proceedings by authorities, the information collected may not be deemed reliable for some reasons. The very fact that a trojan alters the nature of the system that it infects, can lead to rejection of gathered evidence, and lawyers often argue that once comprised it is impossible to guarantee that the data collected from (for example)  a chat are legitimate and not deliberately inserted by the malware. The EU Council has recently recommended that Member States should strive for the examination of computers remotely suspicious, but there are still many unresolved technical and legal aspects. The experience of Germany in its attempt to regulate the use of tools broadly known as “remote forensics” by those who must enforce the law is helpful in this regard. The new generation of technologies, such as software agents, including trojans, have unique features that distinguishes it from existing technologies currently used in the investigation.

During the investigation, these technologies can act independently. Their autonomous decision-making enables them to replace at least some of the functions previously performed by a human, and without the direct supervision of a human controller. This raises the question whether the rules that give human rights to officials can be applied by analogy to software agents, and if the rules are intended to limit the interference of the police citizen’s rights can be circumvented by using technology (Schafer, 2006) .

Another problem … companies that provide free anti-virus and those that provide the control systems are not necessarily in the same jurisdiction of the entity to control, causing conflicts with the relevant privacy laws. How should the person carrying out investigations in relation to suppliers of antivirus? Ask for their cooperation or proceeding seeking to evade them? At the moment it would seem that the second road traveled, at least by German government (BT-Drucksache 16/4995).

Another question … The data collection is automated, so no human subject will decide which data will be relevant and should be copied, but this may involve the collection of any data recorded on the computer including much that is irrelevant to the investigation. These data could be  problematic and sensitive data, such as medical and health information, and therefore protected from investigations under law.

A judgment of the German Federal Supreme Court has established as a requirement for the use of RFS tools by law enforcement agencies for the custody of the selection process is conducted by an investigating judge, a state prosecutor or a bailiff (BVerfG, NJW 2008, 822), but the German judicial system does not have sufficient human resources.

Traditionally, forensic investigations computers are taken off-line to ensure that there aren’t changes and that the object of investigation is in the same condition when the evidence is admitted, as when the crime has found place.

The use of a trojan for investigations requires the authorities to reach from the remote target machines which, however, remain in the control of the suspect and remain connected to the network before, during and after the operations of inspecting.

Thus the problem of acquisition of the test using RFS tools that not only is the original source (the computer) has not been subjected to seizure, but this is not a static environment, yet flexible, which can be manipulated. As a general rule, evidence obtained from an insecure network, such as the Internet, can always be subject to a challenge to its authenticity and reliability.

The attempt to subject to statutory regulation the use of malware for investigation produces new ambiguity, it must be promoted a common approach applicable to the entire class of investigative technologies.

The debate is open, there are many doubts, but there is no ambiguity that these agents have efficacy for those governments who want to spy on and pursue their opponents … from an ethical point of view there is much to discuss.

 

 

 

1 Comment

  1. Think about how much worse this will get when brain uploads and downloads become possible and as technology becomes more integrated with the human body.

    Now think of the utter stupidity, incompetence and utter ego of the politicians in Washington DC and ask yourself how much control they will want to have over these devices.

    This is a very scary thing…

Leave a Reply