More Aussie agencies wanted Hacking Team's spyware

Emails leaked by attackers who infiltrated the systems of spyware provider Hacking Team this week reveal the Australian Federal Police was not the only local agency interested in the firm's suite of surveillance tools.

Analysis of the leaked emails by iTnews reveals a number of agencies - including ASIO, IBAC and two local police forces - were also interested in the company's spyware.

On Monday, attackers took over Hacking Team’s Twitter account to reveal they had managed to get into the internal systems of one of the world's most notorious providers of offensive information technology to governments.

The attackers published 400 gigabytes of internal files - including sensitive emails and product source code - which detailed, among other things, the names of its clients across the globe.

The Australian Federal Police was revealed as a past user of the company’s products - which allow governments to monitor online communications, record voice-over-IP (VoIP) sessions, remotely activate microphones and cameras, and break encrypted files and emails.

It paid A$126,525 in November 2009 and A$234,980 in February 2010 for offensive-use products from Hacking Team.

The force was the only Australian agency directly listed in the company’s leaked client list as a user of Hacking Team’s products.

Read below for the AFP's spyware shopping list

However, the accompanying leaked emails reveal several other Australian agencies also signalled interest in the spyware - including the Australian Security Intelligence Organisation (ASIO).

Who wanted in?

Government IT and infosec solutions provider Criterion Solutions contacted Hacking Team in October last year, on behalf of a government client “interested in the company’s technology”.

It signed an NDA to discuss potential solutions with Hacking Team, but was forced to reveal the client's name before progressing any further with product details.

It revealed Australia’s spy agency ASIO had asked the firm to find out more about what the spyware merchant had to offer.

However, it is unclear whether ASIO signed up to use Hacking Team’s products, as the ensuing conversations appear to have taken place on Skype.

An ASIO spokesperson has been contacted for comment.

ASIO is not directly listed as a customer of Hacking Team in the company’s leaked client list.

The leaked emails also revealed the NSW Police force asked Hacking Team for a price list on the company’s remote control system product in July last year.

Hacking Team suggested a Skype call to go over product details, and attempted to get the force to sign an NDA to access product whitepapers, but the emails indicate no further discussions progressed from there.

NSW Police told iTnews earlier this week it had never had a relationship with Hacking Team.

Bad timing

One agency, however, had been painstakingly close to signing a contract with Hacking Team just prior to Monday's hack.

Victoria's Independent Broad-based Anti-Corruption Commission (IBAC) first contacted Hacking Team in November last year, seeking further details on the company’s remote control system.

A Skype call was held between the organisation and Hacking Team’s Singapore-based representative Daniel Maglietta on May 8 this year, and IBAC later signed an NDA to access more product information via whitepapers.

According to the emails, Maglietta then flew to IBAC’s headquarters in Melbourne on May 21 this year to hold a live product demonstration with a number of his colleagues.

The emails reveal IBAC was interested in a three-month pilot project of a “slightly lighter version” of the remote control system, which would include exploit and intelligence capabilities for all platforms except Linux for five seats.

Hacking Team sent IBAC a budget proposal early last month which detailed a US$373,000 price point for the three month pilot. The company offered an option to extend the license following the pilot for a monthly fee of US$85,000.

The pair then discussed options for virtual private servers and anonymisers, and on June 24 IBAC said it would get back in touch with Hacking Team over the next few weeks in regards to the next steps.

However, the large-scale breach earlier this week appears to have put a dampener on any potential partnership - at least for now.

No further correspondence between the pair was detailed in the leaked emails.

An IBAC spokesperson said the organisation was not a client of Hacking Team and had never purchased any of its services.

The Northern Territory Police similarly contacted Hacking Team last September to organise an onsite demonstration of the company’s remote control system, the emails reveal.

Following an initial Skype call, NT Police signed an NDA to access product whitepapers, and later scheduled a live demo in Darwin for late November last year.

At the live demonstration, Hacking Team took NT Police through the RCS architecture, showing how it could be used on a desktop infection using an unspecified exploit.

The firm also demonstrated how data could be retrieved through pre-infected Blackberry, iPhone 4s and Android phones.

Nine NT police staff from the computer crime and surveillance divisions attended the session.

The live demo resulted in Hacking Team sending NT Police three separate unspecified configuration quotations for the force’s consideration in December.

The emails do not detail any further correspondence. It is unclear whether NT Police signed a contract with the spyware firm.

An NT Police spokesperson earlier in the week refused to confirm or deny whether the force used Hacking Team’s products.

The AFP's shopping spyware list revealed

The leaked emails also detailed the several years-long relationship between the Australian Federal Police and Hacking Team, which mainly revolved around the firm's remote control surveillance solutions.

The files reveal the AFP actively tested and trialled remote control spyware with specific requirements.

Hacking Team was asked by the force in October 2008 to provide a particular configuration for a trial of the RCS backdoor program, with the following secret surveillance capabilities:

• Keystroke logging
• Print jobs capture
• Web browsing history
• Password capture
• Operating system clipboard capture
• File capture of DOC and PDF documents up to 500 kilobytes in size
• Synchronisation over three minutes
• Automatic uninstall after ten minutes, or if three sync attempts had failed.

The federal force was not, however, interested in webcam, instant messaging or chat monitoring capability.

The success of Hacking Team's solutions for the AFP was not detailed in the emails, but the files did indicate the force encountered issues with Apple products.

“We will not contemplate purchasing the Mac OS X backdoor until we have physically tested a working system,” a member of the AFP technical field team told Hacking Team support in December 2010.

But the company appeared unable to deliver a working backdoor for the 64-bit version of Apple’s OS X based on the OS' "closed" nature, and by February 2011 only had a prototype, untested suggested solution for the AFP.

The federal police force ended the relationship in late February 2011 as it “no longer has a need for the capacity you provide.”

The AFP had an annually renewable contract with Hacking Team, which asked for a €49,000 (A$72,580) break fee to cover one year’s worth of maintenance for its RCS product.It is unclear whether the AFP paid the fee.

Hacking Team expressed disappointment with the AFP’s decision to cancel the contract, and attempted to retain the customer by claiming version 7.2 of its RCS spyware contained fixes for the Mac OS X and iPhone issues the feds had encountered.

It offered the force a temporary license to try out the new version to entice the AFP to stay on as a client, but the pitch was unsuccessful.