11 July 2015
by Martin McKenzie-Murray

Spyware company's shadowy deals exposed

Millionaire hackers' spyware clients include South Sudan, Russia, Saudi Arabia – and Australia.

David Vincenzetti had changed. From anarchic cyberpunk of the early ’90s – a young man enchanted by the nascent web and its clandestine harbours – to the conservative CEO of Hacking Team and one of the most reviled figures of the internet. That young punk would also become a millionaire, the result of selling surveillance software to the world’s law enforcement and spy agencies – including the Australian Federal Police.

Twenty-five years ago he was still a junior computer scientist at Milan University. Vincenzetti would reminisce warmly about the period in an email with younger colleagues this year: “The Internet had already been created and made available to some Universities only. I was in my early twenties and I frequently visited the AT&T Bell Labs and the MIT meeting the outstanding and in fact quite unique legendary computer scientists of that time. Such computer scientists had invented the Internet, they had invented the programming languages, they had invented Unix and its relevant protocols, and they were starting to work on something new: computer security.”

“The first thing to do in order to repress the lone wolves phenomenon is mass surveillance.”

This week, Vincenzetti’s world collapsed. The hackers were hacked. It was a profound compromise – more than 400GB of Vincenzetti’s company’s documents made publicly available. It was an electronic evisceration, revealing personal details of employees, the source code of their spyware, and the intimacies of an arrogant culture. There was also a meta-level to the disclosure – how shabbily Hacking Team had protected its own secrets. “There will be other more devious malware companies out there, but they’re unlikely to be so relaxed about their security,” Andrew Holgate tells me. Holgate is an Australian web technology expert based in Rome. “Italy has many beautiful church facades with half-complete interiors,” he tells me.

But most importantly, the hack confirmed what many had long suspected – that the company had been selling its spying tools to some of the world’s most brutal governments – South Sudan, Russia, Saudi Arabia, Kazakhstan and Bahrain. And it would also implicate a major Australian agency.

Turning defence into offence
Vincenzetti founded Hacking Team in 2003 in Milan. Initially it focused on defensive strategy – helping clients defend their cyber-infrastructure from attack. But Vincenzetti soon borrowed a favoured mantra of aggressive sports coaches: the best defence is a good offence. He designed Galileo, software designed to insinuate itself within a target’s computer so it might be remotely monitored or controlled. “The generic names for such tools are remote access tool (RAT),” Stilgherrian tells me. Stilgherrian writes extensively on information security and privacy issues. “They give the attacker complete access to what’s happening on the target device, or rootkit, because they give ‘root access’ – that is, complete administrator-level access – to the device, covering their tracks in the process.

“When these tools are run on the target device, they scan it for vulnerabilities, looking for a way in – and there’s always some way in – install themselves, erase their tracks, and report back to the attacker’s mothership. From then on, the attacker effectively has their own secret control panel on the target device. They can copy or change data, turn on the camera and microphone, send messages, monitor calls, literally anything at all. And because they’re running directly on the target device, they have access to the raw data for something like a secure communications app before it’s encrypted.”

This wasn’t all they did. Hacking Team sniffed for vulnerabilities in existing technologies – phone apps, for instance – then sold exploitative codes to clients. When it was revealed last month that a glitch in Samsung Galaxy phones could transform them into a remote bugging device, Vincenzetti sent an explanatory article to colleagues. “Impressive news, albeit massive and pervasive computer security bugs affecting millions of devices is the new normal now,” he wrote. “Is it really exploitable? Yes. Are WE working on it? Obviously.”

Vincenzetti believed in pre-emptive strikes and perpetual surveillance. A subscriber to the newsletter of conservative think tank American Enterprise Institute (AEI), he favourably quoted AEI fellow and former US ambassador John Bolton: “To stop Iran’s bomb, bomb Iran.” In the same month Vincenzetti emailed colleagues: “The first thing to do in order to repress the lone wolves phenomenon is mass surveillance.”

While Vincenzetti was only the head of a small firm – roughly 40 employees – he had effectively declared war on multiple fronts. He believed in maintaining the primacy –and essential decency – of “the West”. But he saw wild and continual threats: Russian incursions on land and cyberspace; Iran’s nuclear ambition; the swirl of jihadist groups and their unofficial patrons. A voracious reader, Vincenzetti subscribed to the world’s prestigious mastheads and intellectual papers as well as obscure trade journals such as Defence Helicopter.

Almost daily he sent articles to colleagues, and always with a preceding riff. About an article on the Greek financial crisis, he wrote: “Its relevance exceeds the financial realm, we are talking about geopolitics here, and geopolitics implies warfare as a whole, cyber included. Something extremely important is going to happen in Europe in the next few days. Its outcome could have far-reaching consequences. Let’s assume that Greece leaves the EU. An unprecedented financial meltdown will happen in Greece. The streets would explode. In order to survive, the Greek government could turn to Russia, it would ask Russia for help, he would ask Russia for a loan. Russia would ask something in return. What about the rental of a coastal strip for a Russian military base? The cost of renting for about 90 years a coastal area for building up and operating a military naval base in Syria cost Moscow about $80B. That is more than enough for solving Greece’s financial issues. A creepy scenario, isn’t it?”

Vincenzetti also saw himself as a muscular counterpart to Julian Assange, a proud adherent to realpolitik and a man willing to put his skills to the service of Western institutions. He was now contemptuous of the culture he was once part of – the libertarian rogues of the web who favoured privacy and were sceptical of the state. Vincenzetti loathed WikiLeaks and the amorphous hacktivist group Anonymous. He was especially scornful of Tor, an encrypted browser that protects the identities of its users. Vincenzetti believed it was merely a blanket for terrorists and drug dealers, and was plotting its destruction. In an email from June this year, Vincenzetti wrote: “Definitely, ‘privacy tools’ such as this one should be regulated. In the meantime, such ‘Onions’ can be ‘crypto-exfoliated’, aka their encryption layers decrypted and therefore fully penetrated by our groundbreaking / extra-low latency / effective on a mass scale offensive security solution.”

Not for the first time, Vincenzetti would contradict himself. For it was an anonymiser chain – which functions very like the Tor browser – that Hacking Team was attempting to sell to Victoria’s Independent Broad-based Anti-corruption Commission (IBAC) only last month, along with a suite of spyware.

Anti-Corruption Commission interest
IBAC became fully operational in 2013, statutorily empowered to investigate “serious corrupt conduct”. It was formed out of the Office of Police Integrity, and while its mandate would be significantly broadened, IBAC has been serially accused of lacking teeth – that the legal threshold for its investigations is maddeningly high. But once the threshold has been met, investigators can perform covert surveillance on their targets – from bugging homes to tapping phones.

Last month, a member of IBAC’s electronic surveillance team began negotiations with Hacking Team for a three-month pilot program worth nearly $500,000. The money would, for a start, buy an anonymiser chain of virtual private servers. Stilgherrian explains: “It’s like the Tor network, which bounces your internet traffic randomly around a series of computers, making it difficult to trace its origins. For someone using Hacking Team’s surveillance tools, it means that if the target becomes aware that they’re being monitored, and tries to trace the source, it just leads back to this random network.” I am not implying any wrongdoing on the part of IBAC.

On June 9, Daniel Maglietta from Hacking Team’s Singapore office provided the IBAC staff member with a breakdown of the cost. “The figure includes $118,000 USD of professional services (installation, foundation training, advanced training and 3 weeks of on-site assistance). Following the 3 months you may have the option of extending the license on a monthly basis fee of 85,000 USD; and following the Pilot project you may also have the option to complete the purchase of the entire solution; in this scenario the amount paid for the temporary licenses shall be discounted from the total figure.”

Many emails were exchanged, and the two talked via Skype. Negotiations seemed to be progressing well. On June 25, the IBAC staffer emailed Maglietta to say: “Thanks for getting this information to me so quick. I’ll be in contact with you about what our next step [will be] in the next week or two.”

This appears to be the last email exchange between the pair. Less than two weeks later, Hacking Team would be spectacularly breached. IBAC had narrowly dodged a bullet. Had they paid for those services, their investigations would have been compromised. And it asks a heavy question of those who seek such tools: how might the very acquisition of spyware make one vulnerable?

Millionaire mercenary
David Vincenzetti held Reaganite assumptions mixed with Samuel Huntington’s “clash of civilisations” theory – that after the Cold War, global conflict would be principally determined by religious and cultural differences. Vincenzetti reserved special hatred for Iran. “The Russian regime is not as odious, fanatical, death/martyrdom-prone and unpredictable as Iran,” he emailed colleagues last month.

But these older frameworks would be reinforced with decidedly modern warfare. The ambitions of the enemy could be repressed or thwarted with computer code. “Cyber technologies are increasingly important for either defence and offence,” he wrote earlier this year. Hacking Team could play its own part in the clash of civilisations.

Except the leaks this week destroyed the image of a professionally secure band of hackers – ones that practise what they preach. Their code has been mocked; their lax security lampooned. And it has also destroyed the pretension of Vincenzetti as a sort of cyber-Reagan, heroically defending the status quo against lunatics, anarchists and malicious world powers. Vincenzetti’s clients include Russia, as well as those whose use of his spyware will be put to the protection of terrorists and the persecution of journalists. The cyberpunk has become a millionaire mercenary – albeit one who is now contemplating the ashes of his reputation.