An unknown number of hackers accessed and posted at least 400 GB of the “offensive technology” manufacturer Hacking Team’s internal documents, emails, slideshow presentations, and more, on Sunday evening. Up until now, the company hadn’t confirmed reports that its clients were using its technology for more insidious purposes, including to monitor national dissidents and journalists. The company had also never explicitly listed its clients, which have now been found to include the FBI and the U.S. Drug Enforcement Agency.
While the infamous technology firm was always known for selling technology that provided clients access to specific targets’ devices and systems, the data breach tangibly proved many human rights groups’ worries about the company and its deals.
Citizen Lab, for example, most recently wrote in March that Hacking Team’s technology allowed the Ethiopian government to hack into the computers and accounts of Ethiopian Satellite Television (ESAT) employees based in the U.S. ESAT operates as an independent television and radio station.
The government had previously targeted journalists outside of Ethiopia, as well.
Now, a leaked clients list confirms the Information Network Security Agency in Ethiopia as a Hacking Team customer. The ledger states that the Ethiopian agency first purchased Hacking Team’s technology in 2012, and so far, has spent roughly $829,200 to initially buy and then maintain the company’s products.
Another leaked document, an invoice, appears to show that Hacking Team sold a “Remote Control System” to Sudan’s National Intelligence and Security Services in 2012 for approximately $593,000. This apparent Sudanese deal could, if proven accurate, violate restrictive UN sanctions against the African country.
While the most damning discoveries from the breach might be these human rights violations and the client list, the breach also yielded an intimate look at the company’s internal communications and procedures, along with a list of used passwords, some of which were as simple as “passw0rd.”
Details of the firm’s technology leaked, too, such as a white paper on its “Remote Control System Exploit Portal,” which allows even “untrained personnel” to execute an exploitation on a target’s device or system. Available exploits include public software vulnerabilities, zero-days, private vulnerabilities, and “social” exploits, or “errors by the human target in opening the document.”
The white paper, dated 2011, also claims that the portal always contains at least three zero-day exploits.
One person has come forward and claimed to be behind the attack on Hacking Team, as well as the 2014 attack on Gamma International’s similar FinFisher software. The hacker, known as Phineas Fisher, confirmed to Motherboard that he was behind both attacks.
Hacking Team is also allegedly telling customers to stop using its technology, although another leaked document, the “crisis procedure,” indicates that the company could shut down every client’s software remotely through a built-in backdoor.
The company’s website went down earlier on Monday, but appeared to be running again at the time of this publishing.
Hacking Team has not responded to a request for comment, and more findings are expected as researchers and curious onlookers continue wading through the data trove.