Previously unreported samples of Hacking Team’s infamous surveillance tool – the Remote Control System (RCS) – are in the wild, and have been detected by ESET systems in fourteen countries.
Since its founding in 2003, the Italian spyware vendor Hacking Team has gained notoriety for selling surveillance tools to governments and their agencies across the world. The capabilities of its flagship product, the Remote Control System (RCS), include extracting files from a targeted device, intercepting emails and instant messaging, and remotely activating a device’s webcam and microphone. The company has been criticised for selling these capabilities to authoritarian governments – an allegation it has consistently denied.
When the tables turned in 2015 and Hacking Team itself suffered a damaging breach, the reported use of RCS by oppressive regimes was confirmed. With 400GB of internal data – including the once-secret customer list, internal communications and the spyware’s source code – leaked online, Hacking Team had to ask its customers to suspend all use of RCS, and was left facing an uncertain future.
Since the breach, the security community has kept a close eye on the company’s efforts to get back on its feet. The first reports suggesting that Hacking Team had resumed operations came six months later, when a new sample of its Mac spyware was apparently found in the wild. A year after the breach, an investment by a company named Tablem Limited changed Hacking Team’s shareholder structure, with Tablem Limited taking a 20% stake. Tablem Limited is officially based in Cyprus; recent news suggests it has ties to Saudi Arabia.
ESET began its investigation after researchers from Citizen Lab provided information that led to the discovery of RCS samples signed with a previously unseen, valid code-signing certificate. Further research uncovered several more Hacking Team spyware samples created after the 2015 hack, all slightly modified compared to the variants released before the source code leak.
The samples were compiled between September 2015 and October 2017. Because a compilation timestamp is trivially forged, ESET cross-checked it against its telemetry: the samples appeared in the wild within a few days of their stated compilation dates, so ESET deemed those dates authentic. Further analysis led ESET to conclude that all the samples can be traced back to a single group, rather than being isolated instances of diverse actors building their own versions from the leaked Hacking Team source code.
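The plausibility check described above (a compilation timestamp is only trusted when the sample surfaced in telemetry shortly after it) can be scripted. The following is an added example, not ESET’s tooling or code from the article: it parses the `TimeDateStamp` field of a PE file’s COFF header with the standard library and classifies it against a first-seen date. The PE image, the seven-day window and the first-seen dates are all constructed for the demonstration.

```python
import struct
from datetime import datetime, timedelta, timezone


def build_minimal_pe(timestamp: int) -> bytes:
    """Construct a minimal PE image (DOS header + PE signature + COFF header).

    Constructed test data for this example, not a real RCS sample.
    """
    e_lfanew = 0x40                                   # offset of the PE signature
    dos = bytearray(b"MZ" + b"\x00" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)       # e_lfanew lives at offset 0x3C
    coff = struct.pack(
        "<HHIIIHH",
        0x014C,      # Machine: IMAGE_FILE_MACHINE_I386
        1,           # NumberOfSections
        timestamp,   # TimeDateStamp: seconds since the Unix epoch (UTC)
        0, 0,        # PointerToSymbolTable, NumberOfSymbols
        0xE0,        # SizeOfOptionalHeader (PE32)
        0x0102,      # Characteristics: EXECUTABLE_IMAGE | 32BIT_MACHINE
    )
    return bytes(dos) + b"PE\x00\x00" + coff


def pe_compile_time(data: bytes) -> int:
    """Return the raw TimeDateStamp from the COFF header of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE/DOS image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    # COFF header follows the 4-byte signature; TimeDateStamp is its third field
    (ts,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return ts


def assess_compile_time(ts: int, first_seen: datetime, window_days: int = 7) -> str:
    """Classify a compile timestamp against the date the sample was first seen.

    plausible : compiled 0..window_days before it surfaced (what ESET observed)
    future    : claims to be compiled after it was seen -> forged/timestomped
    stale     : compiled long before it surfaced -> cannot be confirmed this way
    absent    : zero or all-ones stamp, common for stripped or tampered binaries
    """
    if ts in (0, 0xFFFFFFFF):
        return "absent"
    compiled = datetime.fromtimestamp(ts, tz=timezone.utc)
    delta = first_seen - compiled
    if delta < timedelta(0):
        return "future"
    if delta <= timedelta(days=window_days):
        return "plausible"
    return "stale"


def triage(samples):
    """samples: iterable of (name, pe_bytes, first_seen_utc) -> {name: verdict}."""
    return {name: assess_compile_time(pe_compile_time(data), seen)
            for name, data, seen in samples}


if __name__ == "__main__":
    utc = timezone.utc
    seen = datetime(2017, 10, 4, tzinfo=utc)          # constructed first-seen date
    corpus = [
        ("sample_a", build_minimal_pe(int(datetime(2017, 10, 1, tzinfo=utc).timestamp())), seen),
        ("sample_b", build_minimal_pe(int(datetime(2015, 1, 1, tzinfo=utc).timestamp())), seen),
        ("sample_c", build_minimal_pe(int(datetime(2018, 1, 1, tzinfo=utc).timestamp())), seen),
        ("sample_d", build_minimal_pe(0), seen),
    ]
    for name, verdict in triage(corpus).items():
        print(f"{name}: {verdict}")
```

Only a "plausible" verdict corroborates the stamp; "stale" is not evidence of forgery, since a binary can circulate privately for years before telemetry catches it. Newer toolchains that emit reproducible builds write a hash-derived value into this field, so a timestamp far outside the expected range should also prompt a look at the linker and PDB metadata before drawing conclusions.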
ESET has chosen not to name the fourteen countries, to prevent potentially incorrect attributions based on these detections: the geo-location of a detection says nothing in itself about the origin of the attack.