NEW YORK — We know dictatorships spy on innocent people. And now we know where they buy their tools — from a tiny Italian company in Milan.
It’s called Hacking Team. And the world knows about it, because Hacking Team has been hacked.
On Sunday, a massive load of stolen documents were uploaded to the Internet. It revealed contracts, invoices and internal presentations of Hacking Team. And it offered a glimpse into a shadowy world of selling high-powered cyber weapons — even to genocidal maniacs.
CNNMoney could not verify the authenticity of these documents. However, specific details in several separate documents form a consistent picture of Hacking Team’s business dealings.
Hacking Team offers consulting on computer security, and its professional hackers build powerful tools. They can spy on emails, text messages and more.
The dark side? Various human rights groups — such as Amnesty International and Human Rights Watch — have worried that Hacking Team’s tools will get into the wrong hands, helping governments arrest journalists and protestors to suppress free speech.
In the past, Hacking Team has denied helping “repressive regimes.”
But now there are documents that show the opposite.
One contract exposed in the data breach shows that Ethiopia paid Hacking Team $1 million for spy tools in 2012. Hacking Team got paid €58,000 to provide spy tools to the Egyptian government in early 2012. Both contracts were for “Remote Control System,” a powerful spying software.
Then there’s Sudan, whose government has engaged in a genocide that killed 400,000, and whose president, Omar al Bashir, faces international criminal charges for mass murder and rape.
Stolen documents show that in March, the United Nations investigated whether Hacking Team sold equipment to Sudan. Hacking Team starkly denied then doing business with Sudan. But it actually got paid $960,000 to provide spy tools in 2012, according to leaked contracts.
“These are very powerful tools that are being sold to basically anyone with a checkbook,” said American Civil Liberties Union principle technologist Christopher Soghoian, who has closely studied the exposed contracts.
The documents show that Hacking Team sells spy tools to many of the countries that rank worst in the World Press Freedom Index, including Azerbaijan, Kazakhstan and Vietnam.
It’s unclear exactly how these governments used these spy tools. But critics point to their abysmal records on human rights and fear the worst.
Until now, there have only been hints about the use of Hacking Team’s tools. Last year, a human rights groups called Citizen Lab found that Hacking Team’s spy tools were used to attack computers belonging to Ethiopian journalists in the United States — breaking American laws. Russian cybersecurity firm Kaspersky tracked it spreading worldwide.
But Hacking Team has always remained silent about its clientele.
“Here, we finally have evidence in the form of invoices,” Soghoian said.
Hacking Team isn’t the only company that makes this type of surveillance software. But it’s the first to have so many internal documents exposed to the public.
It is unclear who broke into Hacking Team. According to tech site Motherboard, a hacker who has gone by the name “PhineasFisher” claimed credit — the same person who last year hacked a similar German maker of surveillance tools, Gamma International.
Hacking Team did not respond to requests for comment on Monday.
On Twitter, one Hacking Team employee shared his thoughts. Security engineer Christian Pozzi said, “The attackers are spreading a lot of lies about our company that is simply not true.” He tried to dissuade anyone from downloading the files, claiming they were infected with a computer virus. Pozzi later deleted his Twitter account without explanation.
Documents reviewed by CNNMoney show that Mexico, Morocco, Saudi Arabia and United Arab Emirates are some of the company’s top clients. They’ve each paid more than $1 million.
According to one spreadsheet, Hacking Team also sells its services to the FBI and the Russian government.
CNNMoney asked the FBI how or why it’s using this spying tool, but the agency has not yet provided a response.
What’s the danger in selling this stuff? It places NSA-type technology in anybody’s hands. In fact, U.S. Director of National Intelligence James Clapper told Congress in 2013 that these kinds of tools pose a serious threat. There’s no guarantee they won’t someday be used to spy on Americans — or American companies doing business abroad.
“These hardware and software packages can give governments and cybercriminals the capability to steal, manipulate, or delete information on targeted systems,” Clapper said back then.