Hacking Team Hacked: the Pakistan Connection, and India's Expansion Plan

USI Library

News Information Services

Dawn/28-07-2015


JAHANZAIB HAQUE|ATIKA REHMAN

Consider this: your mobile phone is sending a steady stream of private information and location coordinates to an unknown entity that has included your name on a list of targets to be monitored.

Your computer allows those with a set of very sophisticated, very expensive spyware tools to access your digital life, from saved photos and chat messages to watching and listening to you using your device’s camera and microphone. This massive breach of privacy is virtually undetectable and untraceable.

Now imagine such tools in the hands of the state’s security apparatus.

In a recent report, Privacy International (PI), an organization focused on privacy intrusions, asserted that the government had obtained such surveillance tools from multiple sources, including Ericsson, Alcatel, Huawei, SS8 and Utimaco. There is increasing concern that local Law Enforcement Agencies (LEAs) and intelligence agencies have the ability to intrude into a range of devices to capture data, encrypted or otherwise.

One software that enables such high-level spying is Remote Control System (RCS) — a ‘cyber security’ solution developed by Hacking Team (HT), an Italian IT company notorious for its spy tools that have been sold to countries as far and wide as Sudan, Bahrain, Saudi Arabia, India, Mexico and Russia.

RCS primarily works through the installation of malware, a malicious programme that is remotely transmitted to a device and then used to transfer private data through an internet connection.

Aside from allowing access to photos, emails, chat conversations, social media accounts and passwords, the software can tap phone and Skype calls, take photographs using the infected device’s camera and switch on a device’s microphone – all without the user’s knowledge, and without affecting a device’s battery life.

HT boastfully claims to equip law enforcement agencies solely to “fight crime hidden in the new encrypted digital world”. It repeatedly asserts its RCS hacking software is lawful, and “critical to the work of preventing and investigating crime and terrorism…we serve over 50 clients in more than 30 countries; we have been the first movers and leaders since 2004.”

It was perhaps this notoriety and success that led to HT itself being hacked in July by an anonymous hacker who released 400GB of the company’s data online, of which one million emails have been compiled into a public archive by Wikileaks.

In an attempt at damage control, HT published a message from CEO & Founder David Vincenzetti who admitted there was a security breach, adding that, “the attack on our company was a reckless and vicious crime.”

Enter Pakistan

With HT acknowledging the data leak, the controversial surveillance company’s detailed liaison with global customers has been laid bare - and among the emails are over 1,000 exchanges with a set of actors who claim to be Pakistani contractors representing various state institutions.

Against the backdrop of Privacy International’s report detailing Pakistan’s desire to build a mass surveillance system, these emails reinforce the idea that some elements within Pakistan have purchased, or are in the process of acquiring intrusive hacking tools such as RCS using the names of top LEAs and intelligence agencies.

The email exchanges run from 2011, where HT staff discuss doing business with Pakistan, in which it sees an “exceptional customer”, up to May 2015 where a contractor claims he has received demands from local agencies for surveillance equipment that can be integrated into unmanned air vehicles (drones) and land vehicles.

With many email chains ending abruptly or switching over to phone calls and private meetings online or abroad, the status of RCS being actively used inside Pakistan is currently unknown.

In the examination of emails that follows, the years-long exchanges between Pakistan's contractors and HT reveal how the business of surveillance operates, and the dangers it poses.

From the WikiLeaks vault

The Business of hacking

Leaked email exchanges between Hacking Team (HT) and Pakistani contractors vying for their controversial Remote Control System (RCS) surveillance tool provide insight into how the business of cyber security operates behind closed doors.

The story, which begins in 2011, is one of intrigue and troubling intentions on the part of both buyer and seller.

2011

January 21: HT Sales Manager Marco Bettini forwards an email to Key Account Manager Mostapha Maanna with the subject: Visiting you in Islamabad.

The original email chain dates back to 2009, its contents being a lengthy exchange between one Zeeshan Zakaria, who says he represents Lahore-based Zakimpex. He is talking to members of HT, including Mostapha Maanna and CEO and Founder David Vincenzetti.

The conversation begins with Mostapha demanding to know the agency Zeeshan claims to represent in Pakistan. He adds:

“By the way, I already know the name of this company’s customer.”

Hoping to secure a deal and take a cut as the middleman, Zeeshan says his customer is the National Police Bureau. He provides a list of names with designations, including one DIG and multiple SSPs, to get HT’s attention.

Mostapha thanks him for the “clear answer”, and recommends Zeeshan and his customer attend the Intelligence Support Systems (ISS) conference — a global gathering focused on security, law enforcement and intelligence — in Dubai. He says HT will arrange for a demo of RCS hacking capabilities there. David chimes in with a promise to show the customer “a private demonstration of our mobile eavesdropping modules”.

Zeeshan tries to persuade HT to visit Pakistan, but David is clear on the subject: “To my understanding we had decided not to meet in Pakistan (too dangerous) but to meet in Dubai instead.” There is a flurry of emails covering logistics for the Dubai visit, which ends abruptly when Zeeshan names two technical assistance officers of the Federal Ministry of Interior as his travel companions.

It is unclear whether the meeting takes place.

Why this old email chain is forwarded on January 21, 2011 becomes clear as the year progresses — HT is now actively interested in entering the Pakistan market.

February 2: HT CEO David forwards a Financial Times article to his sales staff. The headline reads, “Pakistan court refuses to free US official”. The report outlines the politics behind the case of Raymond Davis, a US official accused of running over two Pakistanis in Lahore.

David notes [in Italian] that the case shows how:

“Pakistanis are very hostile towards Americans and the West in general. This complicates our eventual trip to the country.”

He asks his sales staff to respond to Pakistani customers with “meet at our office” or in “neutral territory such as Dubai”.

Two weeks later, a single email that appears to be part of a longer conversation emerges. HT is back in touch with Zeeshan, who alleges that the FIA has requested him to arrange a demo of RCS. He provides specific dates and times as the “big boss will be available during these dates”.

May 4: Osama bin Laden was shot and killed two days ago in a covert US operation. David emails his sales staff [in Italian] outlining how Pakistan is a “divided country, highly religious” and stuck in a tussle with “rival India” while also involved with the US in the war in Afghanistan.

He goes on to make a veiled reference:

“He receives $4 billion from the US each year for civilian aid and arms. This could be an exceptional customer”.

It is clear HT actively wants to pursue clients in Pakistan. Mostapha is instructed to reach out to INTECH Solutions — HT’s German partner — for an update. A response follows shortly after: “Hello David, We talked to our German partner. He’ll go to Pakistan to conduct demos and meet with clients.”

Klaus Weigmann, the Managing Director of INTECH Solutions, responds with bad news. Their contact in Pakistan has advised against any German visiting Pakistan at this time. Klaus says he cannot risk sending his technicians until the contact says the situation is clear with “no risk to our lives”. The email chain ends; it is unclear whether INTECH Solutions staff visit Pakistan.

June 9: A second contractor identifying himself as Javed Ahmed, Chairman of Karachi-based Miran International, appears close to sealing a deal for CID Sindh Police, as a critical Non-Disclosure Agreement (NDA) is signed by all parties.

Aiming to reel HT in, he mentions the CID is being funded by the UK government. He also asks HT to stay quiet about pricing until it is approved by them.

Miran International has been in touch with HT since January, promising they should be able to sell RCS to the “Intelligence Bureau [IB] Islamabad Armed Forces [ISI ,AFI,NI and MI] Provincial Intelligence Agencies [CID AND CIA ].”

In a further attempt to build close ties, Javed reveals that a representative of Gamma Group — the developers of Finfisher, another spyware surveillance system — had visited Pakistan to meet a top intelligence agency. He claims that no local deal went through because of price issues and “Gamma were not giving the keys and equipment on trial basis”.

He adds that the quoted cost for purchasing FinMobile was $700,000 and this was “way out of budget”. For the first time, HT provides the cost for a basic RCS package:

“For an ‘entry’ level =10 targets + 1 platform, the price to Miran is about 240K euros. We have a lot of additional ‘powerful tools’ as IPA, RMI, exploit portal ecc the price is more or less 40K for each tool.”

It is not clear whether the CID or other agencies cited by Javed eventually purchased RCS.

August 5: Miran International continues to build its case as HT’s local partner. “Brother, they [local agency] do not have any money of their own. They are receiving donations from UK Embassy and USA Embassy. Through these donations they are buying equipment and technology. And most of the things are being purchased from me,” claims Ali Ahmed, the CEO of Miran International.

“Please give your most fair and reasonable price. I will also add fair margin. Then they will take your proposal to the donor country.” He is also forthcoming about whom he represents: the Crime Investigation Department (CID).

November 21: HT has an internal discussion based around Research In Motion agreeing to help the Indian government carry out surveillance of BlackBerry services.

David comes up with a way to pitch to India, outstripping RIM’s solution:

“RCS offers a possibility more than any other system of passive interception, including the capture of data that typically does not travel over the network… and the possibility to “follow” an Indian target when they go abroad (e.g. Pakistan).”

HT Senior Security Engineer Fabrizio Cornelli replies with the need to test RCS “So India could follow a target traveling in Pakistan” with a stable connection between phone and hub.

November 22: Just a day after a discussion on how to pitch RCS to India through tracking abilities inside Pakistan, HT replies to a new contractor from ‘rival Pakistan’, outlining its hacking software’s capabilities to access “Skype (VoIP, chat), MSN (VoIP, chat), Keystrokes (all Unicode languages), files, screenshots, microphone eavesdropped data, camera snapshots, etc.”

2012

March 14: Ali Ahmed contacts HT for a customer who is interested in purchasing the RCS and “Remote Mobile Intrusion” toolsets. The quoted price, however, is on the “high side” and the email chain ends.

May 25: An HT internal email exchange reveals that the first part of a payment by an unidentified customer has come through, while the second part has been delayed because “Basar had to go to Pakistan. He told me to have a little patience.”

Other emails identify the individual as Syed Basar Shueb, the CEO of Pal Group, a UAE-based company that presents itself as involved in multiple mega-ventures including ‘Time Square’, which was reported by the Khaleej Times to be a $1.4 billion real estate project in Lahore — a joint venture with Defense Housing Authority.

October 4: The sales manager at a Dubai-based software firm, Vytas Celiesius, says a Pakistani customer is looking to purchase HT’s mobile intrusion software but has multiple queries regarding its capabilities.

Mostapha responds to the queries, outlining the software’s ability to work on the latest iOS and Android platforms; the ability to remotely install trojans using SMS, WAP push, emails; the need to have the user install the application, otherwise resort to physical infection; the vital need for an internet connection to transfer data.

October 31: HT consultant Bern Fiedler makes an unusual finding that he shares with HT.

“On Pakistan, I do not know whom you are dealing with but Director General Technical of ISI is not aware of any discussions or presentations neither procurement of products from Hacking Team. He confirmed to me that they are in a need of the products and are open to other vendors as well.”

2013

February 25: Yet another contractor, Anwar S. Malik, who identifies himself as Director Business Development of Islamabad-based Hajvairy Technologies, reaches out to HT. He says his company is a registered supplier to the “Ministry of Defense and law enforcement organisations for almost 30 years”.

In a first for any of the local contractors, Anwar flies to Milan to meet HT at its office. An NDA is signed by all parties but the customer is not named.

March 14: Mostapha tells Vytas that HT has begun working on selling RCS to the Pakistan Air Force (PAF) and the Pakistan Navy through a local partner. He tells his German partner that he is assessing whether the opportunities are serious. Vytas responds saying the PAF has already purchased FinFisher from Gamma. Instead, he says his company representatives met with the ISI at ISS in Dubai to discuss mobile intrusion equipment, which was “a high priority”. He adds: