Hacking Team hacked: The Pakistan connection, and India's expansion plan
Consider this: your mobile phone is sending a steady stream of private information and location coordinates to an unknown entity that has included your name on a list of targets to be monitored.
Your computer allows those with a set of sophisticated, expensive spyware tools to access your digital life, from saved photos and chat messages to watching and listening to you using your device’s camera and microphone. This massive breach of privacy is virtually undetectable and untraceable.
Now imagine such tools in the hands of the state’s security apparatus.
In a recent report, Privacy International (PI), an organization focused on privacy intrusions, asserted that the government had obtained such surveillance tools from multiple sources, including Ericsson, Alcatel, Huawei, SS8 and Utimaco. There is increasing concern that local Law Enforcement Agencies (LEAs) and intelligence agencies have the ability to intrude into a range of devices to capture data, encrypted or otherwise.
One piece of software that enables such high-level spying is Remote Control System (RCS) — a ‘cyber security’ solution developed by Hacking Team (HT), an Italian IT company notorious for its spy tools that have been sold to countries as far and wide as Sudan, Bahrain, Saudi Arabia, India, Mexico and Russia.
RCS primarily works through the installation of malware, a malicious programme that is remotely transmitted to a device and then used to transfer private data through an internet connection.
Aside from allowing access to photos, emails, chat conversations, social media accounts and passwords, the software can tap phone and Skype calls, take photographs using the infected device’s camera and switch on a device’s microphone – all without the user’s knowledge, and without affecting a device’s battery life.
HT boastfully claims to equip law enforcement agencies solely to “fight crime hidden in the new encrypted digital world”. It repeatedly asserts its RCS hacking software is lawful, and “critical to the work of preventing and investigating crime and terrorism…we serve over 50 clients in more than 30 countries; we have been the first movers and leaders since 2004.”
It was perhaps this notoriety and success that led to HT itself being hacked in July by an anonymous hacker who released 400GB of the company’s data online, of which one million emails have been compiled into a public archive by WikiLeaks.
In an attempt at damage control, HT published a message from CEO & Founder David Vincenzetti who admitted there was a security breach, adding that, “the attack on our company was a reckless and vicious crime.”
Enter Pakistan
With HT acknowledging the data leak, the controversial surveillance company’s detailed liaison with global customers has been laid bare - and among the emails are over 1,000 exchanges with a set of actors who claim to be Pakistani contractors representing various state institutions.
Against the backdrop of Privacy International’s report detailing Pakistan’s desire to build a mass surveillance system, these emails reinforce the idea that some elements within Pakistan have purchased, or are in the process of acquiring intrusive hacking tools such as RCS using the names of top LEAs and intelligence agencies.
The email exchanges run from 2011, where HT staff discuss doing business with Pakistan, in which it sees an “exceptional customer”, up to May 2015 where a contractor claims he has received demands from local agencies for surveillance equipment that can be integrated into unmanned air vehicles (drones) and land vehicles.
With many email chains ending abruptly or switching over to phone calls and private meetings online or abroad, the status of RCS being actively used inside Pakistan is currently unknown.
In the examination of emails that follows, the years-long exchanges between Pakistan's contractors and HT reveal how the business of surveillance operates, and the dangers it poses.
From the WikiLeaks vault
The Business of hacking
Leaked email exchanges between Hacking Team (HT) and Pakistani contractors vying for their controversial Remote Control System (RCS) surveillance tool provide insight into how the business of cyber security operates behind closed doors.
The story, which begins in 2011, is one of intrigue and troubling intentions on the part of both buyer and seller.
2011
January 21: HT Sales Manager Marco Bettini sends an email forward to Key Account Manager Mostapha Maanna with the subject: Visiting you in Islamabad.
The original email chain dates back to 2009; its contents are a lengthy exchange between one Zeeshan Zakaria, who says he represents Lahore-based Zakimpex, and members of HT, including Mostapha Maanna and CEO and Founder David Vincenzetti.
The conversation begins with Mostapha demanding to know the agency Zeeshan claims to represent in Pakistan. He adds:
“By the way, I already know the name of this company’s customer.”
Hoping to secure a deal and take a cut as the middleman, Zeeshan says his customer is the National Police Bureau. He provides a list of names with designations, including one DIG and multiple SSPs, to get HT’s attention.
Mostapha thanks him for the “clear answer”, and recommends Zeeshan and his customer attend the Intelligence Support Systems (ISS) conference — a global gathering focused on security, law enforcement and intelligence — in Dubai. He says HT will arrange for a demo of RCS hacking capabilities there. David chimes in with a promise to show the customer “a private demonstration of our mobile eavesdropping modules”.
Zeeshan tries to persuade HT to visit Pakistan, but David is clear on the subject: “To my understanding we had decided not to meet in Pakistan (too dangerous) but to meet in Dubai instead.” There is a flurry of emails covering logistics for the Dubai visit, which ends abruptly when Zeeshan names two technical assistance officers of the Federal Ministry of Interior as his travel companions.
It is unclear whether the meeting takes place.
Why this old email chain is forwarded on January 21, 2011 becomes clear as the year progresses — HT is now actively interested in entering the Pakistan market.
February 2: HT CEO David forwards a Financial Times article to his sales staff. The headline reads, “Pakistan court refuses to free US official”. The report outlines the politics behind the case of Raymond Davis, a US official accused of running over two Pakistanis in Lahore.
David notes [in Italian] that the case shows how:
“Pakistanis are very hostile towards Americans and the West in general. This complicates our eventual trip to the country.”
He asks his sales staff to respond to Pakistani customers with “meet at our office” or in “neutral territory such as Dubai”.
Two weeks later, a single email that appears to be part of a longer conversation emerges. HT is back in touch with Zeeshan, who alleges that the FIA has requested him to arrange a demo of RCS. He provides specific dates and times as the “big boss will be available during these dates”.
May 4: Osama bin Laden was shot and killed two days earlier in a covert US operation. David emails his sales staff [in Italian] outlining how Pakistan is a “divided country, highly religious” and stuck in a tussle with “rival India” while also involved with the US in the war in Afghanistan.
He goes on to make a veiled reference:
“He receives $4 billion from the US each year for civilian aid and arms. This could be an exceptional customer”.
It is clear HT actively wants to pursue clients in Pakistan. Mostapha is instructed to reach out to INTECH Solutions — HT’s German partner — for an update. A response follows shortly after: “Hello David, We talked to our German partner. He’ll go to Pakistan to conduct demos and meet with clients.”
Klaus Weigmann, the Managing Director of INTECH Solutions, responds with bad news. Their contact in Pakistan has advised against any German visiting Pakistan at this time. Klaus says he cannot risk sending his technicians until the contact says the situation is clear with “no risk to our lives”. The email chain ends; it is unclear whether INTECH Solutions staff visits Pakistan.
June 9: A second contractor identifying himself as Javed Ahmed, Chairman of Karachi-based Miran International, appears close to sealing a deal for CID Sindh Police, as a critical Non Disclosure Agreement (NDA) is signed by all parties.
Aiming to reel HT in, he mentions the CID is being funded by the UK government. He also asks HT to stay quiet about pricing until it is approved by them.
Miran International has been in touch with HT since January, promising they should be able to sell RCS to the “Intelligence Bureau [IB] Islamabad Armed Forces [ISI ,AFI,NI and MI] Provincial Intelligence Agencies [CID AND CIA ].”
In a further attempt to build close ties, Javed reveals that a representative of Gamma Group — the developers of Finfisher, another spyware surveillance system — had visited Pakistan to meet a top intelligence agency. He claims that no local deal went through because of price issues and “Gamma were not giving the keys and equipment on trial basis”.
He adds that the quoted cost for purchasing FinMobile was $700,000 and this was “way out of budget”. For the first time, HT provides the cost for a basic RCS package:
“For an ‘entry’ level =10 targets + 1 platform, the price to Miran is about 240K euros. We have a lot of additional ‘powerful tools’ as IPA, RMI, exploit portal ecc the price is more or less 40K for each tool.”
It is not clear whether the CID or other agencies cited by Javed eventually purchased RCS.
August 5: Miran International continues to build its case as HT’s local partner. “Brother, they [local agency] do not have any money of their own. They are receiving donations from UK Embassy and USA Embassy. Through these donations they are buying equipment and technology. And most of the things are being purchased from me,” claims Ali Ahmed, the CEO of Miran International.
“Please give your most fair and reasonable price. I will also add fair margin. Then they will take your proposal to the donor country.” He is also forthcoming about whom he represents: the Crime Investigation Department (CID).
November 21: HT has an internal discussion based around Research In Motion agreeing to help the Indian government carry out surveillance of BlackBerry services.
David comes up with a way to pitch to India, outstripping RIM’s solution:
“RCS offers a possibility more than any other system of passive interception, including the capture of data that typically does not travel over the network… and the possibility to “follow” an Indian target when they go abroad (e.g. Pakistan).”
HT Senior Security Engineer Fabrizio Cornelli replies with the need to test RCS “So India could follow a target traveling in Pakistan” with a stable connection between phone and hub.
November 22: Just a day after a discussion on how to pitch RCS to India through tracking abilities inside Pakistan, HT replies to a new contractor from ‘rival Pakistan’, outlining its hacking software’s capabilities to access “Skype (VoIP, chat), MSN (VoIP, chat), Keystrokes (all Unicode languages), files, screenshots, microphone eavesdropped data, camera snapshots, etc.”
2012
March 14: Ali Ahmed contacts HT for a customer who is interested in purchasing the RCS and “Remote Mobile Intrusion” toolsets. The quoted price, however, is on the “high side” and the email chain ends.
May 25: An HT internal email exchange reveals that the first part of a payment by an unidentified customer has come through, while the second part has been delayed because “Basar had to go to Pakistan. He told me to have a little patience.”
Other emails identify the individual as Syed Basar Shueb, the CEO of Pal Group, a UAE-based company that presents its involvement in multiple mega-ventures including ‘Time Square’ which was reported by the Khaleej Times to be a $1.4 billion real estate project in Lahore — a joint venture with Defense Housing Authority.
October 4: Vytas Celiesius, the sales manager at a Dubai-based software firm, says a Pakistani customer is looking to purchase HT’s mobile intrusion software but has multiple queries regarding its capabilities.
Mostapha responds to the queries, outlining the software’s ability to work on the latest iOS and Android platforms; the ability to remotely install trojans using SMS, WAP push, emails; the need to have the user install the application, otherwise resort to physical infection; the vital need for an internet connection to transfer data.
October 31: HT consultant Bernd Fiedler makes an unusual finding that he shares with HT.
“On Pakistan, I do not know whom you are dealing with but Director General Technical of ISI is not aware of any discussions or presentations neither procurement of products from Hacking Team. He confirmed to me that they are in a need of the products and are open to other vendors as well.”
2013
February 25: Yet another contractor, Anwar S. Malik, who identifies himself as Director Business Development of Islamabad-based Hajvairy Technologies, reaches out to HT. He says his company is a registered supplier to the “Ministry of Defense and law enforcement organisations for almost 30 years”.
In a first for any of the local contractors, Anwar flies to Milan to meet HT at its office. An NDA is signed by all parties but the customer is not named.
March 14: Mostapha tells Vytas that HT has begun working on selling RCS to the Pakistan Air Force (PAF) and the Pakistan Navy through a local partner. He tells his German partner that he is assessing whether the opportunities are serious. Vytas responds saying the PAF has already purchased FinFisher from Gamma. Instead, he says his company representatives met with the ISI at ISS in Dubai to discuss mobile intrusion equipment, which was “a high priority”. He adds:
“[ISI] would like to have mobile as well as PC intrusion equipment with a big number of target SW licenses, e.g. 500 or 1000.”
It is unclear what takes place next, as a final email from Mostapha says an offer will be sent over shortly.
June 10: An individual identifying himself as a former PTA chairman reaches out to David directly. After clarifying that the PTA does not “get involved with tracking or eavesdropping of data as we do not have the constitutional mandate”, he asks the HT CEO to address a few key questions:
“What if extortionists...use prepaid cell phones which have been purchased by the street-side through an unregistered vendor, does not carry correct antecedents of the owner, may have been used by someone innocent previously...or have been obtained from a cell phone company instantly. CDRs show no previous calls made except to just one person whom they threaten. Many of these are not notorious but doing this as an alternative to poor economic conditions, no education, unbalance in society, political backing etc.”
“My question is, can such people be tracked down for relief to say 99%(+) of the other respectable citizens without considerable investment in networks… Another problem is spoofing sender ID through software and SMS service providers available outside the country through Web-to-SMS etc.”
HT Operations Manager Daniele Milan responds on David’s behalf. He says it would be almost impossible to track phones in the scenario described without significant investment in interception/geo-location equipment, as well as educating victims of blackmailing on how to react. He mentions that this can only be done by covering the networks of all telecom operators, who would have to have such equipment in place.
“Cooperation from telecom companies can greatly simplify the tasks of LEAs. This is exactly the scenario where our solution, Remote Control System, fits in perfectly: for tactical usage against a few selected targets of major relevance, who use modern technology to communicate and pull the strings of their criminal plans,” Daniele says. The email chain ends.
September 18: Bernd Fiedler contacts HT and says Pakistan activities have been halted as, “We are currently awaiting the promotion of the new DGT of ISI, any action with the current one will be a waste of time as he will be out of the job soon. I expect that we can start moving forward somewhen end of October beginning of November”.
October 30: Miran International’s representative provides HT with the names of four high profile officials of the Sindh Police who will be traveling to attend Millipol Paris 2013 — an annual, worldwide exhibition of internal state security. Mostapha asks whether invitations are needed for the entire delegation. The Miran representative says entry passes have already been arranged.
2014
January 23: Miran International keeps pushing for a partnership, with Javed asking what happened “after our very positive meeting at Millipol. I was very optimistic after we met that finally the management of your company will send you to Pakistan to introduce your technology to potential end-users. Is there any hope or shall I stop fantasising.” There is no response from HT.
July 21: A deal appears to be reaching fruition thanks to months-long efforts by Zeeshan Zakaria, who now says he is part of Lahore-based Defence Solutions & Systems.
Zeeshan aims to sell RCS to the “army and another intelligence customer”.
NDAs are signed and exchanged for a customer interested in IP intrusion techniques and intrusion through WIFI, along with solutions to hack into Skype, Tango, Viber and WhatsApp. Zeeshan and the HT representatives seem relaxed, almost jovial in their exchanges.
2015
January to March: The new year brings a sudden rush of local contractors vying to become partners for HT’s surveillance software. One identifies himself as Ali Zubair, Director Strategic Planning of Islamabad-based United International Technologies (UIT). He promises sales will be for powerful end-users.
Another man, Adil Khan, who claims to be Vice President Sales and Marketing of Islamabad-based Teletrade International, says he will land HT important customers — the very same as those cited by UIT. Yet another representative of Miran International chimes in with an “inquiry from one of the premier Intelligence Agencies in Pakistan for infecting of GSM handsets.”
Edward Tufail of Italy-based Commercial Consultations claims to represent Karachi-based Vision Security, yet another company interested in a partnership. David terms this both “suspicious, and a waste of time”.
May 4: MI Fareed, who claims to be President, Intertech Tradelinks, a Canada-based company “currently in Dubai”, says he has received demands from Pakistani LEAs and intelligence agencies for the purchase of surveillance equipment.
He says the equipment would be used “to reduce crime levels, to protect from terrorism threats and to identify new incoming security danger as well as for similar uses in the commercial and social sector of Pakistan”. He adds that:
“[Pakistan is] a front-line ally of the USA/allied forces in their war against terrorism in this region, as well as an active participant supporting Saudi Arabia in their continuing conflict in Yemen.”
He adds another “special purpose” requirement that no other contractor has requested: equipment and technologies for integration into “unmanned vehicles” i.e. air (drones) and land. Whether this request ever moved from an NDA to an actual purchase is unknown.
This is the final Pakistan-related email from the WikiLeaks HT archive.
In the name of security
Can the right to privacy be compromised in the name of a security crisis?
Should intelligence agencies be trusted not to misuse powerful surveillance tools?
“In the modern context it is necessary to have effective surveillance equipment, particularly with our deteriorating security situation,” argues defence analyst and security expert Ikram Sehgal, “But what happens is that intelligence agencies justify the use of these tools in the name of counterterrorism and countering criminal activity, while a majority of the operations end up being dedicated to surveillance of common, private citizens, or used for political pursuits etc.”
Sehgal says tools like RCS are problematic when there is a lack of checks and balances in place. “When you have a body which does not answer to anyone or at least does not answer to all authorities that it theoretically should be answering to, then that’s going to cause problems,” he adds.
A former director general of the Intelligence Bureau who requested anonymity agrees that software like RCS “are absolutely necessary tools given the complexities that now prevail in intelligence gathering and security.” He adds that “intelligence agencies do not have many other sources to turn to, and while human intelligence has always been there, it cannot be as efficient as these software and tools.”
Legislation to regulate the activities of intelligence agencies is key, the former DG says, but it would still not be enough. “The best way to ensure that surveillance software is not misused is to appoint the right people to do the job. Because even if you have regulatory laws in place, if implementation is lax those laws would be of no use to anyone. If you have the right person at the helm, they would do the right thing no matter what laws may or may not be in place,” he says.
Former DG FIA Tariq Khosa voices similar views. “The government is working on a cybercrime law so it can bring these operations within its ambit,” he says.
He suggests the formation of a cybercrime task force which answers directly to the government. He stresses the need for a parliamentary committee on intelligence affairs that carries out necessary oversight. “The proceedings of this committee may be in-camera if necessary but its effective presence is critical in a democratic setup”.
The problem with surveillance software
Digital rights experts in Pakistan see good reason to be concerned about spying software like RCS.
"There is next to no public or government oversight of our agencies. The software and hardware that is being purchased by them has in the past been used by regimes to spy on citizens. As such, we have powerful intelligence agencies that are rarely investigated or even castigated in public for fears of being under surveillance for doing so.
What is needed is judicial oversight, public debate and legislation that binds security agencies to the Constitution."
Nighat Daad – Director, Digital Rights Foundation
"The first step in addressing this situation is disclosure. Not through leaked documents, but in an official capacity by relevant institutions. The danger with such technology though, is that some of it can be so invasive that oversight is impossible. Once it gets into someone’s hands, privacy will be an elusive, distant reality.
On a global level, the debate as far as the sale of communications surveillance equipment goes, hinges on what is ethical for companies to make and sell. Around the world, governments and security agencies had taken excessive steps in the name of security and terrorism. We see all of that being rolled back now. The door on bulk data collection, blanket surveillance, overbroad and discretionary powers is shutting globally. It’s slow and gradual, but it is happening. We should be cognisant of that and not repeat the mistakes of others."
Farieha Aziz – Director, Bolo Bhi
"The intention of the state is evident. A China-like Internet governance model is becoming a reality in the name of sovereignty, and national security.
There is great concern regarding this, especially the targeting of human rights defenders and journalists. Our fears are now being verified on a daily basis, and the threat is as real as it gets. Civil society needs to unite to take on these undemocratic and dangerous decisions by state institutions."
Shahzad Ahmad – Director, Bytes for All
India wants HT to meet expansive surveillance needs
Hacking Team conducts webinar for RAW; CABSEC is already a customer of HT’s Israeli partner
Elements of the Indian state have been in steady talks with Hacking Team (HT) till June this year to obtain spying software for internal as well as cross-border surveillance. The trove of emails from the Italian firm points to the desire of India’s intelligence agency and government to obtain spying tools, and also indicates the Cabinet Secretariat’s satisfaction with a demo of the controversial RCS surveillance software.
From the WikiLeaks HT archive, an email dated May 14, 2015 was sent by one Deepak Patel representing Evincesis Info Solutions, who said he was aware of “government establishment” demands.
“[Need is] to acquire tools and services which can help them stay ahead of law bending elements [sic] specially when the Indian soil is under constant threat from cross border attacks,” he explained to HT, assuring them he works closely with agencies on “various levels”.
An email exchange in February 2014 reveals that HT staff conducted a webinar demonstrating their hacking tools to the Research and Analysis Wing (RAW), National Investigation Agency (NIA), Intelligence Bureau (IB) and the National Tech Research Organization (NTRO).
Further examination of leaked emails sent from India in 2015 reveals that HT was actively trying to hire an Indian field officer, and was also in advanced stages of finalising a visit to Hyderabad for a demonstration to law enforcement agencies. An email request dated June 12, 2015 was made by a Prabhakar Kasu of Ortus Consulting, who proposed cellular interception hardware solutions to the South Indian state.
Kasu asked for an estimate on costs for 24 and 50 mobile licenses so he could share it with his client — the Andhra Pradesh police intelligence — to try and convince them to use it. He said he wished to know the price for mobile hacking only “given their current urgent priority”.
A figure of $1 million was given to Kasu, who later prepared visa documents and hotel options for the HT staff. The visit was set for early July and HT staff confirmed their travel dates and flights.
An indication of what the Indian authorities were looking for can be gleaned from an email sent by Amit Kumar of the company Vis Exec. He listed the needs of an ‘end user’ that included penetration of Skype, Whatsapp, email, call data records, IP addresses, locations, posts, images, email and contact lists.
While the Indian government agencies did not directly approach HT, the contractors who reached out to the Italian firm appeared to have worked closely with them.
In one startling 2011 exchange, HT staff discussed a new opportunity in India through their Israeli partner NICE Systems. The customer interested in purchasing RCS was the Cabinet Secretariat (CABSEC).
When asked to explain what CABSEC was, HT employee Marco Bettini was told it was an intelligence organisation directly under the Prime Minister’s office. “They are already [sic] a customer of us (for other solutions…).”
Later in 2012, NICE writes to HT after a meeting with CABSEC in Delhi where RCS was demonstrated. “The customer was happy with the solution capabilities… we would like you [HT] to prepare a proposal that we will hand to our contacts at CABSEC”.
Additionally in 2013, Rohit Bhambri who identified himself as Director India Operations of NICE Systems, said his customer was keen for a solution that focused on mobile phone devices. In internal emails, HT said Bhambri’s client was CABSEC, “but for the moment we are not supposed to know that”.
India, however, remains unclear about the procurement of such software.
Talking to NDTV, UPA’s Home Minister P Chidambaram said he could not recall the Intelligence Bureau or the National Investigation Agency (NIA) acquiring the sort of technology discussed in the emails. “Nothing of this nature came to me,” he said.