On Sunday evening Hacking Team's Twitter account, by then in the attacker's hands, began publishing the company's own private correspondence. By Monday morning a torrent of roughly 400 GB had appeared, containing what appears to be the complete contents of the company's email archives, source code, internal documents and customer files. The breach was claimed by Phineas Phisher, who also claimed last year's Gamma International / FinFisher leak. The archive is being mirrored and indexed across multiple sites, including WikiLeaks (wikileaks.org/hackingteam/emails), and researchers around the world have spent the last forty-eight hours reading.
As a snapshot of the offensive market, what is in the archive is unprecedented. Hacking Team sells its Remote Control System product, now marketed as Galileo, to government and law-enforcement customers. The customer list on the leaked invoices includes Ethiopia, Sudan, Egypt, Bahrain, Saudi Arabia, the Russian FSB, the United Arab Emirates, Mexican state agencies, Italian local police forces, the United States DEA and FBI, and many others. The company's public denials that it sold to repressive regimes are comprehensively contradicted by the documentary evidence in the archive. The Sudan invoice in particular (widely reported via Motherboard, July 6) is a single PDF whose existence the company had spent two years denying.
For the technical security community, the more immediate concern is the working zero-day exploits in the leaked source. Adobe published an advisory (APSA15-03) on Tuesday for a Flash Player zero-day taken from the archive, CVE-2015-5119, and patched it on Wednesday (APSB15-16); by then the exploit was already in use in the wild, Angler having picked it up within twenty-four hours of the disclosure. A second Flash zero-day from the archive, CVE-2015-5122, was identified after that patch had shipped and received its own advisory (APSA15-04) ahead of any fix. There is at least one further Flash exploit in the archive still being analysed, and Windows kernel exploits are being identified as researchers work through the 0day directory.
The operational pattern is therefore a leak that is also, accidentally, a mass arming event. The exploits Hacking Team had been holding for its customers' use are now available, in source form, to anybody with the bandwidth to download the torrent. Exploit kits (Angler, Neutrino, Nuclear) incorporate them within a day. The ordinary commercial cybercrime ecosystem now has access to capabilities that were, until Sunday, the property of state customers, and that transfer is happening faster than the normal patch cycle can absorb.
For the SOC and engagement work, the immediate operational consequences are concrete. Patch Flash everywhere on customer endpoints, including any Flash runtime embedded in installed applications, and verify with an inventory check rather than trusting the update push. Where Flash cannot be patched in the very short term, disable it: via Group Policy for the browser plugins, or by setting the ActiveX kill bit for the Flash control so that Internet Explorer will not instantiate it whatever version is installed. Click-to-play is the more nuanced answer, but the first answer this week is "off". Update IDS signatures for the documented exploit families as the feeds push them; the Emerging Threats Pro feed had rules for CVE-2015-5119 out promptly, with CVE-2015-5122 coverage following its advisory. Watch for unusual Flash content in egress traffic: the SWF loaders that exploit kits serve from their landing pages decode the real exploit at runtime, and that decoder structure signatures well.
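What the inventory check and the kill-bit fallback look like in practice, as an added example (mine, not Hacking Team's, Adobe's or any vendor's tooling): a PowerShell script that enumerates the Flash Player binaries Adobe installs under Macromed\Flash on each endpoint, compares them against the fixed build, and can set the Internet Explorer kill bit for the Flash ActiveX control. The fixed version 18.0.0.203 is the mainline build from Adobe's bulletin for CVE-2015-5119; the extended-support branch has a different floor, so check the bulletin before trusting the default. The file locations, the host list and the CLSID for the Shockwave Flash control are stated here as my assumptions to verify against your own estate.

```powershell
# Added example: Flash Player inventory and kill-bit fallback for Windows endpoints.
# Assumptions (verify locally): binaries live under Macromed\Flash; the mainline
# fixed build for CVE-2015-5119 is 18.0.0.203; the Flash control CLSID is below.

function Get-FlashInventory {
    [CmdletBinding()]
    param(
        # Mainline fixed build per Adobe's bulletin (assumption; ESR branch differs).
        [version]$MinimumVersion = '18.0.0.203'
    )
    # ActiveX (*.ocx), NPAPI (NPSWF*.dll) and PPAPI (pepflashplayer*.dll) copies.
    # On 64-bit Windows the SysWOW64 directory holds the 32-bit set, which is the
    # one 32-bit browsers actually load, so both directories are checked.
    $dirs = @("$env:SystemRoot\System32\Macromed\Flash",
              "$env:SystemRoot\SysWOW64\Macromed\Flash")
    foreach ($dir in $dirs) {
        if (-not (Test-Path -Path $dir)) { continue }
        Get-ChildItem -Path $dir -Include 'Flash*.ocx', 'NPSWF*.dll', 'pepflashplayer*.dll' -Recurse |
        ForEach-Object {
            $raw = $_.VersionInfo.FileVersion
            if (-not $raw) { return }                      # skip files with no version resource
            # Flash writes its version with commas ("18,0,0,203"); normalise for [version].
            $ver = [version]($raw -replace ',', '.')
            [pscustomobject]@{
                Computer = $env:COMPUTERNAME
                Path     = $_.FullName
                Version  = $ver
                Patched  = ($ver -ge $MinimumVersion)
            }
        }
    }
}

function Set-FlashKillBit {
    # Sets the ActiveX kill bit (Compatibility Flags = 0x400) for the Flash control,
    # so IE refuses to instantiate it regardless of version. Reversible by deleting
    # the key. Supports -WhatIf so the change can be previewed first.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $clsid = '{D27CDB6E-AE6D-11cf-96B8-444553540000}'      # Shockwave Flash Object (assumption)
    $keys = @("HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid",
              "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid")
    foreach ($key in $keys) {
        if ($PSCmdlet.ShouldProcess($key, 'Set Compatibility Flags = 0x400')) {
            New-Item -Path $key -Force | Out-Null
            New-ItemProperty -Path $key -Name 'Compatibility Flags' -PropertyType DWord -Value 0x400 -Force | Out-Null
        }
    }
}

# Fleet run over PowerShell remoting. $hosts is a constructed list; feed it from
# AD or the CMDB in practice. Hosts that return nothing have no Flash binary in
# the standard location (or remoting failed), and are listed separately so an
# empty result is never mistaken for "patched".
$hosts  = 'ws-fin-01', 'ws-fin-02', 'ws-eng-07'
$report = Invoke-Command -ComputerName $hosts -ScriptBlock ${function:Get-FlashInventory} -ErrorAction Continue

"Unpatched Flash binaries:"
$report | Where-Object { -not $_.Patched } | Format-Table Computer, Path, Version -AutoSize

"Hosts with no Flash found under Macromed\Flash (check manually):"
$seen = @($report | ForEach-Object { $_.Computer } | Sort-Object -Unique)
$hosts | Where-Object { $seen -notcontains $_ }

# Fallback for machines that cannot take the patch this week: preview, then apply.
Invoke-Command -ComputerName ($report | Where-Object { -not $_.Patched } | ForEach-Object { $_.PSComputerName } | Sort-Object -Unique) `
               -ScriptBlock ${function:Set-FlashKillBit} -ArgumentList @() -WhatIf
```

Two caveats on what this does and does not cover. The inventory only finds the shared runtime Adobe (or, on Windows 8 and later, Windows Update) drops into Macromed\Flash; applications that ship their own copy of the Flash runtime, such as standalone projectors or AIR-based software, need their own enumeration, which is why the page's "embedded Flash in installed applications" line is there. And the kill bit only protects Internet Explorer; the NPAPI and PPAPI plugins in other browsers are disabled through those browsers' own policy settings.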
For the longer engagements there is a question I want to raise with the manufacturing client at the next board review. Hacking Team's customer list includes several state actors with which the client's overseas subsidiaries have working relationships. The likelihood that the same RCS implant has been used against the client's infrastructure — by a government acting on a matter that they consider legitimate, in a jurisdiction where they have legal authority to do so — is non-zero. The threat model for an organisation operating internationally has to include state surveillance as a category, and the breach gives a remarkable amount of detail on the technical capabilities to plan against.
The wider story is the visibility into how the offensive market actually operates. The internal correspondence in the archive shows the day-to-day texture of the work — sales pitches, customer support tickets, technical discussions, internal disagreements about ethics, the legal opinions about export-control regimes (the Wassenaar dual-use updates of December 2013 feature heavily). Researchers will be reading this for months. The legitimate academic work on the surveillance industry, which has mostly relied on partial leaks and inferential analysis, has just acquired its primary source.
I will be writing more about this in the coming weeks, particularly about the technical architecture of RCS as documented in the leaked manuals — there are interesting design decisions worth describing — and about the procurement and licensing pattern that the customer correspondence reveals. There is enough material in the archive to fill many hundred-thousand-word essays. The first task this week, however, is patching.