Hack reveals how some ASEAN countries spy on their people

Reading Time: 4 minutes
hacking_team_video
Shot from Hacking Team’s marketing video

Government agencies in Singapore, Malaysia, Thailand and Vietnam are all on a customer list of a notorious Italian company whose main product is a spyware solution that includes digital intrusion tools to monitor activities on computers and smartphones.

In the night between July 5 and 6, unidentified hackers broke into the computer system of Milan, Italy based Hacking Team, a company that is known for selling its spyware with offensive surveillance and “evidence collection” capabilities to governments and law enforcement agencies around the world, a product that it humbly calls “Remote Control System” and brands as “Galileo”.

The hackers published a massive, 400 gigabyte trove on bittorrent of internal documents from the company, among which a highly interesting and comprehensive list of Hacking Team’s customers can be found.

Investvine provides the full Excel list for download, noting that it is from an unofficial leak and is not necessarily entirely accurate. We also emphasise that the acquisition and the use of the described surveillance software by government agencies of certain countries might not automatically indicate a breach of privacy laws in the respective jurisdictions. In cases the spyware has been sold to otherwise embargoed countries, such as Sudan, there is still the issue of whether hacking tools are defined as weapons in the terms of arms control agreements.

Hacking Team itself says it does not sell its software to countries that abuse human rights and that the product is used in around 30 countries worldwide on five continents. As a result of the hack, however, which also brought to light the source code of the spyware, Hacking Team said that “the ability to control who uses the technology has been lost” and “virtually all clients have suspended the use of the system that was compromised in the attack” and that the company will “provide an update to the Remote Control System that will allow clients to resume criminal and intelligence investigations.”

In ASEAN, the list shows customers such as the Infocomm Development Authority of Singapore (iDA), the city state’s main information and communication government body tasked with the “Intelligent Nation 2015” master plan. Other big customers are the Royal Thai Army and the Department of Correction of the Thai Police, and the latest clients were two mysterious agencies in Vietnam, GD1 and GD5, likely one military and one public security law enforcement or intelligence organisation.

But within the region, Malaysia seems to have the biggest interest in what its people are doing on their computers and phones, as the list depicts no less than four Malaysian agencies that are using the Italian “Remote Control System”: The Malaysian Anti-Corruption Commission, one obviously military intelligence body marked as MAL-MI, an agency abbreviated “Malaysia K” which could be the Kor Risik Diraja (Royal Intelligence Corps) which is Malaysia’s main intelligence agency and – last but not least – the Prime Minister’s Office, whose so-called Research Division is actually the public name for the Malaysian External Intelligence Organisation, the country’s main foreign intelligence agency.

hackingteam-stealthMalaysia, Vietnam and Thailand seem to be in further negotiations with Hacking Team as the document states them as “opportunities,” which is marketing jargon that talks about possible future deals are ongoing. New agencies involved are the Royal Malaysian Police – Commercial Crimes Investigation Department, the Malaysian Communications and Multimedia Commission, the central body overlooking all telecommunication and multimedia activities in the country, the Royal Thai Armed Forces Security Center, the Royal Thai Police Narcotics Suppression Bureau and Vietnam’s Ministry of Defense.

Other global customers of Hacking Team include Azerbaijan, Bahrain, Egypt, Ethiopia, Kazakhstan, Morocco, Nigeria, Oman, Saudi Arabia, Sudan, as well as several US agencies including the Drug Enforcement Administration (DEA), Federal Bureau of Investigation (FBI) and the Department of Defense. The document shows that Hacking Team, for example,  has client revenues of €750,000 with Ethiopia’s Information Network Security Agency (the spy agency of a country known to surveil and censor its journalists and political dissidents) for licensing its spyware, and gets €80,000 in annual maintenance fees. For Sudan, a country that is the subject of a UN embargo, the document shows revenue of €960,000 for licensing and €76,000 annual fees from the National Intelligence and Security Services for the same software. Among the top spending client countries are Italy, Mexico, Saudi Arabia and United Arab Emirates.

The methods the spy software uses are quite disturbing. In fact, an “agent” is secretly installed on a user’s device in the course of a direct hacking attack, no matter if the targeted operating system is Windows, OS X, Linux, Android, iOS, Symbian, Windows Phone or Blackberry. Installation of the “agent” takes place via fake software updates, emails with fake and/or malicious attachments and security flaws in popular software such as Adobe Flash.

The “agent” overcomes encryption on the target device and is able to “collect evidence” in stealth mode and to transmit collected data from the device to the company’s own server. That way, the spyware can

  • Collect emails, text messages, phone call history and address books
  • Log keystrokes
  • Uncover search history data and take screenshots
  • Record audio from Skype and voice calls
  • Use phones to collect ambient noise and conversations
  • Activate phone or computer cameras unnoticeably
  • Hijack telephone GPS systems to monitor a target’s location

Hacking Team’s Remote Control System Galileo is one of two high-profile government spyware solutions, the other being FinFisher, a product of British/German software company Gamma International which is a subsidiary of British Virgin Islands-domiciled Gamma Group, a controversial computer surveillance firm employing ex-military personnel. Gamma Group’s customers in ASEAN include Indonesia. Both firms say they are selling to governments only.

Below is Hacking Team’s own marketing video:

Do you like this post?
  • Fascinated
  • Happy
  • Sad
  • Angry
  • Bored
  • Afraid

Reading Time: 4 minutes

Shot from Hacking Team’s marketing video

Government agencies in Singapore, Malaysia, Thailand and Vietnam are all on a customer list of a notorious Italian company whose main product is a spyware solution that includes digital intrusion tools to monitor activities on computers and smartphones.

Reading Time: 4 minutes

hacking_team_video
Shot from Hacking Team’s marketing video

Government agencies in Singapore, Malaysia, Thailand and Vietnam are all on a customer list of a notorious Italian company whose main product is a spyware solution that includes digital intrusion tools to monitor activities on computers and smartphones.

In the night between July 5 and 6, unidentified hackers broke into the computer system of Milan, Italy based Hacking Team, a company that is known for selling its spyware with offensive surveillance and “evidence collection” capabilities to governments and law enforcement agencies around the world, a product that it humbly calls “Remote Control System” and brands as “Galileo”.

The hackers published a massive, 400 gigabyte trove on bittorrent of internal documents from the company, among which a highly interesting and comprehensive list of Hacking Team’s customers can be found.

Investvine provides the full Excel list for download, noting that it is from an unofficial leak and is not necessarily entirely accurate. We also emphasise that the acquisition and the use of the described surveillance software by government agencies of certain countries might not automatically indicate a breach of privacy laws in the respective jurisdictions. In cases the spyware has been sold to otherwise embargoed countries, such as Sudan, there is still the issue of whether hacking tools are defined as weapons in the terms of arms control agreements.

Hacking Team itself says it does not sell its software to countries that abuse human rights and that the product is used in around 30 countries worldwide on five continents. As a result of the hack, however, which also brought to light the source code of the spyware, Hacking Team said that “the ability to control who uses the technology has been lost” and “virtually all clients have suspended the use of the system that was compromised in the attack” and that the company will “provide an update to the Remote Control System that will allow clients to resume criminal and intelligence investigations.”

In ASEAN, the list shows customers such as the Infocomm Development Authority of Singapore (iDA), the city state’s main information and communication government body tasked with the “Intelligent Nation 2015” master plan. Other big customers are the Royal Thai Army and the Department of Correction of the Thai Police, and the latest clients were two mysterious agencies in Vietnam, GD1 and GD5, likely one military and one public security law enforcement or intelligence organisation.

But within the region, Malaysia seems to have the biggest interest in what its people are doing on their computers and phones, as the list depicts no less than four Malaysian agencies that are using the Italian “Remote Control System”: The Malaysian Anti-Corruption Commission, one obviously military intelligence body marked as MAL-MI, an agency abbreviated “Malaysia K” which could be the Kor Risik Diraja (Royal Intelligence Corps) which is Malaysia’s main intelligence agency and – last but not least – the Prime Minister’s Office, whose so-called Research Division is actually the public name for the Malaysian External Intelligence Organisation, the country’s main foreign intelligence agency.

hackingteam-stealthMalaysia, Vietnam and Thailand seem to be in further negotiations with Hacking Team as the document states them as “opportunities,” which is marketing jargon that talks about possible future deals are ongoing. New agencies involved are the Royal Malaysian Police – Commercial Crimes Investigation Department, the Malaysian Communications and Multimedia Commission, the central body overlooking all telecommunication and multimedia activities in the country, the Royal Thai Armed Forces Security Center, the Royal Thai Police Narcotics Suppression Bureau and Vietnam’s Ministry of Defense.

Other global customers of Hacking Team include Azerbaijan, Bahrain, Egypt, Ethiopia, Kazakhstan, Morocco, Nigeria, Oman, Saudi Arabia, Sudan, as well as several US agencies including the Drug Enforcement Administration (DEA), Federal Bureau of Investigation (FBI) and the Department of Defense. The document shows that Hacking Team, for example,  has client revenues of €750,000 with Ethiopia’s Information Network Security Agency (the spy agency of a country known to surveil and censor its journalists and political dissidents) for licensing its spyware, and gets €80,000 in annual maintenance fees. For Sudan, a country that is the subject of a UN embargo, the document shows revenue of €960,000 for licensing and €76,000 annual fees from the National Intelligence and Security Services for the same software. Among the top spending client countries are Italy, Mexico, Saudi Arabia and United Arab Emirates.

The methods the spy software uses are quite disturbing. In fact, an “agent” is secretly installed on a user’s device in the course of a direct hacking attack, no matter if the targeted operating system is Windows, OS X, Linux, Android, iOS, Symbian, Windows Phone or Blackberry. Installation of the “agent” takes place via fake software updates, emails with fake and/or malicious attachments and security flaws in popular software such as Adobe Flash.

The “agent” overcomes encryption on the target device and is able to “collect evidence” in stealth mode and to transmit collected data from the device to the company’s own server. That way, the spyware can

  • Collect emails, text messages, phone call history and address books
  • Log keystrokes
  • Uncover search history data and take screenshots
  • Record audio from Skype and voice calls
  • Use phones to collect ambient noise and conversations
  • Activate phone or computer cameras unnoticeably
  • Hijack telephone GPS systems to monitor a target’s location

Hacking Team’s Remote Control System Galileo is one of two high-profile government spyware solutions, the other being FinFisher, a product of British/German software company Gamma International which is a subsidiary of British Virgin Islands-domiciled Gamma Group, a controversial computer surveillance firm employing ex-military personnel. Gamma Group’s customers in ASEAN include Indonesia. Both firms say they are selling to governments only.

Below is Hacking Team’s own marketing video:

Do you like this post?
  • Fascinated
  • Happy
  • Sad
  • Angry
  • Bored
  • Afraid