It is now an indisputable fact that governments in the Middle East are using spyware to spot political activists rather than terrorists or criminals. I have written many articles about this phenomenon since the WikiLeaks SpyFiles revelations. But the latest discovery should make us think twice about cybersecurity in the region.
Today, The Citizen Lab at the University of Toronto and Kaspersky Lab both published detailed analyses of software called “Remote Control System” (RCS) from Hacking Team in Italy. According to the Italian firm, this surveillance and spying product is sold only to countries looking to track suspects and criminals, and they do not sell to repressive regimes. Unfortunately, this claim is not true at all!
The latest analysis reveals that this company offers its remote control spyware to governments in the Middle East, and the most shocking part is that they also have “Command-and-Control Servers” inside Middle East countries. The researchers discovered that this malware’s infrastructure comprises at least 326 servers in 40 countries around the world. It is not surprising that the US and other Western countries host the largest number of servers, but what is telling is that a couple of servers are located inside the Middle East. The only explanation for this is that Middle East countries, especially their law enforcement agencies, are keen to cooperate with this malware gang, Hacking Team. They need these servers inside their countries to have full control over what is going on. In addition, they avoid the legal hassle that comes with servers located outside their borders!
As revealed by Citizen Lab, this map shows countries in the Middle East suspected of using this malware.
To trace the location of Hacking Team servers, researchers at Kaspersky scanned the entire IPv4 Internet address space, using a special “fingerprinting” method they developed that can identify RCS command-and-control servers (C2s). These servers are used as hidden infrastructure to deploy the malware and to control infected targets. In the Middle East, these C2s were found in Saudi Arabia, Egypt and Morocco. Some of the IP addresses revealed appeared to be connected directly to government authorities, according to the researchers.
There are many incidents in the Middle East that prove this malware has been used by governments to suppress human rights activists and even journalists.
The Italian company claims that its malware cannot be detected and that it is invisible to the users it targets. In fact, this is somewhat true if the user is not aware enough or is not practicing information security at all. The exploit or the payload of this malware depends on several things to trick the target, for example:
- Exploiting unpatched software (if you don’t regularly update your software or OS, you are in danger)
- Social engineering tactics (if you normally open email attachments from untrusted or unknown sources, you might be infected; if you download many apps on your mobile phone from Google Play, you could be infected; if you jailbreak your iPhone, you can easily be infected!)
- Fake updates from a trusted source (sometimes they use a fake update sent by a trusted service provider that may cooperate with a government authority to infect your cell phone, for example; the update or any other malicious software could be signed with fake or stolen certificates)
With poor security awareness in the Middle East, this malware could easily be used to trick users and infect their devices. But one of the dangerous consequences, beside the violation of human rights, is the national security of the countries that are using this piece of malware. Even if they have servers located inside their borders and controlled by government authorities to target civilians, without strict security measures these surveillance tools could be turned against the government itself.
What will happen if this so-called “hidden infrastructure” of command-and-control servers gets hacked?
What will the consequences for national security be when foreign intelligence agencies cooperate with this malware gang to hack your infrastructure?
Governments that use off-the-shelf technologies to hack their own people will not be able to defend their infrastructure when it is hacked by cyber-mercenaries!
Resources FYI:
Police Story: Hacking Team’s Government Surveillance Malware
Mapping Hacking Team’s “Untraceable” Spyware
HackingTeam 2.0: The Story Goes Mobile
Did Hacking Team receive Italian public funding?
Wikileaks (HackingTeam Presentation)
Enemies of the Internet (HackingTeam case)