A controversial cyber espionage company called Hacking Team is reeling this morning after hackers gave it a taste of its own medicine by breaking into its systems, downloading hundreds of gigabytes of data and throwing it all on the open Internet.
Hacking Team has not said whether the leaked documents are legitimate, but NPR verified that at least the hacked personal passwords do check out.
Without a doubt, a hack of this kind would be terribly problematic for a company that secretly sells spyware to governments — including, if the documents prove authentic, repressive ones — around the world.
Here's how one Twitter user put the news into context:
Hacking Team has been controversial for years. Reporters Without Borders, for example, lists the company as an enemy of the Internet. Over the years, Citizen Lab, a lab that studies surveillance at the Munk School of Global Affairs at the University of Toronto, says that it has found Hacking Team's spyware in 21 countries, including Sudan, Egypt, Ethiopia, Turkey and Malaysia.
On two occasions, the Lab has written open letters to Hacking Team urging them to stop use of their software to quash human rights in repressive countries. Hacking Team has always maintained that it complies with the Wassenaar Arrangement, which is intended to limit the kind of dual-use technology that can be sold to certain regimes.
CSOOnline, which covers cybersecurity issues, reports that one of the leaked documents — purportedly an invoice for services to Sudan — is especially telling:
"The link to Sudan is especially newsworthy as the company previously stated they've never done business with the nation. There is a UN arms embargo on the Sudan, which is covered by EU and UK law. If they were doing business with the Sudanese government, Hacking Team could be in hot water.
"In 2014, a Citizen Lab report revealed evidence that Hacking Team's RCS (Remote Control System) was being used by the Sudanese government, something the Italian company flat-out denied.
"However, on Sunday a contract with Sudan, valued at 480,000 Euro, and dated July 2, 2012, was published as part of the 400GB cache. In addition, a maintenance list named Sudan as a customer, but one that was 'not officially supported.' Interestingly, Russia has the same designation."
Christopher Soghian, a privacy activist with the ACLU tells NPR's Elise Hu that this trove of documents is a "smoking gun" that shows that "Hacking Team has in fact sold its technology to a number of governments with truly atrocious human rights records."
He added: "What this shows us is that surveillance software, advanced surveillance capabilities, are now available to the largest and smallest governments in the world. We really need to have a bigger conversation about whether these tools should be used in democracies."
Elise called Hacking Team's office in Italy, but the person who answered the phone directed any questions to an email address.
One of Hacking Team's employees apparently tweeted about the incident. Before the account was deleted, Christian Pozzi, a senior security engineer at the company, said they were working with police to catch the hackers.
"A lot of what the attackers are claiming regarding our company is not true," the tweets read. "Please stop spreading false lies about the services we offer."
A cached version of that Twitter timeline can be found here.
No one, yet, has taken responsibility for the hacking.
Update at 1:14 p.m. ET: U.S. Sales
Back in April, Vice's Motherboard blog reported that the Drug Enforcement Agency had been secretly buying surveillance software from Hacking Team.
If these leaked documents are legitimate, they would prove Vice's story correct. Two spreadsheets included in the trove of data, show that Hacking Team has sold hundreds of thousands of dollars worth of software to the DEA, the FBI and the Department of Defense.
One of the spreadsheets shows that $473,000 worth of software was delivered to the DEA through a company called CICOM USA.
As Motherboard reported, federal records show that CICOM USA, a communications company headquartered in Maryland, has been given many contracts throughout the years.
In 2012, for example, records show that CICOM received a DEA contract worth $575,000 for "other communications equipment manufacturing."
According to Motherboard, the DEA was purchasing software known as Remote Control System, which is "capable of intercepting phone calls, texts, and social media messages, and can surreptitiously turn on a user's webcam and microphone as well as collect passwords."
"Surveillance tech experts say the DEA's relation with Hacking Team is further proof that methods and tools once only reserved for the military, intelligence agencies and even cybercriminals—such as drones and StingRays—are becoming commonplace in law enforcement as well.
"'Hacking software is yet another example of a technology created for the intelligence community that has secretly trickled down to law enforcement,' Christopher Soghoian, the principal technologist at the American Civil Liberties Union and an expert of surveillance technology, told Motherboard.
"And given the how powerful this spyware can be, Soghoian added, 'we need a public debate over this invasive surveillance technology.'"