In one of the largest coordinated crackdowns in the history of hacking and law enforcement, hundreds of people have been raided, questioned, or arrested for being connected with a commercially available program that sells for as little as $40 on the open market. It’s called Blackshades, and it’s a remote access tool, or RAT as it is known in the computer industry.
Europol claimed 359 raids connected to the Blackshades investigation, with the FBI confirming 97 arrests in 16 countries. The arrests were trumpeted with press conferences on both sides of the Atlantic. But it’s unclear how many actually used the software for criminal activity—instead of merely possessing it. And it’s unclear whether the charges against all of these supposed hackers will actually stick.
According to an AP report, the French police arrested citizens the FBI identified as having used or even acquired the software. One French publication reported over 70 search warrants executed on May 13th, all related to Blackshades.
The 16 governments bringing charges may have a tough time with their cases if they were arresting people for possession of the software package. Without logs or other evidence of the purchasers using the software against unsuspecting targets, most of those governments will have to prove that the purchasers intended to use the software in an illegal way. The software was often marketed as being for illicit intrusion, but marketing material isn’t evidence.
Europol claimed the raids had seized firearms, drugs, and cash unrelated to the software, and those people will likely face additional charges.
Michael Hogue, one of the alleged creators of Blackshades, was arrested in connection to a credit card sting operation in July of 2012 and released on $20,000 bail. He pleaded guilty and cooperated with the authorities. The four indictments issued Monday by the U.S. Attorney’s office in the Southern District of New York included Hogue’s alleged co-creator of Blackshades, Moldova-based Alex Ycel; Brendan Johnston, who did sales and marketing for the product; and two customers, Marlen Rappa and Kyle Fedorek, who allegedly bought Blackshades and used it to compromise unauthorized computers.
The FBI claims that over 700,000 computers have been taken over by Blackshades worldwide, allowing for a host of possible abuses. It is unclear how many perpetrators might have been involved, or the nature of the exploitation of those computers.
“Once a computer was infected with the RAT, the user of the RAT had complete control over the computer,” said the FBI in a press release Monday. “The user could, among other things, remotely activate the victim’s web camera.” The release also went on to mention file access, access to online logins, as well as the ability to use the computer in a distributed denial of service, or DDoS, attack.
Despite the shocking list of features highlighted by the FBI press release, Blackshades was technically no different than any other remote desktop tool. There is nothing sinister about RATs as a kind of program. Remote Access Tools are a ubiquitous feature of networks and the Internet, allowing for administration and control without being physically present with the computer. To work properly, such a tool needs to have administrative access—to do anything the computer owner can do, including access files, logins, and USB devices like a webcam. But unlike most commercially available RATs, Blackshades was promoted and packaged as a spying tool, much like Hacking Team’s DaVinci and Gamma’s Finfisher programs, controversial software packages marketed for unauthorized control of someone else’s computer.
While Hacking Team and Gamma claim to only sell to governments, Blackshades was available to anyone, costing 150 Euros for their Gold product. All three RATs have have been found on the computers of journalists and activists in Middle Eastern countries. In 2012, Morgan Marquis-Boire and Seth Hardy of Citizen Lab in Toronto reported that Blackshades was distributed to anti-government Syrian activists over Skype, a method consistent with Syrian government attacks on the computers of both rebels and protesters. Marquis-Boire has extensively researched DaVinci and Finfisher malware, and says Blackshades is a bit different. It was “a reasonably featureful backdoor product sold very cheaply,” he says. “What’s interesting is that we saw this used in hot conflict situations, not only in Syria, but also in Libya. We have seen this malware used not only for cybercrime, but also espionage and intelligence gathering…by governments that are presumably unable to purchase so-called ‘Lawful Intercept’ backdoors such as FinFisher or Galileo.” (Galileo is the latest version of Hacking Team’s offering.)
In a way, Blackshades was democratizing the same tools available to wealthy nations to poor ones and normal people.
“KheOps,” a French digital activist with the hacker collective Telecomix, participated in the group’s opSyria project for several years. He has worked extensively with people whose computers have been compromised by tools like Blackshades, diagnosing and repairing intrusion as well as training activists on evading attacks. He doesn’t see this operation as useful. “Why [are they] targeting, massively and worldwide, this RAT in particular?” he said. “The result will be catching script kiddies [inexperienced hackers using tools built by others], scaring people about ‘hackers,’ but probably not to solve a real issue…[how] to stop RATs from being misused.”
Just as Blackshades could be used for authorized remote administration or as a research and education tool, nothing stops supposedly good tools from being misused. “You can wrap a RAT written for good purposes into a malicious installer, for instance…an infected Word document you created yourself,” says KheOps, “It will install the RAT without the user knowing it, probably with pre-configured settings to connect to the attacker’s machine.”
Blackshades is only one of many remote access tools. Dozens are available in the black and gray markets, as wall as being marketed more normally to remote workers and worried parents. If purchasing or downloading remote access software is grounds for a search warrant or arrest, the civil liberties implications are worrying.