Hacking Team, an Italian company that manufactures cyberespionage and warfare tools used by repressive governments around the world, has been selling its gear to a U.S. firm that does business with the Pentagon, according to a trove of documents stolen from the company by unknown actors and posted online.
The U.S. company, CyberPoint, which is based in Baltimore, is listed among what Hacking Team calls its “offensive” customers, who apparently are using the company’s products and services for offensive operations. (“Defensive” customers are listed in a separate file.)
Precisely how the company is using Hacking Team’s products isn’t clear from the documents. But CyberPoint’s own American business offers clues, and links the controversial Italian company—which counts authoritarian governments including Russia, Sudan, Egypt, and Saudi Arabia as clients—to the American military’s burgeoning cyberwarfare apparatus.
The FBI, the Drug Enforcement Administration, and the Department of the Army are also listed as Hacking Team customers. The Italian operation worked with another U.S. firm, called Cicom, as its conduit to those government organizations.
In April, Hacking Team customer CyberPoint was awarded a $2.3 million contract from the Air Force for “complexity and side-channel adversarial integrated defects.” In plain English, a side-channel attack is one that tries to break the encryption protecting information by monitoring the physical attributes of the encryption system itself—like how long it takes to perform certain functions or how it uses power. Side-channel attacks differ from “brute force” attempts that use powerful computers to come up with thousands upon thousands of guesses at an encryption key until hitting on the right one. They are effectively another means by which a country can spy on anyone using encryption to guard the privacy of their communications.
In June, CyberPoint received a $6 million research contract from DARPA, the Pentagon’s leading research and development agency, to study how U.S. military computers might be vulnerable to side-channel attacks. While that research is aimed at protecting American systems, the knowledge it takes to break encryption is also essential for protecting it, so offensive and defensive hacking are to a certain extent interchangeable disciplines.
A CyberPoint representative didn’t return a request for comment.
The company advertises itself as being in the cyber defense business. But among its offerings are services that require offensive expertise, such as searching for flaws and vulnerabilities in customers’ systems.
CyberPoint also bills itself as a kind of matchmaker between U.S. companies and government agencies and foreign technology firms, testing their products’ security and assessing “issues related to foreign ownership, control, and interest,” according to CyberPoint’s website. “We can deliver security reports and market analysis, but we can also open new sales channels, work with companies to create derivative products, and even draw on an investment fund to get innovative ideas off the ground,” the company says.
CyberPoint doesn’t specify whether Hacking Team received that special service. But it boasts a close relationship with the U.S. government. According to a company press release, CyberPoint plans to host an FBI supervisory special agent at a craft brewery in Laurel, Maryland, this month, where he will talk about a notorious computer botnet that the law enforcement agency helped take down last year.
An FBI spokesman declined to comment.
CyberPoint has other U.S. government ties. It has employed at least one former U.S. intelligence officer who worked in offensive cyber operations for the National Security Agency, according to a source who spoke on the condition of anonymity. Paul Kurtz, who worked on cyber security and counterterrorism issues for the National Security Council during the George W. Bush administration, worked for three years as CyberPoint’s chief information security officer after leaving government.
And the company has close ties to at least one foreign government, the United Arab Emirates, where it has run a cybersecurity operations center and is advertising for positions.
The work for the UAE provides another glimpse of the company’s potentially offensive cyber operations. Among the leaked Hacking Team documents is an invoice that shows CyberPoint bought the Italian company’s Remote Control System, a spying tool that allows users to “take control of your targets and monitor them regardless of encryption and mobility” and “hack into your targets with the most advanced infection vectors available,” Hacking Team claims on its website. Reportedly, the Remote Control System can turn on a laptop computer’s camera and microphone, making it an eavesdropping device.
The invoice for CyberPoint is billed to the company’s office in Maryland but was labeled by Hacking Team as “MOI—UAE,” apparently a reference to the United Arab Emirates Ministry of Interior, which houses the country’s security services. Hacking Team has also sold its products through companies acting as middlemen to the governments of Egypt and Saudi Arabia.
The Middle East and the Gulf region have been important markets for Hacking Team, according to its client rosters and leaked invoices. In March, company employees spoke at a surveillance conference for law enforcement agencies in Dubai. Some of the presentation titles—“Offensive Surveillance in Today’s Changing, Challenging and Dangerous World,” and “Intruding Personal Devices with Remote Control System”—make clear that the company’s business is built on turning government agencies into cyber spies. CyberPoint also presented at the conference, on “automating malware analysis” to assist in hacking investigations.
The company has also found a home with U.S. allies in Asia. Notably, Hacking Team has sold its Remote Control System to the South Korean army. South Korea and the United States share a common cyber foe in North Korea, which has attacked companies in both countries.
The U.S. has also mounted aggressive cyber spying operations against North Korea. And as The Daily Beast reported, the U.S. launched limited offensive cyber operations against North Korean computer networks last year in retaliation for the country hacking Sony Pictures Entertainment.
The motivations of the intruders who posted Hacking Team’s secrets online are still unclear. But the disclosure could be a problem for some of the company’s spy agency clients. Now that the world knows which countries Hacking Team was working for, those spies themselves could be the next targets.
Nicholas Weaver, a senior researcher at the International Computer Science Institute, told The Daily Beast, “There are almost certainly a lot of intelligence agencies warming up for some significant ‘fourth party’ collection, that is, steal data from somebody else’s cache of stolen data.”