If you live in Singapore, Malaysia, Thailand or Vietnam and you are an activist or a journalist, the government probably knows a lot more about the inside of your computer than you think, and more than you want it to.
On July 5, unknown hackers broke into the computers a shadowy company based in Italy that has become notorious across the world. With offices in Milan, Washington, DC and Singapore, its name is The Hacking Team, and it is one of a half-dozen such firms identified as “digital era mercenaries” because they sell products to governments to spy surreptitiously on their own citizens.
Top Asian clients among the countries using The Hacking Team’s services are Malaysia, the seventh-biggest spender, paying The Hacking Team US$1,861,131 for its assistance in spying on its citizens. Singapore is 10th, just behind the US, which is 9th. Singapore paid The Hacking Team US$1,209,963. Vietnam is 21st, at US$560,735, followed by Thailand at US$466,482.
According to the Massachusetts-based CSO cyber-security firm, the US Department of Defense apparently had a contract with The Hacking Team but no longer does. The FBI had an active maintenance contract until June 30 and the Drug Enforcement Agency has a renewal in progress.
The hackers, whoever they were, downloaded 400 gigabytes of internal documents, source codes and email communications with governments and dumped the haul onto the Internet. The documents tell a chilling story of helping some of the world’s most repressive countries including Sudan, Saudi Arabia, Azerbijan and Kazakhstan. In all, 38 countries are on the list of clients. According to other sources, The Hacking Team also expressed the intention to go after Human Rights Watch and other such activist organizations.
And what do they get for their money? Here is a presentation on the company’s website to entice governments to spy. It is well worth listening to:
“You have new challenges today. Sensitive data is transmitted over encrypted channels. Often the info you want is not transmitted at all. Your target may be outside your monitoring domain. Is passive monitoring enough? You want more. You want to look through your target’s eyes. You have to hack your target. You have to hit many different platforms. You have to overcome encryption and capture relevant data. Being stealthy and untraceable. Deployed all over your country. That is exactly what we do. Remote Control System Galileo. The hacking suite for governmental interception. Rely on us.”
“Without advanced technology, authoritarian regimes would not be able to spy on their citizens,” Reporters Without Borders said. “They sell products that are used by authoritarian governments to commit violations of human rights and freedom of information. They are Gamma, Trovicor, Hacking Team, Amesys and Blue Coat.”
Bahrain’s royal family has used Trovicor’s surveillance and interception products to spy on news providers and arrest them, according to Reporters Without Borders. Blue Coat’s deep packet inspection products have made it possible for Syria to spy on dissidents and netizens throughout the country, and to arrest and torture them. Amesys provided products to the Libyan secret police during the late Muammar Gaddafi’s reign. The Hacking Team and Gamma have provided malware to capture the passwords of journalists and bloggers.
“Online surveillance is a growing danger for journalists, citizen-journalists, bloggers and human rights defenders,” Reporters Without Borders secretary-general Christophe Deloire said. “Regimes seeking to control news and information increasingly prefer to act discreetly. Rather than resort to content blocking that generates bad publicity and is early circumvented, they prefer subtle forms of censorship and surveillance that their targets are often unaware of.”
The contract with the Malaysian government apparently was routed through the Prime Minister’s Office, “Malaysian Intelligence,” both listed as “active,” and the Malaysian Anti-Corruption Commission, now listed as “expired” according to documents made public by CSO. Thailand’s contract, with the country’s department of corrections, was listed as expired. A full list of curated documents made available by CSO can be found here.
The Singapore government’s Infocom Development Agency is the unit that apparently purchased the Galileo software. That agency, according to its website, “formulates and develops short- and medium-term infocomm-related policies, as well as standards, codes of practices and advisory guidelines - all of which are enforceable by IDA - pertaining to issues such as licensing, interconnection, resource and competition management, to name a few. IDA also monitors local and global infocomm market trends, developments and regulatory measures, while remaining technology-neutral, to ensure that the current infocomm policies and regulatory frameworks are effective and relevant.”
According to The Hacking Company’s website, “In today’s connected world, data is moving from private devices to the social cloud. Encryption is everywhere to protect the users’ privacy from prying eyes. In the same way, encryption is hiding criminal intents from you. Don’t you feel you are going blind? Sometimes relevant data are bound inside the device, never transmitted and kept well protected … unless you are right on that device.”
The government’s target, according to the website, “can be anywhere today, while your hands are tied as soon as he moves outside the country. You cannot stop your targets from moving. How can you keep chasing them? What you need is a way to bypass encryption, collect relevant data out of any device, and keep monitoring your targets wherever they are, even outside your monitoring domain. Remote Control System does exactly that.”
The system allows governments to take control of target computers and monitor them regardless of encryption and mobility.
“It doesn’t matter if you are after an Android phone or a Windows computer: you can monitor all the devices. Remote Control System is invisible to the user, evades antivirus and firewalls, and doesn’t affect the devices’ performance or battery life. Hack into your targets with the most advanced infection vectors available. Enter his wireless network and tackle tactical operations with ad-hoc equipment designed to operate while on the move.
“Keep an eye on all your targets and manage them remotely, all from a single screen. Be alerted on incoming relevant data and have meaningful events automatically highlighted. Remote Control System: the hacking suite for governmental interception. Right at your fingertips.”