In early March, Motherboard reported that a new, mysterious government-malware company called Grey Heron is advertising malware designed to steal data from Signal and Telegram messaging apps. The company seemingly came out of nowhere, suddenly advertising its wares at surveillance fairs over the last few months.
But Grey Heron does have a history: The company emerged from controversial spyware firm Hacking Team, despite Grey Heron not mentioning these links publicly, Motherboard has learned. The move, it appears, may be to distance Grey Heron from the notorious, and perhaps damaged, brand of Hacking Team.
“Grey Heron’s mission is to provide to law enforcement the strong tools to balance the capabilities of those who wish to do harm,” a copy of Grey Heron’s brochure previously published by Motherboard reads.
Grey Heron was formed from other players in the government hacking space, including Hacking Team, a source familiar with the company said. In private conversations within the surveillance industry that were later detailed to Motherboard, Grey Heron has suggested it sees distancing itself from Hacking Team and its history as a benefit.
Indeed, Hacking Team may be the most high-profile government malware provider in the world due to its bold, public facing marketing, and because it sold surveillance products to a host of authoritarian regimes, including Sudan, Ethiopia, Bahrain. It also suffered a massive data breach, exposing many of the company’s secrets. In 2015, a pseudonymous hacker known as Phineas Fisher broke into the servers of the company, and went unnoticed for weeks. The hacker stole more than 400 gigabytes of internal data, including emails, customer records, and—worse—the spyware’s source code. On July 5, 2015, he revealed the hack from Hacking Team’s own, hacked, Twitter account, and dumped all the data online.
After a couple of years of struggles, an investor linked to the Saudi government bought a stake in Hacking Team, giving the company new cash to grow again, Motherboard recently reported,
Although the exact contours of the relationship between Hacking Team and Grey Heron are still fuzzy, an ex-Hacking Team employee, who spoke on condition of anonymity because he’s not allowed to talk about his former employer, said that it would “make sense to use a different name to continue to sell to those clients who weren’t happy after the hack.”
Got a tip? You can contact Joseph Cox securely on Signal on +44 20 8133 5190, and Lorenzo Franceschi-Bicchierai on Signal on +1 917 257 1382. Details on our SecureDrop, a system to anonymously submit documents or information, can be found here .
“Except those customers who don’t care because they buy spyware without thinking twice,” the former employee, who had no direct knowledge of Grey Heron, told Motherboard. “I imagine that there’s a lot of them who don’t see Hacking Team favorably anymore, including the reselling partners, perhaps even more so than the final customers.”
Grey Heron has said privately that the Italian government has given the company permission to export its products throughout the European Union, and that Grey Heron has particular interest in selling to European and North American clients.
The firm has exhibited at two recent UK surveillance shows, the Home Office sponsored Security & Policing event, and the International Security Expo, according to the shows’ websites. At the latter, Eric Rabe, who handles Grey Heron’s marketing and communication and is also Hacking Team’s longtime spokesperson, gave a talk on “privacy and the encryption threat.”
Rabe did not respond to multiple requests for comment concerning connections between the two Milan-based companies. David Vincenzetti, Hacking Team’s CEO, did not respond either.
The idea that those linked to Hacking Team can rebrand themselves under a new company may irk those pushing for accountability in the surveillance industry.
“The surveillance sector clearly needs further regulation to stop bad actors selling the means to crush dissent to any authoritarian afraid of their own society,” Lloyd Russell-Moyle MP, member of the UK Committees on Arms Export Controls (CAEC), told Motherboard in a statement. “It is vital that export licensing regimes across Europe apply these laws and crucially talk to one another to ensure human rights are not trampled over.”
Ron Deibert, director of The Citizen Lab, Munk School of Global Affairs and the University of Toronto, which has tracked Hacking Team extensively, said, “As long as it’s done within proper laws and regulations, individuals and businesses are free to reconstitute themselves in any way they choose. The bigger issue is the overall lack of transparency and accountability in the commercial spyware industry.”
“Given the history of abuses which we and others have documented, and the absence of transparency and public accountability, it is essential that researchers and journalists fill the void by tracking the companies closely—which of course we intend to do as part of our research mission,” he added.