Here Are the Tools Hacking Team Tried to Sell Canada's Top Spy Agency

Emails show CSIS and the RCMP were interested in Hacking Team’s collection of software vulnerabilities, exploits, and network hacking tools.

|
Jul 10 2015, 5:45pm

Image: Jamie McCaffrey/Flickr

When members of the the Royal Canadian Mounted Police (RCMP) met with the Italian surveillance company Hacking Team in Ottawa in 2011, they weren't just interested in the company's remote spy software—they also inquired about Hacking Team's collection of software vulnerabilities, exploits, and network hacking tools.

Oh, and they invited the Canadian Security Intelligence Service (CSIS) along to the meeting as well.

An email sent on July 16 by Hacking Team senior security engineer Alberto Pelliccione shows that the RCMP was interested in spying on users of Android and BlackBerry mobile phones, as well as Windows PCs. For this, Hacking Team sold a product called Galileo—a remote control service (RCS) software capable of intercepting phone calls, text messages, passwords and app data from compromised computers and phones, as well as eavesdropping on webcams and microphones.

But the RCMP also asked Pelliccione about three additional products: Hacking Team's remote mobile infection (RMI) tools, injection proxy appliance (IPA) and access to the company's exploit portal.

RCMP liked the demo, gave Hacking Team "compliments," and felt the $200-250K cost was reasonable

In other words, the RCMP was considering a suite of hacking tools that could potentially allow its investigators to infect targets with spy software remotely, over the internet, and without their knowing—the sort of capabilities typically associated with the NSA, or Canada's equivalent CSE. Not all of Hacking Team's customers purchased these tools, which cost extra. Some only opted for the core product, Galileo.

The RCMP ultimately decided not to purchase any of Hacking Team's software or services.

"I can tell you that the RCMP is open to considering new technologies to improve judicially authorized or lawful investigative practices," wrote RCMP spokesperson Sgt. Julie Gagnon in an email Wednesday morning. "The RCMP tested the Hacking Team technology in 2011. The RCMP did not purchase and does not use the Hacking Team technology."

The RCMP has yet to respond to an additional request for comment.

Customers of Hacking Team's exploit service, for example, could request information on software vulnerabilities—essentially, holes in software such as Internet Explorer, Microsoft Office and Adobe Flash—that could be exploited to deliver malware to targets. Some of these exploits were so-called zero day exploits: software vulnerabilities that have been discovered by researchers, but intentionally kept secret so that any malware exploiting the vulnerability will not be detected by antivirus or security software.

Instead of having to physically install Hacking Team's spy software on a target device, a law enforcement agency such as the RCMP would only need to trick a target into opening a file specially crafted using one of these exploits—an email attachment, perhaps, or a link to a webpage online.

But tricking a target into opening a file or browsing to a specially crafted website is not always easy, which is why Hacking Team also offered a product called an injection proxy appliance, or IPA. According to a company brochure previously studied by Citizen Lab, this is a networking device, typically installed alongside an internet service provider's servers, that can hijack a target's internet traffic without their knowing, and surreptitiously deliver malware to their device or computer.

Put simply, otherwise innocuous internet activity, like watching a video or downloading a new app, could be intercepted by Hacking Team's IPA, and then modified to include malware, too. Instead of a video, the target might be prompted to update their installation of Adobe Flash first—using an update that contains malware. Or, an installation file for a new game or app could be modified—in real-time, on its way to a user's computer—to include Hacking Team's spyware tool.

In an email, Motherboard asked CSIS to clarify why they were invited to attend the meeting, who was present, and whether the agency also participated in the RCMP's trial of Hacking Team's software. According to CSIS spokesperson Tahera Mufti, "CSIS does not confirm nor deny any details with respect to our methodologies, interests, or activities."

"The sooner we get them in and make them fall in love with RCS, the sooner they can decide and make a purchase"

The meeting between Hacking Team and the two Canadian intelligence agencies, according to Pelliccione's email, included "the chief of the technical investigation services, the leader of the forensic service analysis and three engineers of both departments," but it is not clear whether he is referring to CSIS or RCMP.

CSIS was invited, Pelliccione wrote, because "it's hard to meet them in other ways," CSIS explained to him.

RCMP liked the demo, according to Pelliccione's email, gave Hacking Team "compliments" and felt the $200-250K cost for Hacking Team's base RCS software was reasonable. Nevertheless, the agency asked to evaluate the product for one to two months before deciding. The RCMP would eventually purchase a computer according to Hacking Team's requirements, and be given a temporary license for the RCS software—but not access to the exploit portal or an IPA.

According to Pelliccione, the RCMP's trial was activated on September 29, 2011, and stayed active until November 30, a period of two months. The agency was given a test license for up to five target devices—a mix of Windows computers and BlackBerry phones.

But when Velasco reached out to the RCMP the following month, he discovered that the agency had little time to use Hacking Team's software.

"They have the demo key," Velasco wrote, "but have little time to work with it and learn it. Yet, they realize they need this technology. They have suggested a visit to HT HQ and would like to know if that is possible and how soon."

"The sooner we get them in and make them fall in love with RCS, the sooner they can decide and make a purchase," he continued. "Possibly this year."

But problems only continued. The following day, in an email titled "Big problem with Canada," Velasco wrote that an RCMP employee named Rick Gendre had requested a list of security software that was incapable of detecting Hacking Team's malware.

"I sent them a reply that it is available but only for customers," Velasco wrote, but "Rick said that if he does not get that information he is done with testing and will not work with HT and will not use RCS!"

In the end, Hacking Team decided to send the RCMP a "partial" list—not that it mattered. Emails show that Hacking Team continued to pursue a relationship with the RCMP after the agency's trial ended, and Alex Velasco sought follow-up meetings with the agency in 2012 and 2013, but to no avail.

As we now know, the agency opted not to buy any of Hacking Team's software. It is not clear whether the RCMP ever visited Hacking Team's headquarters.