July 13, 2015

Last week, hacktivists posted online 400 GB worth of internal emails, documents and other data stolen from Hacking Team, an Italian security firm that has earned the ire of privacy and civil liberties groups for selling spy software to governments worldwide. New analysis of the leaked Hacking Team emails suggests that in 2013 the company used techniques perfected by spammers to hijack Internet address space from a spammer-friendly Internet service provider in a bid to regain control over a spy network it apparently had set up for the Italian National Military Police.


Hacking Team is in the business of selling exploits that allow clients to secretly deploy spyware on targeted systems. In just the past week since the Hacking Team data was leaked, for example, Adobe has fixed two previously undocumented zero-day vulnerabilities in its Flash Player software that Hacking Team had sold to clients as spyware delivery mechanisms.

The spyware deployed by Hacking Team’s exploits is essentially a set of remote-access Trojan horse programs designed to hoover up stored data, recorded communications, keystrokes, etc. from infected devices, giving the malware’s operator full control over victim machines.

Systems infested with Hacking Team’s malware are configured to periodically check for new instructions or updates at a server controlled by Hacking Team and/or its clients. This type of setup is very similar to the way spammers and cybercriminals design “botnets,” huge collections of hacked PCs that are harvested for valuable data and used for a variety of nefarious purposes.
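The periodic check-in described above is exactly what makes this kind of implant visible on the wire: connections from one internal host to one external host at near-constant intervals. The following is an added example, not code from the original post, that scores constructed egress log lines by the regularity of their inter-connection gaps. The log format, the thresholds and all addresses are assumptions made for the demo.

```python
"""Beacon detection over constructed proxy-style log lines.

Added example: not code from the original post. The log lines are constructed
for this demo and the thresholds are illustrative assumptions.
"""
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev

# Constructed egress log: "<timestamp> <src_ip> <dst_ip> <dst_port>".
# 10.0.0.5 contacts 203.0.113.7 every ~5 minutes; 10.0.0.9 browses irregularly.
SAMPLE_LOG = """\
2013-10-02T10:00:00Z 10.0.0.5 203.0.113.7 443
2013-10-02T10:05:01Z 10.0.0.5 203.0.113.7 443
2013-10-02T10:09:58Z 10.0.0.5 203.0.113.7 443
2013-10-02T10:15:02Z 10.0.0.5 203.0.113.7 443
2013-10-02T10:20:00Z 10.0.0.5 203.0.113.7 443
2013-10-02T10:00:13Z 10.0.0.9 198.51.100.20 443
2013-10-02T10:02:47Z 10.0.0.9 198.51.100.20 443
2013-10-02T10:31:05Z 10.0.0.9 198.51.100.20 443
2013-10-02T10:33:40Z 10.0.0.9 198.51.100.20 443
2013-10-02T11:12:09Z 10.0.0.9 198.51.100.20 443
"""


def parse(text):
    """Turn log lines into (timestamp, src, dst, port) tuples; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        records.append((when, src, dst, int(port)))
    return records


def find_beacons(records, min_hits=5, max_cv=0.1):
    """Flag (src, dst, port) tuples whose connection gaps are nearly constant.

    cv = stddev / mean of the gaps between successive connections; a tight
    schedule gives a small cv. min_hits and max_cv are assumed thresholds that
    need tuning per network.
    """
    by_pair = defaultdict(list)
    for when, src, dst, port in records:
        by_pair[(src, dst, port)].append(when)
    hits = []
    for pair, stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else float("inf")
        if cv <= max_cv:
            hits.append({"pair": pair, "count": len(stamps),
                         "interval_s": round(avg, 1), "cv": round(cv, 3)})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(parse(SAMPLE_LOG)):
        src, dst, port = hit["pair"]
        print("beacon candidate: %s -> %s:%d every %.0fs (%d hits, cv=%.3f)"
              % (src, dst, port, hit["interval_s"], hit["count"], hit["cv"]))
```

On the constructed log only the 10.0.0.5 pair scores as a beacon candidate (about 300 seconds apart, cv under 0.01). Implants that randomise their sleep interval widen the cv, so in practice this score is one input among several (destination reputation, byte counts, TLS fingerprint) rather than a verdict on its own.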

No surprise, then, that Hacking Team placed its control servers in this case at an ISP that was heavily favored by spammers. Leaked Hacking Team emails show that in 2013, the company set up a malware control server for the Special Operations Group of the Italian National Military Police — also known as the “Carabinieri” — an entity focused on investigating organized crime and terrorism. One or both of these organizations chose to position that control server at Santrex, a notorious Web hosting provider that at the time served as a virtual haven for spammers and malicious software downloads.

But that decision backfired. As I documented in October 2013, Santrex unexpectedly shut down all of its servers, following a series of internal network issues and extensive downtime. Santrex made that decision after several months of incessant attacks, hacks and equipment failures at its facilities caused massive and costly problems for the ISP and its customers. The company’s connectivity problems essentially made it impossible for either Hacking Team or the Carabinieri to maintain control over the machines infected with the spyware.

According to research published Sunday by OpenDNS Security Labs, around that same time the Carabinieri and Hacking Team cooked up a plan to regain control over the Internet addresses abandoned by Santrex. The plan centered around a traffic redirection technique known as “BGP hijacking,” which involves one ISP fraudulently “announcing” to the rest of the world’s ISPs that it is in fact the rightful custodian of a dormant range of Internet addresses that it doesn’t actually have the right to control.

IP address hijacking is hardly a new phenomenon. Spammers sometimes hijack Internet address ranges that go unused for periods of time (see this story from 2014 and this piece I wrote in 2008 for The Washington Post for examples of spammers hijacking Internet space). Dormant or “unannounced” address ranges are ripe for abuse partly because of the way the global routing system works: Miscreants can “announce” to the rest of the Internet that their hosting facilities are the authorized location for given Internet addresses. If nothing or nobody objects to the change, the Internet address ranges fall into the hands of the hijacker.

Apparently nobody detected the BGP hijack at the time, and that action eventually allowed Hacking Team and its Italian government customer to reconnect with the Trojaned systems that once called home to their control server at Santrex. OpenDNS said it was able to review historic BGP records and verify the hijack, which at the time allowed Hacking Team and the Carabinieri to migrate their malware control server to another network.
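The two checks a network operator can run against a hijack of the kind described above are origin validation (does a published Route Origin Authorization permit this AS to announce this prefix?) and comparison against historic routing data (has this prefix changed origin, or been revived after going unannounced?). The following is an added example, not code from the original post, from OpenDNS or from any party it describes; it implements RFC 6811 origin validation and a baseline comparison over a constructed ROA table and constructed announcements. The prefixes (RFC 5737 documentation ranges), the ASNs (RFC 5398 documentation ASNs) and the baseline are all assumptions made for the demo.

```python
"""Origin validation and origin-change checks over constructed BGP announcements.

Added example: not code from the original post, from OpenDNS, or from any party
the post describes. Every prefix, ASN and ROA below is a constructed sample
(RFC 5737 documentation prefixes, RFC 5398 documentation ASNs).
"""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Roa:
    """Route Origin Authorization: which AS may originate prefix, down to max_len."""
    prefix: str
    max_len: int
    origin_as: int


@dataclass(frozen=True)
class Announcement:
    """One BGP origin announcement as seen at a collector (constructed sample)."""
    prefix: str
    origin_as: int


# Constructed ROA table (assumption: the address holders published these).
# AS64500 holds 192.0.2.0/24 and may deaggregate down to /25; AS64501 holds
# 198.51.100.0/24 and may not deaggregate at all.
ROAS = [
    Roa("192.0.2.0/24", 25, 64500),
    Roa("198.51.100.0/24", 24, 64501),
]

# Constructed baseline of "who originated what" from earlier routing data,
# standing in for the historic BGP records the post says OpenDNS reviewed.
BASELINE = {
    "192.0.2.0/24": 64500,
    "198.51.100.0/24": 64501,
}


def validate(ann, roas):
    """RFC 6811 route origin validation: 'valid', 'invalid' or 'not-found'."""
    announced = ip_network(ann.prefix)
    covering = [r for r in roas if announced.subnet_of(ip_network(r.prefix))]
    if not covering:
        return "not-found"      # no ROA covers this space at all
    for r in covering:
        if r.origin_as == ann.origin_as and announced.prefixlen <= r.max_len:
            return "valid"
    return "invalid"            # covered, but wrong origin or more specific than allowed


def origin_change(ann, baseline):
    """Compare an announcement with the longest covering baseline prefix.

    Returns a note when no earlier announcement covered this space or when the
    origin AS differs from the baseline, else None.
    """
    announced = ip_network(ann.prefix)
    covering = [(ip_network(p), asn) for p, asn in baseline.items()
                if announced.subnet_of(ip_network(p))]
    if not covering:
        return "no prior announcement covers this space"
    net, prev = max(covering, key=lambda c: c[0].prefixlen)
    if prev != ann.origin_as:
        return "origin changed from AS%d (baseline %s) to AS%d" % (prev, net, ann.origin_as)
    return None


def audit(current, roas=ROAS, baseline=BASELINE):
    """Return (prefix, origin_as, rpki_state, change_note) for each announcement."""
    return [(a.prefix, a.origin_as, validate(a, roas), origin_change(a, baseline))
            for a in current]


# Constructed "seen now" table: one legitimate update, one more-specific from a
# foreign AS, one over-deaggregation by the holder, one origin swap, and one
# announcement of space nobody had routed before.
SEEN_NOW = [
    Announcement("192.0.2.0/24", 64500),
    Announcement("192.0.2.0/25", 64511),
    Announcement("192.0.2.0/26", 64500),
    Announcement("198.51.100.0/24", 64511),
    Announcement("203.0.113.0/24", 64511),
]

if __name__ == "__main__":
    for prefix, asn, state, note in audit(SEEN_NOW):
        flag = "ALERT" if state != "valid" or note else "ok   "
        print("%s %-18s AS%-6d rpki=%-9s %s" % (flag, prefix, asn, state, note or ""))
```

The baseline check is what catches the case in the post: a range that went dark when its hosting provider collapsed and then reappeared from an unrelated AS scores as an origin change even where no ROA exists, which was the common situation in 2013. The ROA check adds the maxLength rule, so a more-specific announcement from the legitimate holder beyond what the ROA allows is still flagged invalid.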

This case is interesting because it sheds new light on the potential dual use of cybercrime-friendly hosting providers. For example, law enforcement agencies have been known to allow malicious ISPs like Santrex to operate with impunity because the alternative — shutting the provider down or otherwise interfering with its operations — can interfere with the ability of investigators to gather sufficient evidence of wrongdoing by bad actors operating at those ISPs. Indeed, the notoriously bad and spammer-friendly ISPs McColo and Atrivo were perfect examples of this prior to their being ostracized and summarily shut down by the Internet community in 2008.

But this example shows that some Western law enforcement agencies may also seek to conceal their investigations by relying on the same techniques and hosting providers that are patronized by the very criminals they are investigating.

Italian researcher Marco d’Itri dug through the leaked Hacking Team emails to unearth evidence of this plot. d’Itri has links to the emails (in Italian) at his blog here.

Update, 2:17 p.m. ET: Swapped in “Carabinieri” for an acronym of the Italian National Military Police, and added links to leaked Hacking Team email threads discussing the alleged BGP hijack.


25 thoughts on “Hacking Team Used Spammer Tricks to Resurrect Spy Network”

  1. walter p komarnicki

    a pity the internet was never originally designed with security as a major concern but maybe it’s not too late to start over again before the whole system goes under, a victim of the law of unintended consequences colliding with the law of diminishing returns.

  2. J.P

    Hate seeing people like this disrupt the common people for their own wallet.
    Good work Krebs, keep it up brother.

  3. chuck fonta

    Unfortunately both Unix and the ARPA net were designed to make the exchange between users easy!
    UNIX by Bell labs was designed to be usable by friendly staff members who wanted to share information while developing common projects. The ARPA net too was meant to share information.
    Systems like DEC’s VMS, or IBM’s operating system which were designed to be used by hostile clients working on the same machine were proprietary, copyrighted, and expensive.
    As a result, “For FREE, Take” ruled and Unix based systems became the foundation for our operating software, and so did the ARPA net become the foundation of the internet.
    Fixing it, although doable on paper, would be like putting up a sea wall around Florida to protect against global warming.

    1. John Doe

      Seriously what are you talking about? Random thoughts? I don’t see how anyone can make a connection with the story to your comments.

    2. Infosec Pro

      “for FREE, take” and you get what you pay for.

      1. EstherD

        Don’t know about you, but I got *more* value out of my “free” UNIX installations than I *ever* did with *any* of the systems I paid for: DEC RT, RSTS, VMS or Microsoft whatever.

  4. IA Eng

    It’s interesting to see if there was any info on who this hacking team purchased some of the zero-days from. It just goes to show us that there are probably many more zero days out there than we know about – probably some spanning over a few versions…..

    Zero days can be covered up by insiders, whether the person ignores, deletes or modifies a vulnerability report after the work is supposedly done.

    As far as all these holes that exist in software month after month, it is pretty obvious that there is little QA going on – short of ensuring that the patch doesn’t break anything. It’s like the highway workers trying to get rid of potholes on a stretch of highway – it’s a continuous battle against time, traffic and other variables (weather).

    There are plenty of smart workers at these software corporations. Surely they have the capability to run some sort of fuzzing routine to find any additional issues. It’s like slapping more stucco on a once brand new beautiful structure until the overall appearance has become quite twisted. Sure there are many many lines of code, and an “acceptable level of error” in patching. But when the outside researchers find a major hole within days of the patch being released – it makes me wonder exactly what the heck is going on.

  5. Mahhn

    Clearly the State Criminals (of countries governments) don’t care what criminals do if they also work for them. Very sad state of the world. This is what they are doing: If you let me rape them I’ll let you rape my mother. Evil people know no limits.

    1. roflem

      Yup, we have come to this point. “Legalized” cybercrime which sells the exact same trojans with a little GUI and different structure, that the East European countries were so famous for. Including the C&C servers and probably a botnet which made clickfraud to alleviate the costs? :-))) On the “darkweb” these were sold for 5-10.000 $ and these idiots think they can add a little GUI and resell them for 100 times that amount to governments and get away with it? ?
      Reselling ZeroDayExploits should be made illegal under the Vienna Convention!!!
      Instead the coders of flash/win/ios/android should be forced to pay a fine for the research of people who find ZDEs.

  6. JB

    Mr. Pozzi got hit by the Karma Bus and is still being dragged underneath it 🙂

    1. CooloutAC

      I’m sure many countries have dealt with them. And I’m sure they aren’t the only “security researchers” out there who do this. I’ve been told that many “researchers”, (and I use that word loosely) hold back many exploits and don’t reveal all the ones they have at events like defcon or pwn2own, because there is way more money selling the exploits to gov’ts or other agencies…

  7. nitefood

    Hello Brian, the Italian national military police is called “Carabinieri”. Not to be confused with INMP, which is a national institute that focuses on migrants’ health and tries to counter poverty-related health issues.

    Thanks for a very good read, as always. Other Italian readers might find the original email exchanges between the involved parties very interesting – they’re linked at the bottom of this article: http://blog.bofh.it/id_456

    1. nitefood

      And I might add, after reading the whole email exchange between the Carabinieri and HT, that the Carabinieri came up with the BGP hijack on their own, without HT “pushing” the option in any way. The Carabinieri had lost control of the C&C VPS, and thanks to a “hook” they had inside the Italian hosting provider Aruba, they were immediately granted the propagation of the needed subnet.

      Furthermore, the Carabinieri contacted two other major Italian ISPs (Telecom Italia and Fastweb), and were granted immediate assistance by both. Fastweb responded immediately, while Telecom Italia took a little longer to comply. The Carabinieri had asked them to propagate the route without filters and limits, even if announcements came from an unrelated peer (Aruba).

      HT had some internal exchanges about the “trick”, but apparently they had limited technical understanding of the way the BGP hijack was going to work out.

      Nevertheless, in a final email they were reportedly “cheering up” during a video chat with a Carabinieri person once their targets finally synchronized with the “new” C&C server.

  8. Jagger

    With the development of the internet world, the hacker team is becoming more and more powerful. We use the iKeyMonitor or some keyloggers to monitor our children to protect them from being hurt, but the hackers may use the spyware to spy on information, which is illegal nowadays. I think this needs to be prevented, or we may be hurt. In order to avoid this, we have many things to do, I think.

  9. GrifiN

    Brian,

    For IT admins, like myself, who cannot remove Flash Player from their environment because we depend on websites that require Flash and therefore must continuously update it, I stumbled across this option from Adobe:
    Extended Support Release – (Flash Player 13.0.0.302)
    Here is a quote from the link below:
    “Adobe makes available a version of Flash Player called the “Extended Support Release” (ESR) to organizations that prefer Flash Player stability over new functionality. We have created a branch of the Flash Player code that we keep up to date with all of the latest security updates, but none of the new features or bug fixes available in our current release branch. This allows organizations to certify and stay secure on Flash Player with minimal effort.

    We recommend that companies focused on security and stability take a close look at this release option.”

    http://www.adobe.com/uk/products/flashplayer/distribution3.html

    Are you familiar with this? Does it minimize the attack surface? Fewer patches?

    Thanks for all your good work!

    1. GrifiN

      Ignore/Delete this, wrong article.
      Apologies

  10. Jimbob

    These guys do good work, stop bullying them. We need these sort of programs to ensure the bad guys stay in check.

  11. Beta Test

    Word is leaking out that … this wasn’t a “hack” … well, not by an outsider hacktivist.

    Supposedly … the documents were released by a source internal to Hacking Team … out of spite … during which is best described as “an internal difference of opinion” on pay.

  12. Sam

    “But this example shows that some Western law enforcement agencies may also seek to conceal their investigations by relying on the same techniques and hosting providers that are patronized by the very criminals they are investigating.”

    That’s one way of looking at it. What I see is more to the point of “this example also shows that law enforcement agencies are really only the soldiers of the gang of thugs that managed to beat out all the other gangs and thus have a self-declared monopoly on violence because really, with human nature being what it is, there isn’t really any other way for us to live together on this spinning lump of rock without everyone eventually tearing each others’ throats out.”

  13. Charlie Harvey

    BGP just seems to be broken. I’ve not looked at it in depth but I keep hearing stories about bad stuff happening with BGP.

    It seems like there is a good case for building something better, and given the smaller (relative to IPv4, say) number of people responsible for administering it, there may be some hope of replacing it with something better…
