Italian Exploit Developer Follows Hacking Team’s Lead, Sells Powerful Spyware To Human Rights Violators
from the Italy-is-the-new-Israel dept
Italian malware developer Hacking Team began making headlines in 2014. Infections uncovered by researchers at Toronto’s Citizen Lab and Russia’s Kaspersky Lab were traced back to servers located in the United States, Canada, UK, and Ecuador. The US servers topped the list. The second place finisher, however, was Kazakhstan.
Here’s a summary of the Kazakhstan government’s human rights abuses, as compiled by the US State Department:
Significant human rights issues included: unlawful or arbitrary killing by or on behalf of the government; torture by and on behalf of the government; political prisoners; problems with the independence of the judiciary; restrictions on free expression, the press, and the internet; interference with the rights of peaceful assembly and freedom of association; restrictions on political participation; corruption; trafficking in persons; and restrictions on workers’ freedom of association.
Hacking Team’s willingness to sell to abusive authoritarians was further exposed when it was (ironically) hacked by outsiders and its internal documents shared with the general public. The company’s internal “wiki” contained a list of customers, which included UN-blacklisted country Sudan. It also sold its malware to Russia, Saudi Arabia, Egypt, and Malaysia — countries all known for their long histories of human rights abuses. Its exploits also ended up in the hands of Mexican drug cartels.
Hacking Team has since been absorbed by another entity and now does business (but what kind?) under the name “Memento Labs.”
There’s a new Italian player on the phone exploit scene. RCS Labs is filling the void Hacking Team left in its apparent demise, apparently starting with none other than one of Hacking Team’s most infamous customers.
Cyber-security researchers have unearthed a new enterprise-grade Android spyware called ‘Hermit’ that is being used by the governments via SMS messages to target high-profile people like business executives, human rights activists, journalists, academics and government officials.
The team at cyber-security company Lookout Threat Lab uncovered the ‘surveillanceware’ that was used by the government of Kazakhstan in April, four months after nationwide protests against government policies were violently suppressed.
“Based on our analysis, the spyware, which we named ‘Hermit’ is likely developed by Italian spyware vendor RCS Lab and Tykelab Srl, a telecommunications solutions company we suspect to be operating as a front company,” the researchers said in a blog post.
A blog post by Google’s Threat Analysis Group (TAG) suggests RCS has relied on local ISPs to help deliver its malware payloads.
All campaigns TAG observed originated with a unique link sent to the target. Once clicked, the page attempted to get the user to download and install a malicious application on either Android or iOS. In some cases, we believe the actors worked with the target’s ISP to disable the target’s mobile data connectivity. Once disabled, the attacker would send a malicious link via SMS asking the target to install an application to recover their data connectivity. We believe this is the reason why most of the applications masqueraded as mobile carrier applications. When ISP involvement is not possible, applications are masqueraded as messaging applications.
Not quite as elegant as NSO Group’s zero-click exploit, Pegasus. But just as nefarious, seeing as it cloaks itself as an official message from targets’ internet service providers. And RCS appears to be far less selective about who it sells to. That’s where the front company comes in, which likely enables RCS to provide malware to foreign governments the Italian government would rather local companies didn’t sell to, like the following:
RCS Lab has engaged with military and intelligence agencies in Pakistan, Chile, Mongolia, Bangladesh, Vietnam, Myanmar, and Turkmenistan.
None of these countries will ever top the “Least Likely To Abuse Powerful Spyware” list anytime soon. Marketing the “Hermit” malware as “lawful intercept” won’t decrease lawless applications. The only thing that can prevent abuse is refusing to sell to countries that routinely abuse their own citizens for fun and profit.
And RCS has apparently found a way to bypass Apple’s usually robust app store safeguards to deploy its malware, as The Verge reports:
Attackers were able to distribute infected apps on iOS by enrolling in Apple’s Developer Enterprise Program. This allowed bad actors to bypass the App Store’s standard vetting process and obtain a certificate that “satisfies all of the iOS code signing requirements on any iOS devices.”
It’s certain more evidence of abusive deployment will come to light in the near future, now that multiple security researchers have detected infections that can be traced back to RCS malware. And if RCS insists on doing business with shady governments, it can expect to find itself in the same sanctioned boat as Israeli malware merchants NSO Group and Candiru.