(This article is an english verison of the blog post by rainygirl, which is originally written in Korean.
written by rainygirl, translated by hipporoll)
On Jul. 6th, an Italian spyware company ‘Hacking Team’ (HT) was compromised, so that its internal data in size of 400 GB was entirely leaked via torrent. The leaked archive contains internal files such as software source codes, employees’ personal information like salaries or bonus rankings, and even resignations of ex-employees. Above all, there was the most important reason why it interested international media: the leaked archive contained the whole evidences of having sold surveillance tools to national intelligence agencies, i.e. governments.
– [Wall Street Journal] Hacking Team, the Surveillance Tech Firm, Gets Hacked
– [the guardian] Hacking Team hacked: firm sold spying tools to repressive…
– [ZDNet] Hacking Team hit by breach; leak suggests it sold spyware to oppressive regimes
– [WIRED] Hacking Team Breach Shows a Global Spying Firm Run Amok
– [VERGE] Hacking Team spyware company hacked, embarrassing emails revealed
Then several media like Wired UK started to report that the customers list of HT also contains South Korea.
Files reveal that Hacking Team customers include South Korea, Kazakhstan, Azerbaijan, Saudi Arabia, Lebanon, Egypt, Nigeria and Sudan.
– [WIRED UK] Hacking Team’s oppressive regimes customer list revealed in hack
Hacking Team currently has, based on internal documents leaked by the attackers on Sunday evening, customers in the following locations: Egypt, Ethiopia, Morocco, Nigeria, Sudan Chile, Colombia, Ecuador, Honduras, Mexico, Panama, United States Azerbaijan, Kazakhstan, Malaysia, Mongolia, Singapore, South Korea, Thailand…
– [CSO Online] Hacking Team hacked, attackers claim 400GB in dumped data
And until 03:00 AM on Jul. 9th, even now, none of major media in South Korea has reported on this issue.
So far only 2 minor media have mentioned the issue: one is Boan-news, a computer security-specialized news website, and the other is ETnews, (Jeonja-Shinmun) an IT news website.
Moreover, the ETnews tried in the 1st article to evade the point by quoting an anonymous expert saying “it’s unreasonable to regard this issue as violations of human rights.” Is that really correct? What happened actually between the Korean government and the spyware company?
So I managed to get the leaked archive of HT.
# Hacking Team’s customer, Korean Army Division 5163
The spreadsheet below is a part of a leaked file, ‘Client Overview_list_20150603.xlsx’.
In the customers list of the Italian spyware company HT, an American agency FBI is directly visible. On the other hand, with a country name South Korea, a customer can be seen with a name of “The 5163 Army Division”.
According to another document, since 2012 HT has received 686,400 Euros in total from the “5163 Army Division”.
– In 2012, 448,000 Euros for license and upgrade of software
– In 2013, 58,850 Euros for maintenance
– In 2014, 145,700 Euros for upgrade as well as maintenance
– In 2015, 33,850 Euros for maintenance
As of Jul. 9th, 1 Euro is equal to 1,253 korean Won. So the document above shows that the “5163 Army Division” paid ca. 860 Million Won from the Korean national budget to the Italian spyware company. Then what exactly did the Korean army division purchase with the 860 Million Won? That can be easily looked up in an invoice. One of the leaked files, “Invoice – 003_2015 – Army Division Korea.pdf” shows the following:
‘Remote Control System‘ is written on the document. At first glance, it could look like a remote PC control application of NateOn. However, that’s actually a ‘surveillance program‘. What that actually means can be discovered surprisingly on Wikileaks.
An introduction of the company describes RCS as a stealth, spyware-based system for attacking, infecting, and monitoring computers and smartphones. It can also keep watch even on encrypted communications, such as messengers and VoIPs like Skype, PGP encrypted communications, and secure emails, etc. This company created a video advertisement to publish on its website.
The Korean “5163 Army Division” had deals with a spyware developer HT that is able to make such a thing. According to one of the leaked files, “RCS 8 Technical.pptx”, the RCS can watch on the following services.
So it can monitor VoIP, emails, as well as social networks.
A newspaper Hankyoreh once reported in Sep. 2011 that NIS, the Korean national intelligence service, was suspected to have kept watch also on Gmail.
(“NIS keeps watch on Gmail too”, Hankyoreh, Sep. 6th, 2011)
The main point of the article was that it would be hardly possible to monitor like that, due to technical difficulties. Though it was actually not impossible, because it had been already possible to intercept certificates on the network level, as well as to install surveillance software on client PCs. In the next year, starting a deal with the spyware company, relevant systems might have started to be set up.
# What exactly are they willing to monitor?
A list of monitoring possiblities that can be implemented in RCS by HT, which is purchased by the Korean “5163 Army Division”, is like below. This is a part of one of the leaked files, “RCS_9.1_Features_Compatibility_v1.2.pdf”.
– For desktop: hidden cameras, wiretapping microphones, chatting, obtaining files, intercepting keyboard inputs, passwords, website URLs, screenshots, etc.
– For mobile devices: hidden cameras, wiretapping microphones, locations, screenshots, etc.
In that file, the spyware company describes possibilities of executing particular apps, recording, installing, uninstalling, and wiping out, on both desktops and mobile devices.
A list of desktop/smartphone operating systems, which are known to be able to be infected by RCS, is like below. It’s a part of one of the leaked files, “Compatibility List (not for customers).9.6.xlsx”.
– “x” means that it’s possible to monitor
It can monitor
- Android from 2.2 (Froyo) to 5.0 (Lollipop)
- iOS from 3.x to 8.x
- Blackberry from 4.5 to 7.1
- Mac OS from 10.6 (Snow Leopard) to 10.10 (Yosemite)
- Windows from XP to 10
- Linux including Ubuntu, Debian, Linux Mint, Fedora
# How is it possible to monitor?
The RCS, which the HT sold to intelligence agencies and financial institutes all over the world, is inherently ‘Spyware’, as mentioned above. That means, customers deliberately infiltrate spywares into the target side to be taken under surveillance. HT also pleads for introducing RCS, as network packet-based monitoring by itself should not be sufficient. A part of slides presented by HT, published by Wikileaks:
Basically it suggests embedding spywares doing whatever it takes. How are they supposed to distribute the spywares? Such an instruction by HT can be discovered in documents like “RCS.pdf”, “RCS 9 Attack Vectors.pptx”.
- Boot a CD-ROM or USB thumb drive
- Insert a memory card
- Manipulate Wi-fi routers
Booting a CD-ROM or USB thumb drive could be done by infiltrating spies into buildings, or by deliberately returning confiscated devices with the drives attached. Indeed it was revealed that an agency in Morocco hacked the UN peacekeeping force, by inserting a spyware USB drive into a PC inside the UN headquarter office.
– [allafrica] Morocco Seems to Have Hacked UN Computers With Hacking Team Technologies
Guide to manipulate Wi-Fi routers is easily understandable given the cases in the past, that firmwares of Wi-Fi routers were manipulated, so that connections were redirected to phishing sites.
Here are several other ways of manipulations, suggested by HT.
- Control Internet service providers
- Control mobile service providers (3G/LTE)
- Execute EXEs or APKs from the Internet
Internet service providers are well-known vendors providing Internet connections, such as SK Broadband, KT, or LG U+. Mobile service providers also mean vendors providing endpoint mobile devices, such as SKT, KT, LG U+, Samsung electronics. Controlling the providers could allow spywares to be installed on PCs or smartphones of particular users, by sending fake automatic updates. HT instructs such manipulations, making use of tutorials and video clips provided by one of their competitors, gammagroup.com. One of the leaked clips, 309_GAMMA-201110-FinFly_ISP.mp4, shows the most dramatic part.
It suggests to intercept network connections to send a fake iTunes update message to the target to monitor. That should be possible doing exactly like the screenshot of the video clip.
So it’s basically about getting systems infected with spyware, making use of remote automatic updates, automatic executions, as well as remote controls. This is exactly the attack mechanism, which is already well-known from a cyber terror incident on Mar. 20, 2013, from which KBS, MBC, YTN, Shinhan Bank, Nonghyup Bank suffered.
– [rainygirl.com] Disaster of central security managements – all about the cyber terror on Mar. 20 (in Korean)
– In the beginning this incident had been recognized as attacks from North Korea, but later it turned out to be attacks to the central security monitoring systems.
South Korea is a country where lots of applications are being continuously autoupdated, e.g. anti-virus apps like Alyak, archiving apps like Alzip, video players like Gom-player, numerous online banking security apps (from activeX to exe). Moreover, a revision of communication privacy protection law was submitted to the Assembly, so that relevant technical actions can be legislated. The main point of the revision is to make it mandatory for service providers as well as social networks operators to install surveillance equipments. Whoever rejects the law could be punished.
According to one of the leaked files, “RCS 7.3 – Administration Manual.pdf”, if a spyware agent would get installed via any possible attacks, then data gathered from the monitoring could become continuously transferred through network. Even when the device is not connected to the network, (e.g. mobile data network is disabled on a smartphone) data could continue to be collected on the device, until the network has been reachable again. In that case, collected data could then become retransferred at once. According to the manual, on a PC where the agent is installed, the monitoring agent could look like a normal process with a program name that an ordinary user of the PC often uses. Otherwise the process could be also totally hidden. This is exactly what ‘malwares’ normally do.
Establishing such systems, the government is able to operate a monitoring screen like below:
# Here’s a real screenshot of the RCS
Current location of a monitored target gets visible on a map. One can see the target’s activities on one screen: who he talks on the phone with, what he talks via VoIP, how the phone camera captures the scenes nearby, what kind of conversations become captured by the microphone, who he talks via Facebook with, etc. Typical movie scenarios have now become a reality. How can managers know conversations during internal meetings of a labor union? How can intelligence detectives know the entire conversations via Kakaotalk? We have been only able to presume their reasons, but now we are about to see the real answer before our eyes.
# What is the ‘5163 Army Division’ anyway?
The “5163 Army Division” located in the Seochogu-District in Seoul, is not a reserve forces training yard. Sisa-in, a weekly magazine, revealed in Nov. 2013 what that really is.
Along with the “7452 Army Division”, NIS also disguises itself as “5163 Army Division”. Employees of NIS use the both names, especially when they need to get loans from banks, or to submit proof of employment. A bank staff mentioned, “First I had thought the 5163 Army Division on the proof of employment would have meant a military base. However, its address was actually Naegok-Dong, the same as NIS.”
– “Disguised name of NIS: “5163 Army Division”
That’s correct. That’s NIS located in Naegok-Dong, Seochogu-District.
(Logo looks somehow strange, but that’s just my feeling)
How the hell did an Italian spyware developer company, HT, know the exact name of “5163 Army Division”, a disguised name of the Korean national intelligence agency, that could want such systems desparately? Even a name of its supplier company?
# 3 days after the leak, why does nobody report on that?
The leaked 400GB of files are already being distributed all over the world via torrent. Those will float overall in the Internet, never being deleted, as long as they spread via torrent.
[Link to a reddit article on its magnet address]
Moreover, its mirror site has also become available, where anyone can see the leaked data online.
http://ht.transparencytoolkit.org/
Even the source codes of its tools are being uploaded on github.
Although every file is revealed like that, why do Korean media report very little on this issue? It’s simple. Either because they don’t know about the essential aspect of the issue, or because they simply cannot report, even if it’s being reported by international media they follow up on regular basis. After publishing this article, I will observe how this issue is going to be reported by Korean media, how much truth they could reveal. It’s also worth following up on how the agency leaders would explain the issue, either the principal of NIS, or the chief of the government, who is definitely reported on this issue to.
Our direct questions should focus on the following: Did the NIS try to use the system to keep anyone under surveillance? Was that someone in North Korea, who is not likely to be connected to the Internet? Was that someone else in South Korea? If that’s the case, what could be the reason?
Let’s look into the expenditure records.
– In 2012, 448,000 Euros for license and upgrade of software
– In 2013, 58,850 Euros for maintenance
– In 2014, 145,700 Euros for upgrade as well as maintenance
– In 2015, 33,850 Euros for maintenance
In 2012, when the “5163 Army Division” bought the software, the principal of NIS was this person:
In 2012, when the “5163 Army Division”, a.k.a. NIS, paid 448,000 Euros to HT to buy the software, such events occurred.
The principal of NIS was consequently on trial for abusing social networks during the election in 2012.
In the same year, the “5163 Army Division”, a.k.a. NIS, paid 448,000 Euros to HT, including 273,000 Euros for the first payment. That’s ca. 560 Million Won from the Korean national budget.
In 2014, when the “5163 Army Division” paid 145,700 Euros for upgrade/maintenance, such events occurred of all things:
Of course immediate reactions followed:
After that, the following event caused many Koreans to go into “cyber-exile”.
In this year, the “5163 Army Division”, a.k.a. NIS, paid 145,700 Euros to HT for software upgrade, including 78,000 Euros for the first payment. That’s ca. 200 Million Won from the Korean national budget.
Did all the events happen just by coincidence?
Are they legal, or illegal?
How did the govermental institutions all over the world make use of the cyber weapon? How has the Korean “5163 Army Division” made use of that?
How would the Internet around us change, after the revision of communication privacy protection law would have passed, which is practically a law to make it mandatory for ISPs to install surveillance equipments.
Could monitoring agents infiltrate into my PC, my smartphone too?
p.s.
1) Analysis on the leaked source codes done by international media confirms a little more. HT has implemented systems that are capable of abusing various zero-day vulnerabilities, (including bugs in Adobe Flash) seizing admin privileges over the vulnerable systems, and remote-controlling the targets.
– [the Register] KILLER! Adobe Flash, Windows zero-day vulns leak from Hacking Team raid
As other relevant vulnerabilities will likely be found out, lots of servers, PCs or smartphones could be exposed to possible attacks. Thus we need to carefully keep track of relevant news. Of course as of Jul. 9th, relevant issues are little reported by Korean media. As it’s highly unlikely for them to report on it, we should follow up with international media.
2) According to analysis by international media on the leaked files, HT seems to have improved techniques for attacks as well as infiltrations, by sharing the targets’ data with its partners as well as its customers, a.k.a. national intelligence agencies.
– One of the emails between HT and its customer. Who would be the “high value target”?
Emails need to be analysed furthermore. As emails also about international situations were also leaked, so emails between HT and Korean agencies will likely be revealed too. Only if someone could do a little more what he should do.
