Hacking Team leak: Dealings with UK police agencies, demo for Bangladeshi 'death squad'

Reuters / Andrew Biraj
Hacking Team, an Italian firm which came under attack for selling hacking tools to governments with dubious human rights records, reportedly showed its spy technology to a security agency in Bangladesh dubbed by Human Rights Watch a “death squad.”

Some 400 gigabytes of Hacking Team's internal documents and source code were leaked online after the Milan-based company became the target of a hacker attack over the weekend, exposing deals with countries such as Sudan and Saudi Arabia.

Just two months ago, a Hacking Team representative traveled to the Bangladeshi capital Dhaka for “a practical demonstration” of the company's surveillance equipment “in the ground settings of Bangladesh,” according to the company’s emails reviewed by the Intercept.

Last month, a reseller for Hacking Team in Bangladesh reported that he had submitted the bid papers for the deal with The Rapid Action Battalion which, according to Human Rights Watch, has been “responsible for numerous acts of torture and other ill-treatment, arbitrary arrests, and approximately 800 killings over the last 10 years.”

Hacking Team has also supplied its technology to the DEA, which as one leaked email reveals, is using the spyware to launch surveillance operations from the US embassy in Bogota. The email also suggests that apart from the Hacking Team technology, the DEA is also using other spying equipment at the embassy in Colombia.
The Intercept's Ryan Gallagher, who says he has been reading through the hacked file, reported that one of Hacking Team’s key corporate partners is an Israel-based company with close links to Israeli military and intelligence agencies. According to his biography, Nice Systems's CEO Barak Eilam was formerly an officer with an “elite intelligence unit” in the IDF.

The leaked Hacking Team documents show that Nice has been involved in closing a number of deals for the company across the world, with contracts in Azerbaijan and Thailand. He has been credited with pushing for sales in Brazil, Kuwait, Finland, Georgia, Greece, India and Uzbekistan, just to name a few.

The firm's ties with Sudan have already caused a major embarrassment, given that Hacking Team has previously publicly denied selling its tools to Khartoum. Among the leaked documents was the one showing how the firm required the Sudanese government to pay €480,000 ($530,000) by wire transfer for "remote control" systems used to access a target's personal data.

Last year, reporters Without Borders listed the company, which has always maintained that it legally sold its products to be used for law enforcement on its Enemies of the Internet index.

The leak appeared to be a major blow to Hacking Team’s reputation. Speaking to the International Business Times in the wake of the cyber attack, the company's spokesman Eric Rabe brushed off allegations from journalists and activists saying Hacking Team has been dealing with “despotic regimes.”

Rabe said: “We don’t have anything to hide about what we are doing and we don’t think that there is any evidence in this 400GB of data that we have violated any laws and I would even go so far as to argue that there is no evidence that we have behaved in anything but a completely ethical way.”

According to the hacked files, Hacking Team’s clients as shown in invoices and other documents reveal dozens of countries, including: Egypt, Ethiopia, Morocco, Nigeria, Sudan, Chile, Colombia, Ecuador, Honduras, Mexico, Panama, the United States, Azerbaijan, Kazakhstan, Malaysia, Mongolia, Singapore, South Korea, Thailand, Uzbekistan, Vietnam, Australia, Cyprus, the Czech Republic, Germany, Hungary, Italy, Luxemburg, Poland, Russia, Spain, Switzerland, Bahrain, Oman, Saudi Arabia and the UAE.

UK police agencies 'trialing' Hacking Team technology

The leaked documents cited by the Intercept show that police agencies in the UK have also tested Hacking Team’s controversial technology, and have been attempting to purchase it for years. According to the leaked data, they have been hindered by “some concerns to do with legal authority” of the technology.

In May 2011, Hacking Team arranged a secret meeting with several interested British agencies, and was told that attendees may include London’s Metropolitan Police, the government’s Home Office, domestic intelligence agency MI5, customs officials and the Serious and Organised Crime Agency.

According to the leaked documents, two years after this meeting the Metropolitan Police told Hacking Team that it was “now ready to progress” with a trial of the spying tool. In 2013, it invited Hacking Team to formally submit a bid for a spy technology contract. A confidential document, cited by the Intercept, specified that the force wanted to obtain “'software' that can be covertly introduced to a third parties device and will allow us to ‘Look, Listen and Follow’ the third party. The Authority will receive, record and playback the ‘Product’ retrieved from the third party on a 'System' that shall be scalable, using proven technology that has in-built security measures appropriate to this task.”
The deal, worth £385,000, was cut short in 2014 following “internal reviews on how we wished to move this area of technology forward,” according to an email from the police. However, a future deal was not excluded, with the email stating: “Of course in the months/years to come this could change and if that is the case then we would welcome your organization’s participation.”

The identity of those who leaked the sensitive information from Hacking Team remains unknown. The company said that before the attack it “could control who had access to the technology, which was sold exclusively to governments and government agencies. Now, because of the work of criminals, that ability to control who uses the technology has been lost. Terrorists, extortionists and others can deploy this technology at will if they have the technical ability to do so. We believe this is an extremely dangerous situation,” Hacking Team said.