FBI, DEA, US Army bought spyware from hacked Italian company

Internal documents of the Italian malware maker Hacking Team, leaked online in a hacker attack, show that the FBI, Drug Enforcement Agency and the US Army all made use of its controversial spyware known as Remote Control System, or Galileo.

The FBI’s secret Remote Operations Unit has been using Hacking Team’s software since 2011, according to leaked documents analyzed by The Intercept. Galileo allows users to take over their targets’ computers, activate their cameras, and record their calls, emails, and keystrokes.

The DEA has used the software in Colombia since 2012, with an eye to expanding it to countries such as El Salvador and Chile, the company’s emails reveal. The Army unit that purchased Galileo in 2011 was based at Fort Meade, Maryland – home of US Cyber Command.

Hacking Team referred to its US clients by code names: the FBI was “Phoebe,” the DEA was “Katie,” and the CIA – which did not buy the software, but appears to have tried it out – was “Marianne.” Emails show the Milan-based company also demonstrated the software to district attorneys in New York, California and Arizona, several multi-agency task forces, the Pentagon, the NYPD, and Immigration and Customs Enforcement (ICE).

“We do not disclose the names or locations of our clients” and “we cannot comment on the validity of documents purportedly from our company,” Hacking Team’s US spokesman Eric Rabe said in a statement.

Before its email system went down on Monday afternoon, Hacking Team sent a notice to all customers requesting they shut down all instances of Galileo, multiple sources told Vice’s Motherboard blog.

This may be because every copy of Galileo is apparently watermarked, so anyone with access to the data can figure out who is operating the software and who is being targeted by it.


“With access to this data it is possible to link a certain backdoor to a specific customer,” the source told Motherboard. “Also there appears to be a backdoor in the way the anonymization proxies are managed that allows Hacking Team to shut them off independently from the customer and to retrieve the final IP address that they need to contact.”

While it remains unclear how the hacker managed to access the files, sources told Motherboard that it was most likely through the computers of two Hacking Team systems administrators, Christian Pozzi and Mauro Rome. Some 400 gigabytes of the company’s data was posted online over the weekend, with one anonymous source indicating the total breach may have been even bigger.

“The hacker seems to have downloaded everything that there was in the company’s servers,” said the source. “There’s pretty much everything here.”

Hacking Team was described as being in “full emergency mode” over the leak, but it is unclear what the company can do to repair the damage to its own reputation, or to that of its clients.