
Cyber Incident Victim: Hacking Team

Date:

Jul 2015

Location:

Italy

Summary

A notorious Italian surveillance firm specializing in intrusion tools for governments was compromised, leading to the public release of 400GB of internal data including source code, emails, and client documents. Attackers defaced the company's Twitter account and exposed confidential contracts, revealing clients in multiple countries with documented human rights abuses—contradicting claims of avoiding oppressive regimes. Leaked invoices and maintenance records implicated agencies across law enforcement and intelligence sectors, while poor password practices by employees and clients, such as weak credentials stored in exposed files, further compounded the breach. The incident highlighted questionable business relationships and operational security failures within the organization.


Description

On July 5, 2015, attackers compromised Italian surveillance firm Hacking Team, leaking approximately 400GB of internal data through a publicly accessible torrent file. The breach occurred while public attention was focused on the Women's World Cup final, with attackers simultaneously defacing the company's Twitter account to display a modified logo, an altered biography, and direct links to the leaked materials. The data dump contained source code for Hacking Team's proprietary tools, internal email communications, financial records, client contracts, and configuration documents. Attackers exposed the company's global client list, revealing government customers across 35 countries including Sudan, Ethiopia, Egypt, Russia, South Korea, and the United States, contradicting Hacking Team's longstanding claims of avoiding business with oppressive regimes. Specific evidence included a €58,000 invoice to Egypt for their Remote Control System (RCS) Exploit Portal and a $1,000,000 ETB contract with Ethiopia for surveillance equipment and services. Maintenance records showed active contracts with Spain's National Intelligence Centre (CNI) valued at €3.4 million and the FBI until June 30, 2015, while listing Russia and Sudan as "Not officially supported." The attackers operationalized the breach rapidly, publishing select documents on social media through accounts like @SynAckPwn to highlight Hacking Team's business relationships with governments accused of human rights violations.


The data exposure revealed systemic security deficiencies within Hacking Team, including poor password hygiene among employees and clients. Security engineer Christian Pozzi's Firefox password store was leaked, containing weak credentials like "HTPassw0rd" and "Rite1.!!" for financial, social media, and network infrastructure accounts. Client configuration files exposed similarly vulnerable passwords such as "Passw0rd!81" and "Pas$w0rd," alongside operational details showing Hacking Team advised Egyptian and Lebanese clients to use U.S. and German-based VPN services. The breach disclosed phishing infrastructure linked to Ethiopia's Meles Zenawi Foundation, including eight domains registered by Biniam Tewolde potentially targeting high-value individuals. Human rights organizations cited the Sudan contract as particularly damaging given documented violent suppression of protests by Sudanese security forces. While Hacking Team issued no official response during the initial disclosure period, internal documents indicated impending contract renewals with agencies including the DEA and maintenance agreements extending into 2016 for EU clients. The attackers maintained continuous pressure by progressively releasing sensitive materials over several hours, ensuring maximum visibility through coordinated social media dissemination.
