Screen shot of spyware manufacturer’s logo from Twitter

The president of Italian spyware manufacturer, Hacking Team, joked about WikiLeaks publishing a leak about the firm’s technology on June 8.

“Imagine this: a leak on WikiLeaks showing YOU explaining the evilest technology on earth! :-),” CEO David Vincenzetti wrote in an email. “You would be demonized by our dearest friends the activists, and normal people would point their fingers at you.”

Vincenzetti was referring to an “end user,” who wanted the firm’s training to be recorded. He rejected the request fearing video would become “freely available on the Internet.”

“Leaks happen, happen to everyone including the NSA,” Vincenzetti declared. “It happened to me once when I was working as sales man for our technology. I was in Asia. One of the attendees pulled out a camera and started video recording my presentation. I immediately stopped and said: no way. He put the camera in his pocket again.”

Now, for the past few days, over 400 gigabytes of emails from Hacking Team dumped on the internet by hackers have been available. More than a million emails are in a searchable database at WikiLeaks for activists, “normal people,” and journalists to browse and uncover details related to business relationships Hacking Team had with law enforcement agencies in countries with repressive regimes.

WikiLeaks previously published a few documents from Hacking Team when it released “The Spy Files,” which exposed aspects of the global surveillance industry. A presentation, video, and brochure about “remote control systems” or RCS, which Hacking Team sells to law enforcement and intelligence agencies to use against users, were posted on the media organization’s website.

According to Privacy International’s briefing to the Italian government [PDF], RCS is an invasive surveillance technology that can “covertly collect, modify, and/or extract data from a device through the installation of malicious software on the device. The malware is inserted on the computer as a trojan, or a malicious code disguised in inconspicuous files or attachments, and is executed on the device.”

Hacking Team’s technology makes it possible to bypass encryption in “common communications services software” and to log Skype calls, emails, instant messages, web browsing data, deleted files and even shots that are taken with a computer’s webcam.

In September 2013, WikiLeaks published data that showed where Hacking Team surveillance salesman had traveled. It was part of a counterintelligence effort put together by WikiLeaks.

“This is BLATANT privacy violation! HOW did they collect such information?” Vincenzetti reacted in an email on September 5, 2013.

Alberto Ornaghi of Hacking Team replied, “If you are a TELCO operator with access to SS7 signaling it’s easy to know where a phone is,” and, “We could provide our key traveller [sic] a different phone number (when they are abroad) and see a call-forwarding from the old number (always in italy).”

One employee thought the information on Hacking Team operations was from a whistleblower in a telecom provider the firm used. The employee suggested switching to a new provider.

When documents were posted to WikiLeaks in December 2011 that called attention to Hacking Team, Marco Bettini, who would later have his travel on behalf of the firm exposed by WikiLeaks, worried about someone leaking information obtained at the Intelligence Support Systems (ISS) conference in Kuala Lumpur. Bettini believed posted documents came from an ISS event and exhibitors, which were in attendance.

Bettini advised someone involved in organizing conference to prevent anyone from sneaking into the conference. He mentioned an event in Washington, DC, where someone’s ID had to be “double-checked.”

“It could be useful to enforce the controls, especially on those who are not LEAs,” or individuals from law enforcement agencies, Bettini suggested.

Later in the month, the firm alleged that a Vodafone Group employee, who invited a blogger, had been responsible for the publication of documents on ISS vendors.

“We requested Vodafone Management to conduct an internal investigation why Vodafone employee, Mr. Aaron Martin has invited an anti-LI blogger Mr. Eric King, who was presented to us by Mr. Martin as ‘Vodafone consultant.'”

On September 4, 2013, a story was published by the French publication Rue89 on WikiLeaks tracking Hacking Team employees and employees of other companies.

“The tracking of HT employees’ travel (and travel by employees of many other companies) is a service WikiLeaks provided to a number of journalists.  The attached story is the first I’ve seen, but there will be others judging from the several media contacts I’ve had on this subject,” Eric Rabe said in an email

The firm’s CEO expressed amazement that WikiLeaks was focused on “very small” products like FinFisher or RCS, which he insisted were “lawfully sold” to law enforcement or security agencies to “fight crime.” Vincenzetti wondered why more focus was not on the United States, since Prism, Hemisphere, bugs planted at European embassies, etc, had been revealed in disclosures from NSA whistleblower Edward Snowden.

Rabe wrote off the tracking of the firm’s employees as a “cheap stunt.”

“Their “blockbuster” reporting seems to have been based on Google web searches that anyone could have done – certainly in the case of anything they’ve published to date regarding HT,” a comment that does not seem to align with the suspicion expressed by another employee that someone was possibly sharing data on them with WikiLeaks.

In another email, Rabe stated, “Even if we accept the premise that the owner traveled with the phone, this record shows absolutely nothing about the purpose of the trip (vacation travel?), or the results.  And it certainly says nothing about where our clients are, the legitimacy of their use of our technology or any matter really related to the allegation that somehow our software is used for unsavory purposes.   This is a typical WikiLeaks — innuendo, based on half-baked but authentic looking data and the occasional actual fact.”

“It’s important not to get drawn into arguing facts that are not in evidence — something these guys love to do.”

Employees like Rabe were careful to confirm details in documents published by WikiLeaks because they did not want anyone to think what the organization published on Hacking Team was credible.

Rabe exchanged emails with a French journalist in October 2013. The journalist wanted to confirm that Maana was an employee of Hacking Team. Rabe “didn’t want to confirm that WikiLeaks had any credible information so played dumb on this one.”

Somewhat absurdly, when Stefania Maurizi, an Italian journalist with L’Espresso, contacted Hacking Team for comments related to what WikiLeaks exposed, the firm’s CEO replied:

L’Espresso is a quasi-tabloid, WikiLeaks-linked newspaper. In particular, this journalist looks exceptionally aggressive to me: his mail does not look like a media enquiry: it looks like a true police interrogation.

Would you please provide him with a general reply saying that we obviously can not disclose such information? I would also ask her what her “reliable source” are: I take that is a true privacy violation to watch where our people travel to. Finally, it is a fact that we travel to many countries but that does not imply that we do business in every country we travel to: it is very common to meet clients from any given country in a different country, for logistic reasons.

I have just expressed my suggestions and I might be wrong – I am sure that, given your experience and professionalism, you know much better than me how to deal with such a weird person.

On one hand, Hacking Team seems threatened by anyone connected to WikiLeaks possibly exposing anything about them, and on the other hand, there are a number of emails that dismiss WikiLeaks as a nuisance. Both attitudes reveal a level of insecurity and demonstrate that WikiLeaks effectively got under the skin of people at the surveillance firm.

Someone emailed Hacking Team in October 2013, about the time that WikiLeaks was responsible for all the attention the firm received from media. The person requested to be hired.

“I am currently working on Hacking the 400GB insurance files leaked by Wikileaks if you haven’t already. [And] I’m looking for a huge word list also.”

If Hacking Team took the user’s request seriously, none of the employees sent a reply via email.

*For a full database of emails from Hacking Team, go here.

Kevin Gosztola

Kevin Gosztola

Kevin Gosztola is managing editor of Shadowproof. He also produces and co-hosts the weekly podcast, "Unauthorized Disclosure."