Cyberwar (2016) s01e03 Episode Script

Cyber Mercenaries

Ben: Spyware is secretly used by governments To track criminal activity.
This is about surveilling the activities of somebody Who is either thinking about breaking the law Or has actually broken it.
It's also deployed by repressive regimes To spy on their opposition.
A government is a surveillance machine.
Journalists and dissidents are targeted for surveillance.
Whenever you speak against the government, You are a terrorist.
Cyber weapons markets jeopardize lives in the name of profit.
We don't have official laws That provide for transparency and accountability.
Should cyber mercenaries be held responsible? I'm going to meet someone who believes he's a victim of Cyber mercenary surveillance.
Mesay mekonnen is a journalist for esat, An ethiopian news network.
From this nondescript office, mesay and his team Can influence a country of more than 99 million.
So why don't you explain to me what esat is? Esat is an independent media organization.
It's established by ethiopians, journalists who have been Fled from ethiopia because of the situation in ethiopia.
We are working for the people of ethiopia, The voice for the voiceless, So we are giving platform to the opposition.
And you're all journalists in exile? Yeah, all.
The last 10 years, more than 100 journalists now have fled.
Why are the government going after journalists? Media is their first enemy.
There's no free media in ethiopia.
People working as free media, They think that they are against the government.
And whenever you speak against the government, You are a terrorist.
The ethiopian government has been consistently singled out By the un and human rights watch for instances Of targeting journalists for doing their work.
The ethiopian government Continued harassing opposition members.
Several coalition members in oromia and southern ethiopia Are also intimidated, detained and tortured For their involvement in politics.
December 2013, esat employees were targeted with a series of ware attacks through skype.
I got this friend request, and the logo, The person who sent me a friend request is esat's logo.
So I thought that it is a friend and not a bad guy, So let me accept him.
When I accept him, he sent me immediately a pdf file, And I tried to open.
There is My computer, full of broken words, And I got shocked.
To find out who was behind the attack and how they did it, I traveled to san francisco to speak with bill marczak Of citizen lab, a cyber surveillance watchdog.
When he came across the esat file mesay received, He got in contact with mesay and examined the malware That had infected his computer.
What did you discover? So what we did was we looked at the server which the spyware Was communicating with to see if we could figure out any clues About the spyware's origin.
The reason why spyware communicates with a server Is because it steals information off of your computer, And it needs to send it to the attacker somewhere.
And one of the things we noticed is that The server actually returned an ssl certificate that said, "issued by htsrl."
An ssl certificate is a digital certificate used to authenticate And create a secure link between a website and an end user.
And it also contained in the description, "rcs certification authority," and rcs being the acronym for Remote control system, which is a product Of an italian company known as hacking team.
Based in Italy, hacking team Has branded itself a global supplier of spyware, With ads like this, featuring a shady black hat hacker To hawk their tools and support services.
Voice: Rely on us.
Ben: But they're not the only game in town.
Companies like finfisher, cyberbit and trovicor Also sell surveillance software.
Their spyware can surveil cell phones, Monitor your computer's camera and microphone, And steal emails, passwords, contacts and files.
So we issued this report through citizen lab, And immediately hacking team issued their denials.
But interestingly, we were monitoring the command And control server which the spyware had communicated with, And we noticed that it was very quickly pulled offline.
And then the hacks came back.
The hacks came back, yes.
In 2014, there were several instances where members of esat Received emails containing hacking team spyware.
Who was targeting them? When we traced this spyware to this endpoint, There was an internet address registered To a satellite company which provides services across All of africa, the middle east, and some places in europe.
And we queried this range of ip addresses, and we found that One of them had identified itself as insa pc.
I was like, "okay, google, what is insa?" Ethiopian information network security administration, Government of ethiopia.
I was like okay, this is it.
Citizen lab caught the ethiopian government Trying to spy on journalists.
And the spyware they used was supplied by hacking team.
The one guy who could really explain the bigger picture Was citizen lab's director, ron deibert.
You've taken a particular interest In digital surveillance tools.
Why is that? There is a huge market for surveillance technologies, And what we found is that that market extends to Some of the world's most notorious autocratic regimes And human rights abusing countries.
And that's a problem from a human rights perspective.
Surveillance in and of itself is not a bad thing.
It is, I think, naive to expect we'd ever go back To any sort of pristine time where there is no surveillance.
It's just part of human nature.
A government is a surveillance machine.
From the 15th century to today, it's the same.
The question is: What is that surveillance for, And are there proper checks and balances around it? That applies to what citizen lab does, It applies to what google does, It applies to what the United States does.
Or ethiopia.
Or ethiopia, yeah.
How do you feel that there's a company in Italy, That's a free country, Selling cyber surveillance tools to your country? It's very, very unfortunate to, you know Learn that these democratic countries, you know Helping dictatorship in africa.
Hacking team had been caught red-handed, So I wanted them to explain why they knowingly armed An authoritarian regime with their surveillance tools.
Ben: In 2013 and 2014, the ethiopian government targeted Journalists with spyware supplied and supported By an italian company called hacking team.
I think the view that we need 100% privacy And anything else comes second is a shortsighted view, And doesn't recognize the realities of the digital world.
Eric rabe is hacking team's Chief marketing and communications officer.
We met in new york.
How about the case of ethiopia? Yeah, ethiopia is a country that we became convinced Was using the software in an inappropriate way against A person here in the us, a purported journalist.
The ethiopian government frankly argued that that person Was also a member of a An organization That was actively trying to overthrow the government, And that's why they wanted to surveil him.
So it was a legitimate sale to a customer who seemed to need it And seemed to be willing to use it in an appropriate way.
We found out differently.
We suspended business with ethiopia, And they're not a client anymore.
These are some pretty powerful tools that you're selling.
Well, they allow surveillance of activity in the digital space.
You know, with everything encrypted from end to end, Phone calls and internet communications And email messages, the only way an investigator Can actually tell what somebody is doing In that digital space is by accessing those tools Either before they're encrypted or after they're decrypted.
And that happens only in one place, And that's on the device itself.
So this software allows observation Of that activity on the device.
So are these legitimate tools, do you think? I think they are legitimate tools, And I think they're really necessary for law enforcement.
This is not about, you know, Listening in on your cell phone conversation.
This is about surveilling the activities of somebody Who's either thinking about breaking the law Or who's actually broken it.
Although he has no direct evidence, Mesay believes that the data gathered by The ethiopian government through hacking team's software Had devastating consequences for his colleagues.
Did any of the people that you were contacting Go to jail because of that hack? Yeah! Three of our contacts are now in jail.
So hacking team malware Essentially helped put ethiopians in jail? Definitely.
So you're talking about privacy, security.
What about human rights? I don't think hacking team is the principal Human rights enforcement agency for the world.
We're a software company that serves law enforcement.
That's what we do.
We're not embarrassed about it.
We spoke to people at esat who were the targets of ethiopian Hackers, and they wondered why hacking team would sell To a country who has obvious human rights violations.
Ethiopia was not on anybody's blacklist.
There was no prohibition that any country The us, the eu, nato or anybody else - Had against ethiopia at the time that software was sold.
That said, it doesn't take a global affairs phd to know That they've violated some really basic human rights.
Well, then I would suggest that The appropriate Channel is for Italy, for example, To refuse to allow us to sell there, or for the un to act.
But then who's responsible For what happens in the fallout of using these tools? Does hacking team absolve themselves of that, or? No, I don't think so, but I think the human rights Organizations are unable to get to the countries involved Who are really responsible for the human rights abuses.
So they turn to, you know, those that they can reach, That is companies like hacking team.
It's not an unreasonable political tactic to use, But I don't think it's reasonable to say that Hacking team is responsible for human rights abuses.
July 5th 2015, an infamous hacker known as phineas fisher Breached the hacking team's servers, exfiltrating over 400 gigabytes of documents And posting them online for anyone to see.
Security experts around the world Celebrated the leak on twitter.
All of hacking team's dirty laundry spilt onto the internet, Exposing price lists and software source code.
Client lists showed sales to the fbi, dea and us army.
Even an officer with the campus police force at uc santa barbara Was interested in buying its malware.
It also showed that hacking team was selling To governments notorious for human rights abuses, Places like kazakhstan, bahrain and sudan.
Maybe the hack was a good thing, it was a kick in the ass.
I don't think it was a good thing! it was a You know, it was a criminal act.
I mean, there's sort of something about, "It's kinda cool, it's sort of robin hood, blah blah blah."
No, it's not robin hood.
It's al capone.
You can't, just because you disagree with somebody, You know, destroy them or attempt to destroy them.
And what about the hacker who hacked you guys? Phineas fisher? I would love to meet him! I wanted to meet the legendary phineas fisher too, But that would prove to be pretty complicated.
Because after the leak, like any skillful hacker, Phineas fisher kept a low profile.
Ben: A black hat hacker had hacked hacking team's servers, Stealing hundreds of gigabytes of data.
After leaking it online, Phineas fisher all but disappeared.
But with an assist from my colleague at Vice's tech and science site, motherboard, We finally negotiated interview terms.
Since we wouldn't be able to show his face, The hacker had a strange request: He would only Do the interview if he was represented by a puppet.
These are the exact words from our live text exchange, Voiced by one of my colleagues.
What was the goal on hacking the hacking team data? Were you trying to stop them? Well, for the lulz.
I don't really expect leaking data to stop a company, But hopefully it can at least set them back a bit And give some breathing room To the people being targeted with their software.
We spoke to some ethiopian journalists who were targeted By their government using hacking team's software, And they wanted to thank you.
cool.
Kinda weird seeing my hacking addiction - I mean, hobby - Actually affecting people in the real world in a positive way.
What do you think of surveillance companies, And hacking team specifically? I would say they're people with no morals going where The money is, but that's maybe not entirely true.
I imagine I'm not all that different From hacking team employees.
The same addiction to that electronic pulse And the beauty of the baud.
I imagine if you come from a background Where you see police as largely a force for good, Then writing hacking tools for them makes some sense.
But then citizen lab provides clear evidence it's being used Mostly for comic book villain level of evil.
In all, the finfisher and hacking team customers Where targets of the spying have been identified in bahrain, Ecuador, mexico, ethiopia, it's all investigative journalists, Dissidents, political opposition, etc.
Being targeted.
Not real crime, but threats to those in power.
While hacking team was selling spyware To law enforcement agencies tasked with catching criminals, They also sold to authoritarian regimes who use their wares To crack down on dissent.
Other details revealed through the hacking team data dump Information about companies were supplying hacking team With the technology to build their spy tools.
Security firm netragard was singled out for selling them A zero-day; that is, an undiscovered security flaw In software that can be exploited to penetrate a system.
Buying and selling zero-days is legal, but covert.
While they can be used to test and improve A company's network security, zero-days can also be used To inject malicious software into a computer.
A piece of technology that I created Well, brokered really, 'cause I didn't really create it.
But a piece of technology that I brokered, a deal that I was involved with, potentially armed these rogue nations With a tool that let them break into these other systems? I didn't want any part of that.
Adriel desautels admitted to selling a zero-day exploit To hacking team after the esat hack.
I think that it should be your responsibility To make sure that you are not selling to somebody That you believe will do anything malicious.
That said, netragard - respected, above-board company - You sold to hacking team.
When you misuse a zero-day, who's more at fault: The broker or the end user? When you misuse a zero-day, the end user, absolutely.
I mean, if I sell You know, I'm nike, and I sell shoes to some guy, And he runs down a woman and rapes the woman.
Is it nike's fault for selling the sneakers? Or what about microsoft? How many people have been hacked by somebody Using microsoft's operating system? Microsoft's not accountable for that, right? The ethics of it and the responsibility of it Are up to the actor or the team responsible For executing that specific operation.
Adriel's moral dilemma seemed hard to avoid in the grey market Where zero-days are bought and sold, A market fuelled by a booming cyber arms trade.
So I went to london to meet edin omanovic, A cyber surveillance researcher for privacy international.
So have you always been interested in the arms trade? Yeah.
Just, you know, coming from bosnia I've been interested in Conflict and the arms trade and foreign policy and so on.
Right, how the weapons gets where Yeah, exactly, yeah.
Does this surveillance market Does it mirror at all the conventional weapons market? What you've got in the arms market is a system whereby Governments have some kind of control over the exports.
So they would be able to say to this company, "you're selling this. We wanna be able to control who you're selling that to."
At the moment, that doesn't exist for The surveillance market, because much of the technology is new.
Governments need to step in and say that if a product is being Sold from their country to a regime where it's gonna be used For human rights abuses, they need to be able to stop that.
And who are the major players in it Who are buying these technologies? It would be countries without their own capability To develop these kind of tools, Which oftentimes tend to be authoritarian countries.
Where are these companies based that are selling them? Generally they tend to be in well-developed countries With big ict and defense security sectors.
How big is this industry? Actually, one of the scariest things is that Because it's so secretive, nobody actually knows.
There's been a few estimates by people in the industry, Somewhere in the region of $5 billion a year.
But ultimately, 'cause it's so secretive, There's just no way of knowing.
They want it to be kept a secret.
So it stays in the shadows that way.
Stays in the shadows.
From a growing arms and surveillance market.
But cloaked in secrecy, there's no way of knowing How big it really is.
And citizen lab director ron deibert thinks There's an even more fundamental problem.
It's only going to continue to grow.
And once states' armed forces and intelligence agencies Start equipping themselves, their adversaries take it as A challenge and do the same, and it ratchets up constantly.
There's certain conditions that tend to favour arms races, And if you look at the environmental conditions Around cyberspace, many of them are there.
So like, you know, offense has the advantages, Speed and so on.
It's very difficult to verify.
Wow, that's a scary proposition.
We don't have enough weight Behind the idea of watching the watchers.
Marietje schaake is a member of the european parliament. She's been leading the charge to include spyware Under international arms law.
Do you think the vendors are responsible if they make a sale To an authoritarian regime? Well, they should be helped in making the right assessment.
If a company like hacking team can operate legally, That is the most clear sign that our laws are outdated and Desperately need to be updated, to make sure that there is No unintended consequences and that we stop this Grey and unregulated market from going on the way it does.
But can you really regulate, police computer code? The fact of the matter is that we don't have official laws that Provide for transparency and accountability in this market.
There's only very few measures such as The wassenaar arrangement or such as sanctions On specific countries like iran and syria, The worst of the worst human rights violators.
Hacker phineas fisher thinks there's not much difference Between the good guys and the bad guys anyway.
The difference between authoritarian regimes And democratic ones is the hacking team customers Jail, torture and kill, where the democratic ones Have gentler ways of managing dissent.
But many in the international community Do see good and bad guys.
And that's why they drafted the wassenaar arrangement, Which regulates the export of both conventional arms As well as technology that can be used as arms.
It's been signed by 41 countries.
In 2013, network surveillance and intrusion software Was added to its list of restricted items.
I think that that arrangement, as is built today, Will help to destroy the security industry.
Adriel is one of many security researchers Critical of the arrangement.
If you take a company that operates in multiple countries, That company might suffer a breach, and you might have A piece of technology here, you know, that is somehow Regulated because of offensive capabilities.
With wassenaar in place, you can't just send that information Over to your other division.
You have to go and apply for the license, And by that time, the hackers have had a field day And taken whatever they wanted.
It prevents fast response.
I believe it was written with good intention, But I believe it was written by politicians and people Who didn't really understand the nature of zero-days.
And more importantly, they didn't understand How grey the boundaries are.
Despite the grey boundaries, hacking team claims to be In full compliance with the wassenaar arrangement.
But in the wake of the leak, the italian government revoked Hacking team's global license.
They now have to apply for an individual license every time They want to export their software outside of europe, A sign that times may be changing For spyware manufacturers.
If you could say anything to the hacker who hacked hacking team, What would you say? Keep on hacking these hackers, and expose them.
They are helping, they are fuelling Dictatorship in ethiopia.
The market for spyware is growing fast.
Without tough legislation around the sale of these cyber weapons, Anyone can be a target.
Including me, including you.
