After nearly 20 days, the breach of Hacking Team and the eventual release of its communications, documents and surveillance tool details continued to ripple through the security industry.
On Wednesday, the Italian company issued a second comment confirming its sale of technology to Sudan, which many observers speculated broke UN sanctions against the country.
Hacking Team argued otherwise.
“At the time of the company's only sale to Sudan in 2012, the HT technology was not classified as a weapon, arms or even dual use,” Eric Rabe, chief marketing and communications officer, wrote. “In fact, it is only recently that Hacking Team technology has been categorized under the Wassenaar Arrangement as ‘dual use technology’ that could be used for both civil and military purposes.”
The Wassenaar Arrangement places limits on the export of various goods and software, especially “intrusion software,” which is defined as “software that is designed or modified to avoid detection by monitoring tools, or to defeat protective countermeasures of a computer or network capable device.”
It must also extract data or information, or modify a system or user data. It could also modify the standard execution path of a program or process to allow for the execution of externally provided instructions.
Rabe claimed in his post that the only criminal activity involved in the Hacking Team breach was the breach itself.
“In the case of every sale, Hacking Team has complied with regulations in effect at the time of the sales,” the post stated. “Today the company complies with new regulation developed in 2014 and enacted in January 2015. Under the new regulation, Italy reviews all sales of Hacking Team technology in accordance with European Union and Wassenaar Arrangement requirements.”
With that in mind, one well-known security researcher, Collin Mulliner, called the company out for using his research as a structural backbone in its Android surveillance tools.
The leaked code demonstrates that the Italian company used Mulliner's open source Android Dynamic Binary Instrumentation tool, which provides injection functionality.
Beyond using the tool, however, Hacking Team left the researcher's copyright information in its files, including his name, email and website, which could suggest that he helped build the company's product.
“I'm pretty angry and sad to see my open source tools being used by Hacking Team to make products to spy on activists,” Mulliner wrote. “Even worse is the fact that due to the lazy way they managed their source repository less informed people might get the idea that I developed parts of their tools for them. Just to make this very clear: I did not write any of those tools for Hacking Team.”