SAN FRANCISCO — On the afternoon of April 22, Dotan Peltz, the head of sales at an Israeli surveillance company called NICE Systems, emailed his colleagues at the Italian surveillance company Hacking Team to describe an upcoming “African opportunity.”
Writing in the informal yet cryptic style used across hundreds of emails exchanged between the two companies, Peltz wrote that the “process is boiling” and that it “is being sponsored by the topmost level of the country.” Only the subject line gave away that the country in question was Uganda, while subsequent emails revealed that “the process” was a package of surveillance software for the government. The two companies had already sold software to Uganda’s police force, but they hoped that the new contract would be much larger.
Nowhere do the emails question what the Ugandan government would do with the software, despite Uganda’s frequent appearance in the newspapers that month for its surveillance of human rights organizations in the country, and attacks on local LGBT groups.
The Milan-based Hacking Team and Tel Aviv-based NICE Systems are two of fewer than a dozen companies worldwide that deal in the distribution and development of surveillance software to nation states. Hacking Team, which describes itself as a company that provides lawful interception tools for police and security officials worldwide, has been repeatedly linked to countries that use surveillance software to repress minority and dissident groups.
[Image: Hacking Team’s website as of Aug. 24. Credit: Hacking Team]
Until recently, the level and scope of their cooperation with NICE Systems was undocumented. But on July 8, a group of hackers leaked one million of Hacking Team’s internal emails, laying out all of the company’s secrets and explaining, in their own words, how they use malware and vulnerabilities to create spyware that can get into nearly any computer and smartphone.
The breach showed that Hacking Team and NICE exchanged nearly 3,000 emails between August 2010 and July 2015. While codenames were used in many of those emails, BuzzFeed News found at least five countries where the two companies were discussing doing business: Uganda, Mexico, Finland, Colombia, and Israel.
The contracts being discussed would provide those countries with Hacking Team’s Remote Control System, which allows governments to use so-called zero days, unknown vulnerabilities in software that hackers can exploit, to infect the phones of anyone in their country, as well as to monitor emails, record keystrokes, and snoop on their phone and computer cameras and microphones.
Spokespeople for Hacking Team and NICE declined to answer repeated requests for comment from BuzzFeed News, or give further details about the way in which their companies work together on those contracts. One Israeli employee of NICE, when reached by BuzzFeed News on a cell phone number revealed in many of the email exchanges, said, on condition of not being named, “Don’t be childish. Of course we do business with Hacking Team. We do good business with them and there is nothing wrong with that.”
In April 2014, LGBT activists in Uganda began noticing that their computers and cell phones were behaving suspiciously. Phishing emails began to target the community, asking them to click on what appeared to be links to news articles, but which activist groups in Uganda later identified as malware.
“I received this link from multiple people in my mailing list, therefore it was hard for a layperson to know that it was a spyware,” one person told the Ugandan civil rights NGO Unwanted Witness. The NGO said it tested the email and found malware that appeared to be linked to the Zeus malware, a notorious piece of spyware that collects contact details, correspondence documents, and other personal information from infected computers.
“It was designed to sweep as much material from the infected computer as possible, and then use the address book to reach out to all of the contacts available through that person. It was very smart malware,” said one cybersecurity expert, who is based in Uganda and spoke to BuzzFeed News by phone. He asked not to be identified by name as he is still working to help the community and is afraid of being targeted by the government. “I don’t know who created the malware, but they were targeting this community.”
In recent years, Uganda has enacted a series of laws that restrict access to information online, as well as personal rights to online privacy. The 2014 Anti-Pornography Act, which defined pornographic material very broadly, required internet service providers to monitor and preemptively filter and block content.
LGBT activists, meanwhile, have been fighting against a number of attempts to reinstate the Anti-Homosexuality Act, which mandated up to a life sentence for homosexual “offenses” and criminalized abetting homosexuality. The act also criminalized the use of electronic devices “for the purposes of homosexuality or promoting homosexuality.”
Despite the act being struck down by the courts, Ugandan LGBT activists believe their computers to be monitored, and say the malware that targeted their computers in April 2014 was just one of the instances they knew of.
“This malware, the phishing emails, we found them and so we knew about them. Who knows what we can’t find? Who knows what is already infecting our computers and phones?” said the Ugandan cybersecurity expert.
No group has claimed responsibility for the April 14 malware. Email exchanges suggest that NICE and Hacking Team were already doing business in the country at that time, but the Ugandan activist groups who analyzed the malware said they had no way of telling whether it came from NICE and Hacking Team or from another surveillance software company.
Emails exchanged between Hacking Team employees show, however, that they used similar malware attacks in the past. In a July 2012 email chain, employees discuss among themselves a post on the Dr. Web antivirus blog about a newly discovered piece of malware. While some cybersecurity experts linked the malware to Hacking Team, the group assures itself in the email chain that the malware can’t be definitively tied back to them. “They don’t have a clue,” and “they don’t really understand what it is,” are among the reassurances sent out by various people on the Hacking Team email chain, who watch and email each other as Kaspersky and other cybersecurity firms analyze the malware and conclude it is being used by criminals on the black market.
“They think we are a new Zeus,” writes Alberto Ornaghi, a Hacking Team engineer, referring to the Zeus malware, which was well-known at the time. “It’s only positive for us,” he adds, saying that they had not discovered any other clues in the malware to point back to Hacking Team.
One quote from the blog, in particular, was highlighted by the Hacking Team CEO David Vincenzetti.
“It’s unclear if the malware, which offers functionality similar to the Zeus financial malware, has been designed solely with black-market distribution in mind, or whether it might also be marketed to law enforcement agencies.”
Of all the companies with which Hacking Team corresponded, NICE appears to be their largest partner. Run by Barak Eilam, a former member of Israel’s 8200 cyberintelligence unit, NICE was acquired by the Israel-based global electronics defense company Elbit Systems for $157.9 million in May 2015.
In discussing the countries by email, the companies referred to them using codenames only, a sample of which can be seen in this email sent by Hacking Team VP of Business Development Philippe Vinci on May 13, 2015.