Koen Rouwhorst

personal blog

Dutch police are looking to buy Hacking Team spyware

Published on July 08, 2015

Hacking Team, the ethically bankrupt Milan-based company that sells surveillance technology to anyone willing to pay, got hacked. The hack was announced in a tweet last Sunday on the firm's own hacked Twitter account, accompanied with a link to a torrent file for a 400 GB archive comprising internal emails, financial documents and source code.

Hacking Team demonstration overview

Overview of the RCS demo that was sent to the client

When going through the leaked email archives, with the help of Jurre, I came across a conversation in which a meeting had been scheduled for last Monday between Hacking Team and the Dutch National Police (formerly known as KLPD). During this meeting Hacking Team planned to demonstrate its Remote Control System (RCS) (a.k.a. Galileo), which is a spyware toolkit that can be used to, among other things, remotely and covertly activate cameras, exfiltrate emails, record Skype calls, log typing, and collect passwords. This is remarkable because Dutch law enforcement at the moment is not allowed to remotely access so called "automated works" (e.g. computers and phones). A proposal that would grant law enforcement such powers is expected to be submitted to the Dutch parliament later this year.

This is not the first time Dutch law enforcement takes an advance on possible future legislation. Last August, data obtained from the FinFisher breach revealed (1, 2) that the Dutch National Police held active licenses for FinSpy and FinSpy Mobile. Both products are similiar to Hacking Team's RCS and can be used to remotely and covertly monitor Skype conversations, extract files, record microphone use, and take screenshots and photos using the device's camera.

This scheduled meeting came after two employees of the Dutch police visited the Hacking Team booth at the UK Home Office-sponsored Security & Policing conference in March this year. They seemed impressed with Hacing Team's product and arranged a demo through an intermediary, a company named Providence. The meeting was scheduled on Monday June 6, the day after the night the hack was announced. In one of the emails the police specifically requested that a technical expert was present at the demonstration as they did "not [want] a sales pitch, but a real capability overview.". It is unclear whether the meeting took place as Hacking Team went in full emergency mode the same day.

Demo

Calendar event for the planned demo with the Dutch police

Email conversation

Below you will find the full email conversation between Hacking Team and Providence (intermediary) in chronological order. Names for all those involved have been replaced with their initials:


FROM
[HT-PV]
SENT
Monday, June 8 2015 13:01
TO
[PV-PS1]
CC
[HT-GR]; [PV-MD]; [HT-AS]; [PV-ER]; [HT-MB]
SUBJECT
Re: Travel to the Netherlands

H [PV-PS1],

It was nice catching-up with you last week during ISS.

As promised I'm coming back to you regarding the RCS training in Milan. Our objective is to train you during a partner training for 2 full days so that you can come back to us with a Social Engineering training that is already adapted to our solution and to our customer's needs.

Our best alternative date would be June 30th to July 1st in Milan. How would those dates fit with the respective agenda of the 2 persons from Providence who will participate ?

Let me know as soon as you can, as we are also checking availability of the other partner.

Regarding the trip to the Netherlands and the presentation/demo to National Police (ex KLPD) and Netherland Intelligence, let me know which are the best dates/alternatives so that we can book the week and the presence of a Field Application Engineer.

Thanks in advance

--
[HT-PV]
VP Business Development

Hacking Team
Milan Singapore Washington DC
www.hackingteam.com

email: [XXXXX]@hackingteam.com
mobile: +39 [XXXXXXXXXX]
phone: +39 [XXXXXXXXXX]


FROM
[PV-PS1]
SENT
Monday, June 8 2015 18:40
TO
[HT-PV]
CC
[HT-GR]; [PV-MD]; [HT-AS]; [PV-ER]; [HT-MB]
SUBJECT
Re: Travel to the Netherlands

Hi [HT-PV],

The police just came back to us that they would like to have a demonstration in the first two weeks of july (that is when there main technician will be present). Would this be possible for you?

Once we fix a date for them, we will then organize meetings with the other relevant customers in NL.

Met vriendelijke groet,
Best regards,

[PV-PS1]
Co-Owner & COO Providence Group
http://www.providenceitf.com/

sent from my Iphone


FROM
[HT-PV]
SENT
Monday, June 8 2015 19:44
TO
[PV-PS1]
CC
[HT-GR]; [PV-MD]; [HT-AS]; [PV-ER]; [HT-MB]
SUBJECT
Re: Travel to the Netherlands

Hi [PV-PS1],

That sounds great.

On my side, the week of July 6th looks good (better if beginning of the week, such as July 6th, 7th or 8th). Let me check with [HT-AS] the availability of a Field Application Engineer that week for the demo. I confirm as soon as possible. Let us know if those days are OK for them as well.

I am attaching again the one-page description of the demo that we will perform in the Police. Do not hesitate to transfer and send them the document. Could you please make sure that they will have the cabled internet connection ?

I will also send you tomorrow the names of the 2 persons from KLPD that visited our booth in UK Security & Policy (Farnborough), so that you could check if they are in the same organization.

Let's touch base again tomorrow.

[HT-PV]

[HT_Demo_Overview.pdf]


FROM
[HT-PV]
SENT
Monday, June 9 2015 09:07
TO
[PV-PS1]
CC
[HT-GR]; [PV-MD]; [HT-AS]; [PV-ER]; [HT-MB]
SUBJECT
Re: Travel to the Netherlands

Hi [PV-PS1],

I have checked internally with [HT-AS] and confirmed that a FAE would be available for the days mentioned in the email below: 6th, 7th or 8th. If the 6th, I would suggest the afternoon, so that we have time to travel in the morning.

Best regards

[HT-PV]

--
[HT-PV]
VP Business Development

Hacking Team
Milan Singapore Washington DC
www.hackingteam.com


FROM
[PV-PS1]
SENT
Monday, June 15 2015 11:55
TO
[HT-PV]
CC
[HT-GR]; [PV-MD]; [HT-AS]; [PV-ER]; [HT-MB]
SUBJECT
Re: Travel to the Netherlands

Hi [HT-PV],

Good news, we got a confirmation from the Dutch Police.

Meeting is confirmed on the 6th (after lunchtime) for the presentation. They arranged a secure facility with the necessary requirements. We will get the details of the location later.

We will know push for meetings with the other customers on the 7th and 8th..

Cheers,
[PV-PS1]

Co-Owner and COO
Providence Group


FROM
[HT-PV]
SENT
Monday, June 15 2015 15:08
TO
[PV-PS1]
CC
[HT-GR]; [PV-MD]; [HT-AS]; [PV-ER]; [HT-MB]
SUBJECT
Re: Travel to the Netherlands

Hi [PV-PS1],

Great. We will arrange our flight to Amsterdam on the morning of the 6th. As soon as you have the location of the meeting, please tell us so that we know if we need to arrange a rent a car or if we go by train (whatever easier based on the location).

Regarding the people from the Dutch Police that visited our booth in March 2015 in Farnborough, you'll find below their details:

Let me know if you know them.

[HT-LI] will be Hacking Team's Field Application Engineer that will perform the Galileo demo. [HT-MB] and/or myself will be able to join as well.

Let us know if you need your id or passport previously to the meeting.

Thanks

--
[HT-PV]
VP Business Development

Hacking Team
Milan Singapore Washington DC
www.hackingteam.com


FROM
[PV-PS1]
SENT
Monday, June 15 2015 20:36
TO
[HT-PV]
CC
[HT-GR]; [PV-MD]; [HT-AS]; [PV-ER]; [HT-MB]
SUBJECT
Re: Travel to the Netherlands

Hi [HT-PV],

We will let you know asap where the location will be (they are a bit secretive about it).

Yes I know those Police Officers really well. Especially [DP-JO]. He is actually promoted as a chief of the National Technical Support unit.

I don't believe they will be present at this meeting as you will meet the cyber and digital forensics department (but they are from the same unit as [DP-JO] etc). They are the unit working with your kind of solutions.

Do you want me to reach out to [DP-JO]? If so, I need a bit more background info (what did he want etc). I have his contact details.

Best regards,

[PV-PS1]


FROM
[HT-PV]
SENT
Tuesday, June 16 2015 09:16
TO
[PV-PS1]
CC
[HT-GR]; [PV-MD]; [HT-AS]; [PV-ER]; [HT-MB]
SUBJECT
Re: Travel to the Netherlands

OK. Perfect.

Regarding [DP-JO], yes I think it could be a good idea for you to reach him out and let him know that we will be visiting the cyber unit. He may give you some insights.

[DP-JO] visited our booth during the Security & Policing UK conference in Farnborough. He stayed quite long with us, almost 50 minutes, during which we did a very complete demonstration of Galileo. So he was able to see different infections (PC and mobiles) and have a look at the evidence that were collected.

I remember he said he was impressed and that was indeed the type of solution that the Dutch Police should have in order to improve their investigations. So I believe he can be a supporter of the solution internally.

Thanks

--
[HT-PV]
VP Business Development

Hacking Team
Milan Singapore Washington DC
www.hackingteam.com


FROM
[PV-PS1]
SENT
Monday, June 30 2015 16:29
TO
[HT-PV]
CC
[PV-PS2]
SUBJECT
Demo on the 6th

Hi [HT-PV],

I had a meeting today with the National Police regarding the demonstration on Monday the 6th.

We are expected to turn up at 12:45 at a secret location (we get the details this Thursday) for the meeting and demonstration. They will make sure all the right setup requirements are present.

They specifically requested that a deep technical expert is present as they will have a lot of question. There words : not a salespitch but a real capability overview.

Another unit (military intelligence) requested if they could do a separate meeting/demo in our office in the Netherlands in the morning of the 6th. Will that be possible? How long is your setup time?

It will take a hour to drive from our office in Haarlem (Stolbergstraat 9 in Haarlem) to the requested location.

I will not be present as I am leaving to Asia this Sunday. But [PV-PS2] (in CC) will be at both meetings to support you.

Please let me know flight details etc, so [PV-PS2] can make arrangements to pick you up etc.

It seems the interest is real, so fingers crossed and hopefully we will move forward to a positive result.

Best regards,

[PV-PS1]

Co-Owner and COO
Providence Group

T (EU). +31 [XXXXXXXXXX]
T (UK). +44 [XXXXXXXXXX]
M. +31 [XXXXXXXXXX]
W. www.providenceitf.com


FROM
[HT-PV]
SENT
Tuesday, June 30 2015 17:23
TO
[PV-PS1]
CC
[HT-GR]; [PV-MD]; [HT-AS]; [HT-LI]; [PV-PS2]; [HT-MB]
SUBJECT
Re: Demo on the 6th

Hi [PV-PS1],

You will have a long life :-) I was just about to send you an email asking if you had the address confirmation from the Dutch Police

I'm copying to your email [HT-MB] (Head of Sales), [HT-AS] (Head of Field Application Engineers) and [HT-LI] (HT's FAE).

Both [HT-MB] and [HT-LI] will be participating to the meeting and demo. We anticipated that there will be technical questions so, yes, I can confirm that [HT-LI] has the experience to answer technical questions about our capabilities: he has already performed complete installation of our solution and also full training to end-users in different countries and cultural environments. He is by the way this week performing an installation and training this week :-).

Could you tell us how many people and technical people you anticipate in the meeting ?

Regarding the other unit meeting, if we consider the time to travel from one location to the other, the set-up time (at least 15mn if everything is ready: cables LAN, projects), and the time sufficient to do the presentation, the demo and the Q&A, I think it is too short to do the 2nd meeting on Monday morning. All the more if the meeting with the Dutch Police is at 12.45.

What we had planned to do is to remain one more day, and to do the second meeting on the 7th in the morning or afternoon. Is it possible ? Alternatively we could do the 6th, but in the late afternoon after the Dutch Police demo, so that we have no time constraint to stop and run 7th is definitely better.

Hi [PV-PS2], nice hearing from you. And thank you in advance for helping us in the logistics and pick-up arrangements. [HT-MB] will send you the flight details and be in contact with you.

I'm convinced that there is a real need in the Netherlands for such a capability and that we will impress them :-)

Enjoy Asia and see you soon.

[HT-PV]

--
[HT-PV]
VP Business Development

Hacking Team
Milan Singapore Washington DC
www.hackingteam.com

email: [XXXXX]@hackingteam.com
mobile: +39 [XXXXXXXXXX]
phone: +39 [XXXXXXXXXX]


FROM
[PV-PS2]
SENT
Wednesday, July 1 2015 08:35
TO
[HT-PV]
CC
[PV-PS1]; [HT-GR]; [PV-MD]; [HT-AS]; [HT-LI]; [PV-PS2]; [HT-MB]
SUBJECT
Re: Demo on the 6th

Hello [HT-PV]

It is also nice to meet you

Regarding the the other Unit (militairy intel)we are looking at one guy, also needs a compact straight forward capabillity brief he can be at the office in Haarlem at 09.00 if we end at 11.00 we have plenty of time to drive to the other location.

bare in mind that I have a threeseat car and we all sit in the front

I will make sure you will be picked up at schiphol

Kind regards / Vriendelijke groet,

[PV-PS2]

Sales & Training Representative

Providence BNLX BV
Postbus 3277
2001DG Haarlem
The Netherlands

T. +31 [XXXXXXXXXX]
M. +31 [XXXXXXXXXX]
W. www.providenceitf.com