
Massive data leak reveals shady dealings of South Korean spy agency with Hacking Team

Screen shot of WikiLeaks Hacking Team op
Written by Jon Dunbar

What do the governments of South Korea, Egypt, Ethiopia, Bahrain, Sudan, Nigeria, Saudi Arabia, Kazakhstan, and Uzbekistan have in common? They’re all customers of Hacking Team, a cyber-surveillance company that sells tools allowing governments to spy on their citizens.

It appears that South Korea’s National Intelligence Service (NIS) was secretly purchasing Hacking Team software, and had requested additional software tools that would allow them to hack Kakao Talk conversations and spy on us.

We know this now because Hacking Team were hacked. Unknown hackers got their hands on 400GB of internal documents from Hacking Team, which were made available online via torrent and later posted on WikiLeaks. The client list includes a heaping handful of “repressive regimes,” and Korea finds itself among interesting company.

Hacking Team is a controversial company based in Italy, labelled a “Corporate Enemy of the Internet” by Journalists Without Borders (RSF) for selling products that are liable to be used by governments to violate human rights and freedom of information.

“Their products have been or are being used to commit violations of human rights and freedom of information,” says a statement in RSF’s Enemies of the Internet 2013 Report. “If these companies decided to sell to authoritarian regimes, they must have known that their products could be used to spy on journalists, dissidents and netizens. If their digital surveillance products were sold to an authoritarian regime by an intermediary without their knowledge, their failure to keep track of the exports of their own software means they did not care if their technology was misused and did not care about the vulnerability of those who defend human rights.”

But Hacking Team remains adamant that they did nothing wrong, even as the 400GB of leaked data continues to spill deeper and dirtier secrets.

“Our technology has always been sold lawfully, and, when circumstances have changed, we have ended relationships with clients such as Sudan, Ethiopia and Russia,” said Hacking Team CEO David Vincenzetti in a statement.

And in an interview with Vice Magazine’s tech magazine Motherboard, Hacking Team spokesperson Eric Rabe claimed “We don’t do business with North Korea.” In that same interview, he also refused to confirm that Uzbekistan is a client — they are.

It’s unforgivable that Hacking Team would do business with such a repressive regime. But at the same time, should those of us in first-world countries be any happier that they are enabling our governments and police agencies to covertly spy on us? Other, seemingly more above-board clients of Hacking Team include Switzerland, Hungary, Luxembourg, and the United States, where Hacking Team products are used by the FBI, the Department of the Army, and the Drug Enforcement Agency (DEA). All are supposedly free, democratic countries like South Korea.

In total, 2410 letters mentioning “Korea” were shared on WikiLeaks, though some of these may refer to North Korea or be news articles shared between employees.

In letters dated to 2011 and 2012, Hacking Team corresponded with a South Korean man named Huh Son-koo claiming to represent the 5163 Army Division. The mailing address for Unit 5163 was a PO box in Seocho-gu. Correspondence intensified in December 2011, during which month 37 of the 109 e-mails sent from Huh’s Paran.com e-mail address arrived.

The Korean client was interested in purchasing Hacking Team’s Remote Control System (RCS) tool, which would allow them to bypass security systems and monitor people.

“In modern digital communications, encryption is widely employed to protect users from eavesdropping. Unfortunately, encryption also prevents law enforcement and intelligence agencies from being able to monitor and prevent crimes and threats to the country security,” Hacking Team says on their website. “Remote Control System (RCS) is a solution designed to evade encryption by means of an agent directly installed on the device to monitor. Evidence collection on monitored devices is stealth and transmission of collected data from the device to the RCS server is encrypted and untraceable.”

On December 11, the same day that the Democratic United Party accused the NIS of manipulating public opinion online, Huh thanked Hacking Team key account manager Massimiliano Lupi and wrote, “Yes, the total price is 260,000 euros plus our commissions. I hope that you use 10,000 euros for the customer support when we cannot join that training. … I thank, may be, you have to come for next projects in Korea so that you explain your solution of PC basis.”

On December 19, the day of the election, Huh sent Hacking Team four e-mails.

Just two weeks ago, on July 1 and 2, internal correspondence between VP Business Development Philippe Vinci and staffer Cristian Vardo, identified as in charge of “exploit requests,” confirmed that Hacking Team was still doing business with what they thought was the Korean army.

“Is ska [South Korea Army] Korea?” asked Vinci.

“yes, Ska is a korean client,” replied Vardo.

Just three days after that e-mail, Hacking Team was compromised and all their correspondence was leaked. At first it was reported that Korea’s army was using RCS, which led to speculation it would be used in cyberwarfare against North Korea. But the ROK Army has no 5163 Army Division, and unidentified sources reportedly claimed that the mysterious unit is highly likely to be the NIS.

On March 27, 2014, two Hacking Team employees identified as Serge and Daniel reported on a trip to East Asia to meet with their clients in Korea and Mongolia.

“They also asked about the progress of Kakao Talk which they mentioned is very commonly used in their country,” reported Serge.

“I’ve already informed our R&D team of KakaoTalk,” replied Operations Manager Daniele Milan. “It is being pushed up in the roadmap, although with less priority than other applications. In general, we are getting solid results from exploit developers, hopefully we will be able to provide some remote exploits for Android and other platforms in the near future.”

Following the massive data leak, Hacking Team has advised clients to stop using their tools, as the details of their capabilities and users are now entirely public.

Despite the devastating information leak, Hacking Team intends to build patches for revealed weaknesses and continue doing business with government agencies.

“We at Hacking Team are now dedicated to restoring the ability of law enforcement to fight crime hidden in the new encrypted digital world,” said CEO Vincenzetti on the Hacking Team website.

About the author

Jon Dunbar


Jon Dunbar is a contributing reporter for the Korea Observer working for the Korean office of Cloudbric, an SaaS cybersecurity company. He is the editor of Broke in Korea, the longest-running English-language zine dedicated to the local punk scene. He runs Daehanmindecline.com, a weblog dedicated to the Korean music scene, urban exploration in Korea, cats, and miscellaneous other things.
