6 Ex-Employees Questioned About Hacking Team Breach, Prior Leak

Turns out that in May, David Vincenzetti, CEO of Italian surveillance company Hacking Team, filed complaints against six former employees accusing them of revealing proprietary source code. Now, Milan police are investigating those same individuals for the breach and doxing attack against Hacking Team this month, and have combined the two investigations.

Security researchers have described the company's flagship software, Remote Control System (RCS), the latest version of which is called Galileo, as simply legal spyware. Researchers at Malwarebytes last week called it "basically nothing more than a Remote Access Trojan" -- and quite a sophisticated one, with rich features and a BIOS rootkit.

Although Vincenzetti assured reporters last week that only part of the RCS code had been revealed in the attack, researchers at SensePost reported Thursday that they got RCS up and running.

Leaked emails also revealed that Hacking Team created a "tactical network injector (TNI)," which is a  "piece of hardware ... designed to insert malicious code into Wi-Fi network communications, potentially acting as a malicious access point to launch exploits or man-in-the-middle attacks" that was ruggedized and transportable by drones, according to a report in Ars Technica.

The emails included discussions between employees at Hacking Team and those at Insitu, a subsidiary of Boeing that manufacturers unmanned aircraft about a potentially "integrating [a] WiFi hacking capability into an airborne system."

In addition to the RCS source code, a pile of critical vulnerabilities -- with detailed how-to documents to help Hacking Team customers exploit them -- were exposed in the breach, including several zero-days in Adobe Flash which were then wrapped into exploit kits. 

FireEye has discovered that one of the Flash vulnerabilities, CVE-2015-5122, was used to compromise two Japanese websites then launch further attacks against other Japanese targets, the company disclosed Sunday. Visitors to the compromised International Hospitality and Conference Service Association site were redirected to the compromised Cosmetech, Inc. site, where they were hit with a malicious .SWF file, which would in turn drop the SOGU (a.k.a. Kaba) malware, a backdoor commonly used by Chinese threat actors.

Researchers believe this may be a new SOGU variant -- it was using a previously unknown command-and-control server and a "modified DNS TXT record beaconing with an encoding we have not previously observed with SOGU malware, along with a non-standard header."