A firm that sells hacking tools to governments just got royally hacked

On Sunday night, an Italian firm that specializes in hacking people got a taste of its own medicine. Financial documents, emails, and other business files belonging to Milan-based Hacking Team were published online, by, according to Motherboard, the same vigilante hacker who previously compromised FinFisher, another Europe-based firm that sells hacking exploits to governments.

Hacking Team does both “defensive” and “offensive” cyber work for a long list of clients that includes governments, police forces and intelligence agencies, to whom it sells hacking exploits and “remote control systems” designed to help those agencies collect data from citizens. Hacking Team has been accused for years of working with repressive regimes, frequently appearing in reports from Citizen Lab, which tracks “unethical” spyware deployment used to target the computers and smartphones of journalists and human rights activists.

A customer list included in the leak reveals that Hacking Team is working with many state agencies. A document from this year lists active contracts with police forces and intelligence agencies in Azerbaijan, Chile, Colombia, Ecuador, Egypt, Ethiopia, Kazakstan, Mexico, Panama, Saudi Arabia, and even the U.S. (with the FBI and the Drug Enforcement Agency; a contract with the DoD is listed as “inactive”). The most controversial customer on the list is Sudan’s National Intelligence Security Service. The contract which started in 2013, is listed as active but “not officially supported.” The last maintenance date for the Sudanese intelligence agency is December 2014.

As the International Business Times notes, “A UN arms embargo on Sudan, which is incorporated into EU and UK law, bans the export of ‘arms and related material’ to the country. The Sudan embargo also prohibits technical assistance, brokering services and other military-related services.”

Also included in the breach is a letter that Hacking Team CEO David Vincenzetti wrote to the United Nations this year saying it “does not have business relations” with Sudan. In the letter, Vincenzetti also notes that he does not consider the technology that Hacking Team sells to be “a weapon.”

Hacking Team hasn’t responded to Fusion’s request for comment about the breach.

One of the more personally embarrassing appearances in the hack was a list of the password credentials of a Hacking Team employee, including passwords for various sites (such as LinkedIn, Twitter, and Facebook) and server credentials. That employee’s Twitter account was hacked before being deleted. The employee, who is listed on LinkedIn as Hacking Team’s senior system and security engineer reused passwords frequently across sites, most commonly using a variation of the word “password” — which, for a supposed hacking expert, is a pretty bad rookie mistake.