Wednesday 3 October 11:30 - 12:00, Green room
Filip Kafka (ESET)
Hacking Team first came under the spotlight of the security industry following its damaging data breach in July 2015. The leaked data revealed several 0-day exploits being used and sold to governments, and confirmed suspicions that Hacking Team had been doing business with oppressive regimes. But what happened to Hacking Team after one of the most famous hacks of recent years?
Hacking Team’s flagship product, the Remote Control System (RCS), was detected in the wild at the beginning of 2018 in 14 different countries, including some of those that had contributed to previous criticism of the company’s practices. We will present the evidence that convinced us that the new, post-hack Hacking Team samples can be traced back to a single group – not just any group, but Hacking Team’s developers themselves.
Furthermore, we intend to share previously undisclosed insights into Hacking Team’s post-leak operations, including the targeting of diplomats in Africa, to uncover the digital certificates used to sign the malware, and to share details of the distribution vectors used to target the victims. We will compare the functionality of the post-leak samples with that in the leaked source code. To help other security researchers, we’ll provide tips on how to efficiently extract details from these newer VMProtect-packed RCS samples. Finally, we will show how Hacking Team sets up companies and purchases certificates for them.
Joe Slowik (Dragos)
Martijn Grooten (Virus Bulletin)