Leaks reveal Azerbaijan spent $384,000 on spyware but lacked tech skills to use it

An examination of Hacking Team emails has revealed its Azerbaijani client, the Ministry of National Security, struggled both to understand the spyware it purchased or to use it effectively. Hacking Team regularly expressed frustration at the Azerbaijanis' intransigence and occasionally circulated contentious email exchanges for amusement.

As reported yesterday by Meydan TV, Hacking Team is an Italian cyber-surveillance firm that covertly supplied Azerbaijan's Ministry of National Security with sophisticated malware called Remote Control System. The ministry has denied working with Hacking Team, but has not specifically addressed any of the leaked documents.

Once a device is infected with Remote Control System, the attacker can access all the device's files and use its camera and microphone to spy on the user. Over three years, the Ministry of National Security spent €349,000 ($384,000) on Hacking Team products and licenses.

The Ministry of National Security's contract with Hacking Team began in the summer of 2013. The government's point of contact was a man named Riad, who communicated with Hacking Team using the alias TestWizard. From the tone of the emails, Riad appears to be one person representing a team of Azerbaijani hackers. He does not appear to be technologically sophisticated, and writes in clear, if ungrammatical English.

The initial contract was for ten exploits, or files containing Remote Control System malware. Hacking Team prepared each file, which can be a link to an infected webpage, a word document, or any other file an unsuspecting target is likely to open, and sent them to Riad to pass on to the ministry's targets.

Hacking Team began delivery in May 2013, and Riad and his team distributed the infected links to their targets. There was only one problem: the links were designed only for Google Chrome, a web browser none of the targets used. Riad complained to Hacking Team and received the following response:

 

In other words, the failure was the Ministry of National Security's, not Hacking Team's. Not only did the ministry fail to convince its targets to open the infected links, they also did not bother to research which operating systems and web browsers their targets were using. As infecting a specific computer system without alerting anti-virus software is a complex task, each infected file or link must be tailored specifically to an individual browser or device in order to work properly. As the information Riad provided Hacking Team was either incorrect or incomplete, the “exploits” were functionally useless.

At no point in nearly two years of correspondence does Riad agree to discuss the ministry's strategy for convincing its targets to open Hacking Team's infected links.  The above response was forwarded to at least two Hacking Team employees:

Infected files proved equally difficult for the Ministry of National Security to manage. In order for a Microsoft Office file to act as an effective vehicle for Remote Control System, the target would need to voluntarily override Windows' default setting of opening all files downloaded from the internet in “protected mode”.

In emails, Hacking Team recommends that its clients overcome this obstacle by sending infected files in a compressed .zip or .rar format. Windows will recognize the compressed file as originating online, but not the document contained inside. If the hacker can convince the target to download the compressed file and open the file inside, then the malware should install itself correctly.

As there are very few savvy web users who will decompress and open a file sent by a stranger online, successful hackers need to engage in social engineering - the process of earning the target's trust to the degree they forgo normal security procedures. Common tactics involve pretending to be a friend or acquaintance of the target, sending an “answer” to a question the target never asked, or even developing long-term relationships through social media.

Hacking Team offered to advise their client on social engineering, but Riad never acknowledged their offers. Nevertheless, the responsibility to properly social engineer the targets was the Ministry of National Security's – something it appears to have lacked either the will or the ability to do.

In an email exchange from June 2013, it took several Hacking Team employees a week to convince Riad that spamming targets with large numbers of infected files from unknown email accounts was unlikely to produce results. Riad dismissed Hacking Team's entreaties to develop a social engineering strategy. Instead, he advocated a highly unorthodox, brute force approach where Hacking Team would produce dozens and dozens of infected links and files to bombard targets until they opened one on accident.

Hacking Team refused to comply:

Later in the email exchange, Riad responded:

Hi, Even a good strategy will not help you, if user will see "harmful content" warning trying open the Word file. You should understand that our clients is not a ordinary Internet surfers. They are suspicious and distrustful people. That is why any kind of warning might cancel any prepared strategy. Our management sign the DAP document with the condition that 0-day exploits (without warnings, restrictions, exceptions) will be available for us at any time. We need 0-day exploit available to run on standart common used software without any warnings and hope on your cooperation.

The pattern continued for months. Hacking Team produced exploits for various platforms at Riad's request: Microsoft Office, Android phones, Symbian phones, Blackberries, web browsers, and others. He almost always failed to infect his target's devices, and Hacking Team staff regularly expressed exasperation at his constant complaints. A sample reaction to a typical complaint:

By November 2013, requests for new exploits had stopped, but Riad's technical support emails continued. A 2014 Citizen Lab report on covert surveillance noted that the Azerbaijani Remote Control System user it had discovered and tracked ceased activity around that time. If the Ministry of National Security had successfully infected any computers or phones with Remote Control System, it had stopped  listening.

Riad's complaints to customer service reveal that he lacked even basic technical knowledge. In one instance, after Hacking Team repeated the need for Riad to hide the nature of infected Microsoft Office files by compressing them into .zip files, he manually changed the file's extension from .exe to .zip, rendering it useless:

After November, there is a lull of activity until April 2014, when requests for infected links and Microsoft Word documents pick up again. There are signs that Riad might have been replaced, such as an email from April 9, 2014, where a Hacking Team employee explains to TestWizard (Riad's alias) how infected links work in a level of detail that Riad, who sent more than twenty in the previous year, would not need:

However, TestWizard 2014 continued to make many of the same mistakes of TestWizard 2013. He repeatedly reported technical problems that Hacking Team was unable to replicate, and regularly blamed Hacking Team when targets failed to open files or links. Several dozen files and links were sent out in April, May, and June. It is unclear how many were successful, although a continued stream of technical support questions on surveillance issues indicate that at least a few were.

Despite the relative improvement, an email exchange between Hacking Team and their Israeli-based partners Nice in late 2014 shows the Ministry of National Security was still less than happy with the program, and insisted on “a list of supported exploits and reassurance it will work” before extending the contract. After twenty months, Azerbaijan still believed their lack of success was because of poorly designed Hacking Team products, not their own inability or unwillingness to social engineer their targets. Hacking Team executive Massimiliano Luppi responded with exasperation:

The program continued into 2015, but no attempts were made to expand the scope of its activities and no new files or links were requested. On July 7, Hacking Team advised its customers to stop using its products while it assessed the fallout of the leak.

The Ministry of National Security was Hacking Team's sole client in Azerbaijan, although if not for a few scheduling missteps, the Anti-Corruption Department under the General Prosecutor's office might have purchased Remote Control System as well. A product demonstration planned for Baku in September 2014 was moved to Israel after Hacking Team employees learned Azerbaijan's wait time for visas was longer than expected.

The Anti-Corruption Department canceled the meeting two weeks before it was to take place. Hacking Team's Israeli partner, NICE, explained why:

The “unstable period” Elazar referred to was Operation Protective Edge, the seven-week Gaza-Israel war that killed over 2,100 people. The meeting was never rescheduled.

CORRECTION: Due to inconsistencies in Hacking Team's internal documents, this article originally identified the Azerbaijani client as the Ministry of Defense. The actual client was the Ministry of National Security.