Clues to Malaysia’s electronic surveillance from hacked commercial spyware provider

This post was originally posted on Medium here.

Leaked documents from Milan-based blackhat hacking company Hacking Team confirmed that the Malaysian government has been purchasing services from them. It also revealed that Hacking Team has been working with states like Sudan and Bahrain, among other countries that are known to target domestic political activists.

The Hacking Team write spyware and surveillance technology for governments, intelligence agencies and private corporations. Selling themselves as “[providing] effective, easy-to-use offensive technology to the worldwide law enforcement and intelligence communities”, Hacking Team provides software solutions for governments to spy on electronic devices and their users.

The Citizen Lab, a Canadian research institute concerned with electronic surveillance, documented how spyware from the Hacking Team assisted Ethiopia’s intelligence body target journalists based outside the country. As Human Rights Watch noted, there are definitely human rights concerns for activists in other countries that purchased contracts for Hacking Team’s software.

However, from Hacking Team’s own customer policy page, they disavow that human rights issues stemming from their software is a concern.

“We review potential customers before a sale to determine whether or not there is objective evidence or credible concerns that Hacking Team technology provided to the customer will be used to facilitate human rights violations.”

One does wonder what their review of the customers in the Malaysian government looked like.

This is Hacking Team’s promotional material for Da Vinci, their flagship remote control system, marketed at interested governments. Stripped of its techno-jargon, it is basically a trojan horse which tricks the victim into opening it. After which, the software is able to track, eavesdrop, and download information from the victim’s infected device.

According to the Citizen Lab, information that it can gather once it is embedded in a device such as a phone or a laptop is extraordinarily intrusive. Installing it, outside of having the physical device, requires social engineering to trick the victim into opening an infected file. Infection may also be through an exploited website or network. The Intercept uploaded a full copy of the software manual and also described other ways that Remote Control Systems from Hacking Team can be installed unobtrusively.

How intrusive are these Remote Control Systems (RCS)? According to theanalytic work done by the Citizen Lab,

RCS also enables government surveillance of a target’s encrypted internet communications, even when the target is connected to a network that the government cannot wiretap. RCS’s capabilities include the ability to copy files from a computer’s hard disk, record skype calls, e-mails, instant messages, and passwords typed into a web browser. Furthermore, RCS can turn on a device’s webcam and microphone to spy on the target.

From leaked documents uploaded onto the internet by the hackers, it seems like 3 Malaysian government agencies had once or were still employing Hacking Team’s spyware. According to the Client Renewal Document, the Malaysian Anti-Corruption Commission, Malaysian Intelligence and the Prime Minister’s Office has contracts with the Hacking Team (MACC had allowed their contract to laspe for reasons unknown).

The purchase orders and invoices came from Twitter user @SynAckPwn, the source of the Hacking Team document trove. It shows that Malaysian government purchases from Hacking Team were routed through a Malaysian surveillance tech reseller in Shah Alam, Miliserv Technologies. In particular, the invoice mentions Remote Control System licences for MACC in 2011 billed to the same private company.

Purchase order priced at 100 thousand Euros in 2011 on behalf of MACC

Another invoice for 38 thousand Euros for renewing the Da Vinci system in 2013

It is definitely puzzlingly that the Malaysian Prime Minister’s Office (PMO) would be a customer of blackhat software.

Wikileaks may have provided the answer to this puzzle by revealing the existence of a foreign intelligence unit in the PMO. Publicly referred to as the Research Division, which sits under the PMO, is the likely end-user of such software.

Even so, the dates on the invoices may present a problem for the government. In a Bloomberg report from August 2013, the Malaysian government was looking into expanding domestic electronic surveillance to fight graft and was in early-stage talks. According to the report,

Paul Low, the minister in the Prime Minister’s Department of fighting graft, says the government is in early-stage talks and declined to provide specifics about how sweeping any new powers might be or how they’d be used. And it’s unclear to what degree the government is already snooping on its citizens.

However, the invoice issued by Hacking Team to Miliserv Tech for a purchasing a license upgrade for MACC (likely the Malaysian anticorruption body) was dated 30 December 2011. In fact, both invoices found in the document trove were dated before the Bloomberg story. Meaning that even before the Bloomberg story, the Malaysian authorities already had access to sophisticated electronic surveillance systems.

While Malaysians debated the aftermath of the Snowden scandal in 2013 and its repercussions for Malaysia, agencies in the Prime Minister’s Office had already established contracts to add intrusive spyware into its electronic arsenal. Deep electronic government domestic surveillance in Malaysia was likely already a fait accompli by the time the global debate on electronic surveillance raged in 2013.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s