Detekt scans your Windows computer for traces of FinFisher and Hacking Team RCS, commercial surveillance spyware.
In spite of these indications to Hacking Team that RCS was deployed against ESAT journalists in December 2013, our current research suggests that Hacking Team RCS software utilized by the attacker remained in operation and received support — at a minimum, in the form of software updates — through November 2014.
In summary, the entity that attacked ESAT on December 19, 2014, appears to be a government, since they apparently employed Hacking Team RCS, and Hacking Team states that it provides its "software only to governments or government agencies."
According to leaked Hacking Team RCS documentation, installation of RCS updates requires a user license file from the company.54 Moreover, Hacking Team states that without its continued support to a client, its product "soon becomes useless."
The infection appeared to be Hacking Team RCS.
These same servers earlier returned39 a different SSL certificate, a7c0eacd845a7a433eca76f7d42fc3fedf1bde3c, that matched our fingerprint for Hacking Team RCS certificates.
xxx / 3135 returned an SSL certificate, 8bc376be903e5b6d2cb68f2432ed93200bffd428,36 matching our fingerprint for Hacking Team RCS certificates.37
In our previous work,27 we showed that Hacking Team's clients — which, according to HT, are governments or government agencies28 — appear to use one or more fixed circuits of "proxy servers" to exfiltrate data from computers infected with RCS, through third countries, before reaching an "endpoint."
In November and December 2014, several Washington DC-based journalists with the Ethiopian Satellite Television Service (ESAT) were targeted, unsuccessfully, with what appear to be two new versions of Hacking Team's RCS spyware.5 This report details these attempts to infect the journalists' computers with RCS and monitor their activity.
30 "Collector" is defined on page xi of the Hacking Team manual RCS 9: System Administrator's Guide as "Receives data sent by agents directly or through the Anonymizer chain."
Our 2014 report documenting the abusive use of RCS against journalists received widespread media coverage, and both the Washington Post60 and Human Rights Watch61 corresponded with Hacking Team about our findings, and received specific responses.
xxx as an RCS server, as it matched one of our server fingerprints (gleaned from servers registered to Hacking Team)33 as recently as April 7, 2014, according to Shodan.34
29 "Anonymizer" is defined on page x of the Hacking Team manual RCS 9: System Administrator's Guide as "Protects the server against external attacks and permits anonymity during investigations."
54 Page 13 of the Hacking Team manual RCS 9: System Administrator's Guide, https://s3.amazonaws.com/s3.documentcloud.org/documents/1348001/rcs-9-sysadmin-final.pdf.
Despite the aforementioned public reports and correspondence, this report shows that the same attacker appeared to be receiving updated versions of the RCS spyware from Hacking Team as recently as November 2014.
31 Hacking Team, "RCS 9: System Administrator's Guide," https://s3.amazonaws.com/s3.documentcloud.org/documents/1348001/rcs-9-sysadmin-final.pdf.
Hacking Team was forced to ask its customers to suspend the use of RCS after about 400 GB of its data was leaked.
A so-called legitimate app called Remote Control System (RCS) developed by Italian company "Hacking Team" appears to be spyware that can infect Android, iOS, BlackBerry, Windows Phone, Windows and Mac OS.
Previously unreported samples of Hacking Team's infamous surveillance tool — the Remote Control System (RCS) — are in the wild, and have been detected by ESET systems in fourteen countries.