Someone Just Leaked The Price List for Cyberwar

A California National Guard soldier assists another analyst during a simulated virus attack at 2014 Cyber Shield exercise.

National Guard Professional Education Center

AA Font size + Print

A California National Guard soldier assists another analyst during a simulated virus attack at 2014 Cyber Shield exercise.

A controversial cyber arms dealer gets hacked, revealing sales to the US military and less savory customers around the world.

On Monday, the Italian company Hacking Team, which produces secret cyber weapons for law-enforcement and government clients around the world, became the victim of an embarrassing public disclosure: more than 400 gigabytes of internal data made its way online in a widely shared torrent file. The group Reporters Without Borders has labeled Hacking Team “an enemy of the Internet,” for the surveillance tools and malware products it provides, with little transparency or accountability, to governments. News of the disclosure brought forth the sounds of schadenfreude from the privacy and tech communities.

So far, the exposed documents have already revealed a few key things about the group, its clients, and the business of cyberwar for hire.

The FBI has spent about $775,000 on the company’s Remote Control Service, or RCS, an eavesdropping system that pulls data from a target computer before it’s encrypted.

Hacking Team purports to sell its services to “law enforcement” but invoices reveal a wide assortment of unsavory clients, including the governments of Russia and Sudan, despite a UN arms embargo against the latter and contrary to previous assertions from company’s president, Christian Pozzi. It’s not clear that the company broke any laws with sales to Sudan, since surveillance software isn’t typically classified as a weapon.

The company had an “action plan” for further expansion into the United States market and listed a Naval Criminal Investigative Service representative as a potential sales target.

A previous disclosure from April showed that the United States Army bought an RCS system for $350,000. The most recent breach adds details: the system went to Fort Meade, but was never used, according to a (typo-ridden) email from Alex Velasco, the third-party contractor who closed the deal on behalf of Hacking Team. “They were never given permission to pull an internet line to their of?ce [sic] to install the system. (ridiculous but true!),” Velasco writes. “They also are interested in the new options that we have developed and want prices. They are not sure when we will be able to install but they believe that it could be in the next few months.”

Most incredibly, the hack brought to light the company’s price list, a blue book for surveillance and malware products. It’s a first-of-its-kind window into the going rate of cyberwar and espionage capabilities. Of the many offenses the company seems to have committed, price gouging seems to be one.

Want to hack into someone’s Windows device to steal Gmail data, turn on the microphone, and take snapshots with the camera? That’s an upfront license fee of €40,000 euros (about $44,200). Microphone recording and keystroke logging on in Mac OS will run you the same amount.

The company also sells what it calls “infection vectors,” or malware, including one product that “allows you to remotely infect Android and BlackBerry smartphones by sending specially crafted messages.” The price for that is €30,000.

Perhaps the strangest product on offer is a software-based AI agent, or “intelligence module,” that does some of the work of a real spy. The module “automatically processes all the evidence to extract and correlate the relevant bits of information, presenting you the overall picture of your investigations as it progress [sic] in time,” all for a price of €220,000.

There are a number of lessons to be learned from the breach.

“The Hacking Team case shows that international rules and controls should be applied more efficiently to private companies which are producing shady cybercapabilities and related technologies, as they are for conventional weapons,” Jarno Limnéll, a professor of cybersecurity at Aalto University in Finland, wrote in the International Business Times.

It also shows that the cyberweapons you build, or buy, can come back to haunt you.

Close [ x ] More from DefenseOne

Thank you for subscribing to newsletters from
We think these reports might interest you:

  • Ongoing Efforts in Veterans Health Care Modernization

    This report discusses the current state of veterans health care

  • Modernizing IT for Mission Success

    Surveying Federal and Defense Leaders on Priorities and Challenges at the Tactical Edge

  • Top 5 Findings: Security of Internet of Things To Be Mission-Critical

    As federal agencies increasingly leverage these capabilities, government security stakeholders now must manage and secure a growing number of devices, including those being used remotely at the “edge” of networks in a variety of locations. With such security concerns in mind, Government Business Council undertook an indepth research study of federal government leaders in January 2017. Here are five of the key takeaways below which, taken together, paint a portrait of a government that is increasingly cognizant and concerned for the future security of IoT.

  • Coordinating Incident Response on Posts, Camps and Stations

    Effective incident response on posts, camps, and stations is an increasingly complex challenge. An effective response calls for seamless conversations between multiple stakeholders on the base and beyond its borders with civilian law enforcement and emergency services personnel. This whitepaper discusses what a modern dispatch solution looks like -- one that brings together diverse channels and media, simplifies the dispatch environment and addresses technical integration challenges to ensure next generation safety and response on Department of Defense posts, camps and stations.

  • Forecasting Cloud's Future

    Conversations with Federal, State, and Local Technology Leaders on Cloud-Driven Digital Transformation


When you download a report, your information may be shared with the underwriters of that document.