By Andree Toonk and Dhia Mahjoub
As part of the Hacking Team fall out and all the details published on Wikileaks, it became public knowledge that Hacking Team helped one of their customers Special Operations Group (ROS), regain access to Remote Access Tool (RAT) clients. As first reported here: http://blog.bofh.it/id_456 ROS recommended using BGP hijacking and Hacking Team helped with the setup of new RAT CnC servers.
In this post we’ll take a closer look at the exact details of this incident and support the Wikileaks findings with BGP data.
Raggruppamento Operativo Speciale and Hacking Team
The Raggruppamento Operativo Speciale or ROS is the Special Operations Group of the Italian National Military police. The group focuses on investigating organized crime and terrorism. Hacking Team sells its RAT software known as Remote Control System (RCS) to law enforcement and intelligence agencies, ROS included.
ROS infected and installed the RCS client on the machines of persons of interest (referred to in the emails as targets). These Remote Access Tools can provide ROS with all kinds of information and typically provide the tool’s operator with full access over a victim’s machine. The RCS clients normally need to check in with a server, which is a machine the clients can get their commands (orders) from and then upload stored data, recorded communications, logged keystrokes, etc., to. The Wikileaks emails uncovered how after ROS abruptly lost access to one of its RCS servers and worked together with Hacking Team to recover the loss.
Initially, ROS used machines from a provider called Santrex, a well known bulletproof hoster. Brian Krebs dedicated an article about them in Oct 2013.
Obviously the RCS clients (also referred to as agents in the Wikileaks emails) only work well if they can communicate with the server. If the server becomes unreachable the client essentially becomes an orphan and loses most of its value. This is exactly what happened on July 3rd, 2013 when after nine earlier outages that year, the Santrex IPv4 prefix 46.166.163.0/24 became permanently unreachable. The Wikileaks document described how the Italian ROS reached out to Hacking Team to work together on recovering the VPS server that ran on 46.166.163.175. In ROS terminology, the server was called “Anonymizer”. The emails also revealed that this server relays updates to another back end server called “Collector” from which ROS presumably recovers the targets’ data.
Hacking Team first proposed that ROS work with Santrex in order to bring the VPS back online, so they could subsequently help reconfigure the RCS server to receive updates from the RCS clients (installed on targets’ devices) but that plan did not materialize.
A plan then was devised to make the prefix 46.166.163.0/24 reachable again by announcing it in BGP. Since the prefix wasn’t announced by Santrex (AS57668) anymore, originating it from a different AS should make the network reachable again. The Wikileaks documents show how ROS worked with the Italian network operator AS31034 (aka Aruba S.p.A) to get the prefix announced in BGP and bring up a new “Anonymizer” server with the IP address 46.166.163.175. ROS also was hoping that other Italian ISPs wouldn’t filter that hijacked announcement.
When we look at historical BGP data we can confirm that AS31034 (Aruba S.p.A) indeed started to announce the prefix 46.166.163.0/24 starting on Friday, 16 Aug at 2013 07:32 UTC. The Wikileaks emails outline how ROS complained to Hacking Team that the IP was reachable only via Fastweb but not yet through Telecom Italia, concluding not all RCS clients were able to connect back to the server immediately, since the prefix was not seen globally. BGP data further confirms this per the visualization below.
Historical BGP data shows how AS31034 (Aruba S.p.A) started to announce the prefix to its peers via the Milan Internet Exchange and how it became reachable via the peers that then accepted this BGP announcement. The peers below were some of the networks that accepted the announcement and would have had a path to the new ‘fake’ RCS server.
AS12874 Fastweb
AS6939 Hurricane Electric, Inc.
AS49605 Reteivo.IT
AS4589 Easynet
AS5396 MC-link Spa
After some frustration on ROS’s part due to summer vacation delays, eventually the IP address of the server became reachable again, at least for many Italian networks and the new server was up and running with the same IP address. Hacking Team then stepped in to reinstall and setup a new RCS server on that IP.
Consequently, the RCS clients were able to “sync” back in with the server. On Aug 20th the Raggruppamento Operativo Speciale confirms with Hacking Team that it had indeed recovered contact with 3 of the 4 RAT clients.
Finally on August 22 at 13:35 UTC the prefix is withdrawn again, which would indicate that the operation was successful and the RAT clients were likely configured to use a different server IP.
Conclusion
As the supporting evidence from historical BGP data concludes, the information revealed in the Wikileaks documents is factual and the Italian ROS and Hacking Team did work with the Italian network AS31034 (Aruba S.p.A), to announce 46.166.163.0/24 between Aug 16 and Aug 22. in order to regain access to their RAT clients.
This finding further confirms the use of BGP for nefarious purposes similar to the one listed in our blog post earlier this year. BGP hijacks can do serious harm and rapid notification of such an event is essential. BGPmon provides free and premium monitoring services that will inform users in near-real time for events like this.