Hacking the hackers:

Revealing surveillance in Sri Lanka

It was sometime in April 2013, that I wrote my last blog post. Titled 'And Then They Came For Us', or something along those morbid lines, the piece was a commentary of sorts based on tweets, photographs and Facebook updates sent out by friends attending a peaceful vigil at the center of Colombo, when marauding monks disrupted their activity.

In the aftermath, as a mini-war broke out online with images of participants shared at a furious rate by the disruptors, accompanied with vicious, inflammatory and inciteful comments, I began the quiet job of dismantling my blog and cleaning out my 'online footprint'. It was not just that I was disturbed at the way hate spewed forth online; the Government' s increasing interest in the world of the wide web had me convinced it was a matter of time before public example would be made of online activists.

Former Fisheries Minister Rajitha Senaratne, a friend of the Rajapaksa family for more than 40 years, said a core group of party leaders had planned to defect in secret - swapping their telephones for ones they trusted not to be tapped, speaking in code and via group chats on Viber, a mobile app. As noted on the Wikipedia entry on The Hacking Team, the company is a Milan-based information technology company that sells offensive intrusion and surveillance capabilities to governments and law enforcement agencies.

Its remote control systems enable governments to monitor the communications of internet users, decipher their encrypted files and emails, record Skype and other Voice over IP communications, and remotely activate microphones and camera on target computers.

The company has been criticized for providing these capabilities to governments with poor human rights records."

Capacity to intrude

In 2013, Reporters Without Borders warned that The Hacking Team, amongst other similar companies called 'digital mercenaries', all sold products used to commit violations of human rights and freedom of information. "If these companies decided to sell to authoritarian regimes, they must have known that their products could be used to spy on journalists, dissidents and netizens."

In early July, The Hacking Team itself got hacked, and around 400 GB of internal emails were dumped online. This was far too much data to download and sift through especially from Sri Lanka. On July 8, Wikileaks released more than one million emails from this trove through a web- based, searchable portal. This article is based on the email accessed through the Wiki leaks portal.

Unsurprisingly, The Hacking Team was repeatedly approached by Sri Lanka' s intelligence services for its products and services. On July 29, 2013, a representative of a company called S.W. International wrote to The Hacking Team, requesting a description of their system in order to present it to 'Director of the Intelligence Bureau at a personal level'.

After being provided the information, on 14 August 2013, it is noted that the meeting with the Director of the Intelligence Bureau was 'positive', but that in 2013, the allocated budget of capital expenditure for the unit was already utilized.

The conversation is around The Hacking Team' s Remote Control System (RCS) product, described in the product brochure as "the hacking suite for governmental interception". Though final pricing would obviously depend on the exact configuration and services requested, online reports suggest the going price for RCS to be in the region of US$ 48,000.

Sri Lankan moves

The capabilities of RCS are quite remarkable. In March 2014, it is noted in an email to The Hacking Team that the "Sri Lanka Ministry of Defense is planning to develop a electronic surveillance and tracking system of their own in conjunction with a local university."

In what is seemingly a parallel discussion, The Hacking Team is approached in November 2014 by the Sri Lankan Police and the CID. The resulting email thread leads to planning a live demo of The Hacking Team' s product(s) in January 2015. Given the events of 8 January, it is unclear whether this live demo actually went ahead.

In what is yet another discussion with The Hacking Team in May 2013, someone who is purportedly a very dear friend of the Director of the National Intelligence Bureau (NIB) (noted, correctly, in the email as Sri Lanka' s equivalent of the CIA), asks the company to provide information on its products and services to "very urgently move forward" with procurement.

The Hacking Team' s response is rather interesting: "Can you please confirm that National Intelligence Bureau is a different body from Military Intelligence? It would be helpful if you could describe me to what body NIB reports to."

What' s even more interesting is the manner in which proxies associated with or brokers working for the Sri Lankan Government used dummy corporations to hide the money trail. The most revealing information on this score is the exchange between someone called Huzam Usuph and The Hacking Team, in April 2013. As noted by Usuph, One of most important things in selling and dealing with Defense sectors in Sri Lanka is,

I have sold many sensitive technologies and the acquisition has been very confidential to date no media or any one has reported or exposed what interception technologies have been acquired by our intelligence sources. The pushback from The Hacking Team in dealing with what is clearly noted as a dummy corporation is worth reading. It is unclear whether the deal went ahead.

In addition to digital surveillance technologies, The Hacking Team was also approached to secure military equipment for the Commonwealth Heads of Government meeting in October 2013.S.W. International keeps cropping up in The Hacking Team' s email records, and it is unclear what relationship this company enjoys with Sri Lanka' s Ministry of Defence in particular, and other arms of the military and Police in general.