ASIO, NT Police, NSW Police named in Hacking Team emails

Australia's peak spy agency was interested in Hacking Team surveillance products as recently as November 2014, according to emails leaked from the Italian company.
Written by Josh Taylor, Contributor

The Australian Security Intelligence Organisation (ASIO) was allegedly interested in using products from surveillance software company Hacking Team as recently as November last year, according to emails leaked from the Milan-based company.

Hackers on Monday uploaded a 400GB torrent file containing the sensitive documents, tweeted a link to the file using Hacking Team's own Twitter account, and also posted screenshots of internal company emails and secret deals with governments around the world.

Hacking Team develops spyware and malware designed to infiltrate a variety of devices and platforms, and sells its services to governments and businesses worldwide.

Early assessments of the company's receipts and client lists only linked Hacking Team to the Australian Federal Police (AFP). However, on Thursday, WikiLeaks made Hacking Team's entire email archive searchable, revealing a number of other links to Australian government organisations.

One email from Daniel Maglietta, the Singapore-based salesperson representing Hacking Team in the Asia-Pacific region, said Canberra-based surveillance firm Criterion Solutions was interested in products from Hacking Team for ASIO as recently as November last year.

Criterion Solutions' Andrew Windsor first had to sign a non-disclosure agreement after initially expressing interest in October 2014.

"I represent a small firm in Australia that sells niche capabilities to a number of Australian government agencies, and I have a government client interested in your technology," Windsor said in his email to Hacking Team.

ZDNet has attempted, but has been unable, to reach ASIO for comment.

Victoria's Independent Broad-based Anti-corruption Commission (IBAC) -- the state government agency charged with investigating corruption -- is also named in the emails as being interested in Hacking Team products as recently as May this year.

In November, IBAC began inquiring about Hacking Team's flagship Remote Control System and its ability to help IBAC increase its "capabilities for fighting crime in our jurisdiction".

IBAC eventually sought to schedule a demonstration of the surveillance system in May this year. An IBAC spokesperson, in "the only comment IBAC will be making" on the matter, told ZDNet in a statement that it had not made a purchase from Hacking Team.

"IBAC is not a client of Hacking Team, and has never purchased any of its services," the spokesperson said.

The emails also reveal, as suspected, that the Australian Federal Police ceased being a client of Hacking Team after 2011.

According to invoices, the AFP allegedly initially paid the company €245,000 over 2009 and 2010 to target five individuals. In a follow-up email in 2011, Hacking Team sought a maintenance fee of €49,000, but the AFP informed the firm that it did not want to extend the contract.

The AFP has refused to confirm whether it has used Hacking Team's services.

Another email reveals that the AFP was frustrated at being unable to successfully use a backdoor to Mac OSX.

"Our testing of the Mac OSX backdoor has failed continuously on the different hardware and OS versions we have attempted," Brett Gray, a member of the AFP's data technical field team, told Hacking Team in an email.

"We have tested the Win 64-bit version, and this appears to function correctly. We are testing the Blackberry now and will let you know the results.

"We will not contemplate purchasing the Mac OSX backdoor until we have physically tested a working system."

Hacking Team recommended using the Remote Control System's Exploit Portal, which allows users to "create malformed versions of common file formats" such as PDFs and .doc files, to create a vulnerability in the target machine that opens the file.

Hacking Team also "constantly provides exploit (sic) for vulnerabilities that are public (sic) available or 'zero day'."

The Northern Territory Police expressed interest in Hacking Team products in 2014, while the New South Wales Police expressed interest in products in 2013, according to the emails.

New South Wales Police was already named as a customer of rival software company FinFisher.

A spokesperson for the New South Wales Police said the agency does not use Hacking Team.
