Since November 2010, Hungary’s Orbán government has spent over 571,000 euros to purchase highly sophisticated spying technology from an Italian firm called the Hacking Team, and the software is used to bug cell phones and hack into private computers, according to a report published by the liberal 444.hu news site. The data on the Hacking Team’s servers was stolen by a group of hackers this past weekend and ever since, journalists–including a small handful of Hungarian ones–have been perusing a staggering 400 gigabytes of data, to determine which governments had ordered products or services from the firm. According to The Intercept, a news site that focuses on surveillance, spying and hacking related stories, the Hacking Team has a long history of selling software and other products to despotic regimes. For instance, the Hacking Team’s representatives travelled to Bangladesh, in order to sell products to the Rapid Action Battalion, an infamous death squad headquartered in Dhaka. Also according to The Intercept, the Hacking Team sold surveillance software to Belarus in October 2014 for use by the country’s Operations and Analysis Center, which is responsible for monitoring opposition activists and dissenters.
In Hungary’s case, we now know that the Bureau of Information (Információs Hivatal), formerly the intelligence wing of the Ministry of Foreign Affairs, and now under the direct supervision of the Prime Minister’s Office, and the Professional Services of National Security (NBSZ) have paid a total of nine invoices for products and services rendered by the Hacking Team. Starting in September 2012, the Információs Hivatal (IH) has been led by István Pásztor, the former military attaché previously stationed at the Embassy of Hungary in Washington, DC. The IH is responsible for overseeing the security of Hungarian embassies and consulates and for “obtaining, analysing, evaluating and forwarding to the government information obtained abroad or from foreign sources that can be used for national security purposes in Hungary, or which supports Hungary’s interests.” As is highlighted on the IH’s website, the bulk of the organization’s intelligence activity occurs outside of Hungary.
Also according to the IH’s website, while the majority of IH officers work at the organization’s centre in Budapest, others are placed at Hungarian embassies, consulates and in other workplaces outside of Hungary, “where their ties with the IH are concealed.”
So what has IH been purchasing from the Hacking Team, according to the information stolen and released to the public by rival hackers?
The IH and the NBSZ have been primarily concerned with bugging cell phones. IH has been using a piece of technology called the Remote Control System (RCS), as well as an “exploit portal,” purchased from the Italian company. The yearly licensing fee for the RCS is 64,000 euros and Hungary last renewed this in November 2014. NBSZ, which serves as a public procurer for IH, upgraded the RCS software at a cost of 150,000 euros, in order to allow it to bug a wider range of cell phones. Specifically, Hungarian state security officials realized that it was important for their technology to be able to track older, Nokia-type cellular phones, which preceded today’s smartphones. This upgrade, called Symbian, ensures that IH can obtain any data stored on these older phones, and can monitor all telephone conversations.
In 2012, NBSZ purchased a second upgrade for 36,000 euros, which allows it to bug Apple Iphones. What’s interesting about this approach is how the software is custom-made to bug all generations and different brands of cell phones and smartphones. The Orbán government is covering all its bases.
While it is now clear that Hungary has spent at least 571,000 euros on this technology, 444.hu suggests that once all the information stolen from the Hacking Team server is processed and reviewed, the full amount spent will be closer to 1,89 million euros.
The RCS technology is the most important part of this surveillance “package.” The software, also known as Galileo or as DaVinci, is according to the Hacking Team, only sold to government agencies and not to private individuals or companies. But governments have used Galileo to spy on civil rights activists, such as Egyptian journalist Ahmed Mansour. Egyptian authorities have sentenced Mr. Mansour to 15 years in prison in what appears to be a show trial, for his involvement in the Tahrir Square protests of 2011 against then President Hosni Mubarak.
RCS, or Galileo, is a very powerful surveillance software. It includes a keylogger function, which allows for intelligence agencies to track every keystroke entered on an electronic device. It also produces screen shots, uncovers passwords and allows for any file saved on the machine to be copied. But most critically: RCS is able to activate a laptop or desktop computer’s camera, even when it is not in use, to capture discussions and activities going on in the room where the computer is located.
When it comes to computers, IH use phishing attacks, through emails, to plant RCS onto the machines of individuals under surveillance. But this is seen as a relatively rudimentary approach and it requires the target person to “play along.” (He/she has to actually fall for the phishing attack.) That is why NBSZ purchased an “exploit portal” upgrade for use by IH, allowing for Hungarian agents to exploit software/security deficiencies on the target person’s computer.
According to The Intercept, Hungary is considered to be one of the Hacking Team’s top clients. In fact, the Orbán government is currently the firm’s 6th largest client in the world. The top client is Mexico, followed by Italy, Marocco, Saudi Arabia, Chile and then Hungary. The United Kingdom considered purchasing products from the Hacking Team, for use by London Metropolitan Police Services, but the deal never went through, due to British “legal concerns” about “lawful inception.”
Hungary, being this firm’s sixth most important client, apparently does not share these concerns. I strongly suspect that we are only seeing the tip of the iceberg when it comes to this story and how it relates to Hungary’s IH.