RCS Spyware and Citizen Lab

Remote-Controlled System (RCS) is a piece of spyware sold exclusively to governments by a Milan company called Hacking Team. Recently, Citizen Lab found this spyware being used by the Ethiopian government against journalists, including American journalists.

More recently, Citizen Lab mapped the software and who’s using it:

Hacking Team advertises that their RCS spyware is “untraceable” to a specific government operator. However, we claim to identify a number of current or former government users of the spyware by pinpointing endpoints, and studying instances of RCS that we have observed. We suspect that agencies of these twenty-one governments are current or former users of RCS: Azerbaijan, Colombia, Egypt, Ethiopia, Hungary, Italy, Kazakhstan, Korea, Malaysia, Mexico, Morocco, Nigeria, Oman, Panama, Poland, Saudi Arabia, Sudan, Thailand, Turkey, UAE, and Uzbekistan.

Both articles on the Citizen Lab website are worth reading; the details are fascinating. And more are coming.

Finally, congratulations to Citizen Lab for receiving a 2014 MacArthur Award for Creative and Effective Institutions, along with the $1M prize. This organization is one of the good guys, and I’m happy to see it get money to continue its work.

Posted on February 20, 2014 at 9:19 AM2 Comments


Andrew February 20, 2014 1:37 PM

Our own Nicholas Weaver is there in the Acknowledgements from Citizen Lab!

Fascinating analysis, thank you for bringing this to our attention

Jim February 22, 2014 1:47 PM

HT seem unconcerned about their tool being easily traceable back to them. I understand HT’s marketing argument is that RCS traffic is not traceable to their customers, not to themselves. Still, I fail to see a good reason for deliberately tipping off the victim by spelling out the HT company name in the server certificates presented to the victim machines. Especially because HT openly claims their customers to be exclusively government organizations, and therefore detecting RCS on your machine is strong evidence it is such an actor targeting you, not a random botnet or an attacker with a more mundane purpose of money or identity theft.

From their own website it appears HT have been in this business for more than a decade, so I can’t think this ‘advertising’ feature of their flagship product is an overlooked detail. Any guess at what its intended purpose may be?

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.