After a maker of surveillance software was hacked, its leaked documents shed light on a shadowy global industry that has turned email theft into a terrifying — and lucrative — political weapon.
On the morning of May 18, 2014, Violeta Lagunes was perplexed by a series of strange messages that appeared in her Gmail inbox. It was Election Day to choose the leadership of Mexico’s right-wing Partido Acción Nacional, or PAN, and Lagunes, a former federal congresswoman, was holding a strategy meeting in her office in Puebla city. The emails seemed harmless, at least at first. One appeared to come from the account of a trusted colleague. It asked her to download and review a document. Lagunes clicked on the link, but it seemed to be broken, so she wrote back to her colleague and asked him to send it again. Elsewhere in her inbox was an email from Google warning her that someone had tried to log in to her account. Meanwhile, she began to receive phone calls from PAN allies, who claimed that they had received emails from Lagunes’s account that she did not remember sending.
Now Lagunes was worried. Around 1 o’clock, she called the colleague who appeared to have emailed her. She reached him at a restaurant, where he was finishing lunch with other campaign allies. “I did not send you an email,” he insisted. A consultant with the campaign — who asked to remain anonymous in order to preserve his relationships with other candidates — overheard the conversation. He knew of other campaign workers who had been receiving similar messages: emails with vague subject lines, asking the recipient to review a document or click a link. The campaign, he realized, had been hacked.
In the vote for party leader, Lagunes and her allies in Puebla — a two-hour drive southeast from Mexico City — were supporting the challenger, a senator who promised to return the party to its conservative roots. But the incumbent was backed by Puebla’s powerful governor, Rafael Moreno Valle. One of Mexico’s rising political stars, Moreno Valle is close to Mexico’s president, Enrique Peña Nieto, and has forged an alliance between PAN and Nieto’s centrist Partido Revolucionario Institucional, or PRI, long the dominant force in Mexican politics. Since winning the governorship in 2010, Moreno Valle’s opponents say, his ambitions have grown, and he has resorted to increasingly harsh measures to keep Puebla state — including members of his own party — under control. “In the beginning, the governor was low-profile and respectful,” Rafael Micalco, a former leader of PAN in Puebla state, told me. “When he became governor, he transformed. Now he controls the party through threats.”
This race to retain control of the party leadership in 2014 was a crucial test for the governor, who was rumored to be considering a run for Mexico’s presidency in 2018. (This past September, Moreno Valle publicly announced his intent to run.) Clashes between the two camps were especially intense in Puebla, where backers of the challenger, Ernesto Cordero, claimed that the governor was using public money to support the incumbent, Gustavo Madero, though the governor’s office has denied these charges. Shortly before the election, Madero’s campaign manager said that Cordero’s side was trying to undermine the legitimacy of the process. “Their strategy is clear from the outset,” he said in an interview with a Mexican magazine. “‘If I win, good. If not, I was cheated.’”
“The day before,” the consultant told me, the field network was “motivated and eager to do this work. After the hack, it was very hard to reach them. The few who did answer said that they had received phone calls saying that their lives were at stake. They were worried that if they went out, they or their families would get hurt.”
According to another worker on Cordero’s campaign, who also requested anonymity, citing fear of reprisal, the message to the canvassers was simple and direct: “We know who you are. If you don’t want any trouble, shut down your cellphone and stop your activity.” The worker added: “It’s an authoritarian regime.”
Madero won the election, with 57 percent of the 162,792 votes cast over all. In Puebla, his margin was substantially larger, roughly 74 percent. Cordero’s team decided not to contest the result. They had suspicions about how they were hacked. But it would be another year before any evidence emerged. Their political enemies, leaked documents seemed to show, had built a spying operation using software made by an Italian firm called Hacking Team — just one of many private companies that, largely below public notice, have sprung up to aid governments in surveilling the private lives of individual citizens. The industry claims that its products comply with local laws and are used to fight crime and terror. But in many countries around the world, these tools have proved to be equally adept at political espionage.
On average, an American office worker sends and receives roughly 120 emails per day, a number that grows with each passing year. The ubiquity and utility of email has turned it into a fine-grained record of our day-to-day lives, rich with mundane and potentially embarrassing details, stored in a perpetual archive, accessible from anywhere on earth and protected, in some cases, by nothing more than a single password. In the case of Violeta Lagunes, her email login represented a point of vulnerability, a seam where the digital walls protecting her campaign were at the mercy of her human judgment — specifically, whether she could determine if a message from an apparently reputable source was real or fake. Nearly two years later, John Podesta, chairman of Hillary Clinton’s campaign, was faced with a similar judgment call. An email warned him that someone in Ukraine had tried to access his Gmail account and asked him to click on a button and reset his password. His senior adviser forwarded the email to one of the campaign’s technology experts. “This is a legitimate email,” he replied, in what the expert later would clarify was a simple typing error on his part; he meant to say it was not legitimate. “The gmail one is REAL,” the senior adviser wrote to Podesta and another aide.
And so, like Lagunes, Podesta fell into a trap. The button appeared to lead to an official Google page, but it was in fact a meticulously personalized fake, with a domain address linked to a remote cluster of atolls in the South Pacific. The details were designed to trick Podesta into entering his password. This technique is known as “spear phishing.” It is an especially potent weapon against companies and political organizations because it needs to succeed only one time, against one target. After that, attackers can use the trusted identity of the first compromised account to more easily lure colleagues into opening infected attachments or clicking on malicious links. Not only will a working email password yield years of intraoffice chatter, invoices, credit-card bills and confidential memos; it can often be leveraged into control of other personal accounts — Twitter, Facebook, Amazon — and even access to company servers and internet domains.
The Podesta and Lagunes episodes are far from the only cases in which hackers have used information from stolen emails as a weapon against an entire institution. The 2009 “Climategate” incident, which exposed troves of emails from prominent climate researchers, began when hackers remotely broke into servers at a British university with the help of illicitly obtained passwords. The 2014 hack of internal Sony files, which American officials attributed to the North Korean government, began with a series of spear-phishing emails that attackers then used to dig deeper into Sony’s servers. Each hack yielded the most private thoughts and deeds from the members of each respective organization: their blunt insults, their quashed dissents, their half-baked plans, their smarmy flattery, all chronicled in time down to the hundredth of the second when the author clicked “send.” In an earlier era, the hackers might have had to engage in riskier behavior, like bribery or burglary. Now, in many cases, all they had to do was send along a link.
The White House, C.I.A. and F.B.I. have all claimed that, based on classified evidence, they can trace the hacks of Podesta’s email account (and other hacks of people close to the Clinton campaign) back to the Russian government. But with the rise of private firms like Hacking Team, penetrating the email accounts of political opponents does not require the kind of money and expertise available to major powers. A subscription-based website called Insider Surveillance lists more than a dozen companies selling so-called ethical malware, including Milan-based Hacking Team, the German firms FinFisher and Trovicor and the Israeli company Nice. Compared with conventional arms, surveillance software is subject to few trade controls; a recent attempt by the United States to regulate it under a 41-country pact called the Wassenaar Arrangement failed. “The technology is morally neutral,” says Joel Brenner, a former inspector general of the National Security Agency. “The same program that you use to monitor your babysitter might be used by Bashar Assad or Abdel Fattah el-Sisi to keep track of whomever they don’t like.”
Hacking Team has fewer than 50 employees, but it has customers all over the world. According to internal documents, its espionage tool, which is called the Remote Control System, or R.C.S., can be licensed for as little as $200,000 a year — well within the budget of a provincial strongman. After it has been surreptitiously installed on a target’s computer or phone, the Remote Control System can invisibly eavesdrop on everything: text messages, emails, phone and Skype calls, location data and so on. Whereas the N.S.A.’s best-known programs grab data in transit from switching rooms and undersea cables, the R.C.S. acquires it at the source, right off a target’s device, before it can be encrypted. It carries out an invisible, digitized equivalent of a Watergate-style break-in.
The United States government is almost certainly the world’s most formidable repository of hacking talent, but its most powerful cyberweapons are generally reserved for intelligence agencies and the military. This might explain why, according to company documents, at least two federal law-enforcement agencies have been Hacking Team clients: the F.B.I., beginning in 2011, and the Drug Enforcement Administration, beginning in 2012. The F.B.I. contract paid Hacking Team more than $700,000; the D.E.A. appears to have used the software to go after targets in Colombia.
Documents show that the company has also sold its software to some of the world’s most repressive governments. Some, like those of Honduras, Ethiopia, Bahrain, Morocco, Egypt and Saudi Arabia, are Western allies. Other countries, like Uzbekistan and Turkey, have a more troubled relationship. A few are openly hostile to the West. Between 2012 and 2014, Hacking Team was paid nearly one million euros by the government of Sudan, a United States-designated state sponsor of terrorism. Even more notable, in light of recent events, is the three-year relationship that Hacking Team carried on with the F.S.B., one of Russia’s main intelligence agencies. As with Puebla, Hacking Team used a middleman, a research agency called Kvant, to handle its sales to Russia. Between 2012 and 2014, the agency paid Hacking Team 451,000 euros to license the Remote Control System.
After Lagunes’s call on Election Day, her colleagues rushed from the restaurant back to their local headquarters, a hotel conference room that they had nicknamed “the bunker.” All morning, they had been trying to reach their field network, a group of 40 Cordero canvassers who were working to get out the vote in Puebla state. But the field network seemed to have gone dark. Few of the canvassers were even answering their phones. Hackers, the team concluded, must have found the list of the canvassers’ names and phone numbers — widely circulated by email within the campaign — and begun to intimidate them.