Research

How Hacking Team Helped Italian Special Operations Group with BGP Routing Hijack

By Andree Toonk
Posted on July 12, 2015
Updated on March 5, 2020


This is a crosspost from BGPmon, our recent acquisition; the original was posted here.
In the fallout from the Hacking Team breach and the details published on WikiLeaks, it became public knowledge that Hacking Team helped one of its customers, the Italian Special Operations Group (ROS), regain access to Remote Access Tool (RAT) clients. ROS proposed using a BGP hijack, and Hacking Team helped set up new RAT command-and-control (CnC) servers.
In this post we take a closer look at the exact details of this incident and support the WikiLeaks findings with BGP data.
Raggruppamento Operativo Speciale and Hacking Team
The Raggruppamento Operativo Speciale (ROS) is the Special Operations Group of the Carabinieri, the Italian national military police. The group focuses on investigating organized crime and terrorism. Hacking Team sells its RAT software, known as Remote Control System (RCS), to law enforcement and intelligence agencies, ROS included.
ROS installed the RCS client on the machines of persons of interest (referred to in the emails as targets). Remote Access Tools of this kind typically give the operator full control over a victim's machine. The RCS clients need to check in with a server to fetch their commands (orders) and to upload stored data, recorded communications, logged keystrokes and so on. The WikiLeaks emails show how ROS abruptly lost access to one of its RCS servers and worked with Hacking Team to recover from the loss.
Initially, ROS used machines from a provider called Santrex, a well-known bulletproof hoster; Brian Krebs dedicated an article to them in October 2013.
Obviously the RCS clients (also referred to as agents in the WikiLeaks emails) only work if they can communicate with the server. If the server becomes unreachable, the client essentially becomes an orphan and loses most of its value. This is exactly what happened on July 3rd, 2013 when, after nine earlier outages that year, the Santrex IPv4 prefix 46.166.163.0/24 became permanently unreachable. The WikiLeaks documents describe how ROS reached out to Hacking Team to work together on recovering the VPS that ran on 46.166.163.175. In ROS terminology this server was called the "Anonymizer". The emails also reveal that this server relays updates to another back-end server called the "Collector", from which ROS presumably retrieves the targets' data.
Hacking Team first proposed that ROS work with Santrex to bring the VPS back online, after which Hacking Team would help reconfigure the RCS server to receive updates from the RCS clients installed on the targets' devices, but that route went nowhere.
A plan was then devised to make the prefix 46.166.163.0/24 reachable again by announcing it in BGP. Since Santrex (AS57668) was no longer announcing the prefix, originating it from a different AS would make the network reachable again: there was no competing route for the new announcement to lose to, so the only question was whether upstreams and peers would accept an announcement for address space not registered to the announcing AS. The WikiLeaks documents show how ROS worked with the Italian network operator AS31034 (Aruba S.p.A.) to get the prefix announced in BGP and to bring up a new "Anonymizer" server with the IP address 46.166.163.175. ROS was also hoping that other Italian ISPs wouldn't filter the hijacked announcement.
Historical BGP data confirms that AS31034 (Aruba S.p.A.) indeed started announcing the prefix 46.166.163.0/24 on Friday, 16 Aug 2013 at 07:32 UTC. The WikiLeaks emails show ROS complaining to Hacking Team that the IP was reachable via Fastweb but not yet through Telecom Italia; in other words, not all RCS clients could connect back to the server immediately, because the prefix was not seen globally. The BGP data confirms this, as the visualization below shows.

[Figure: BGP network graph for 46.166.163.0/24]

Historical BGP data shows that AS31034 (Aruba S.p.A.) announced the prefix to its peers via the Milan Internet Exchange, and that the prefix became reachable through the peers that accepted the announcement. The networks below were among those that accepted it and therefore had a path to the new "fake" RCS server:
AS12874 Fastweb
AS6939 Hurricane Electric
AS49605 Reteivo.IT
AS4589 Easynet
AS5396 MC-link S.p.A.

After some frustration on ROS's part over summer-vacation delays, the IP address of the server eventually became reachable again, at least from many Italian networks, and a new server was up and running with the same IP address. Hacking Team then stepped in to reinstall and set up a new RCS server on that IP.
Consequently, the RCS clients were able to "sync" back in with the server. On Aug 20th ROS confirmed to Hacking Team that it had indeed recovered contact with 3 of the 4 RAT clients.
Finally, on August 22 at 13:35 UTC the prefix was withdrawn again, which indicates that the operation was complete and the RAT clients had likely been reconfigured to use a different server IP.

Source: RIPEstat (stat.ripe.net). Lifetime of the AS31034 announcement of the prefix covering 46.166.163.175.
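The detection a prefix owner or monitoring service would want for this kind of event, as an added example (this is not BGPmon's code, nor anything from the Hacking Team emails): replay a stream of BGP UPDATEs and alert whenever a monitored prefix, or a more specific of it, is originated by an AS other than the expected one, then track which collector peers accept the rogue route and when the last of them withdraws it. The prefix, the expected origin AS57668, the rogue origin AS31034, the accepting peers and the 16 Aug / 22 Aug timestamps are taken from the post; the individual UPDATE records and their AS paths are constructed for illustration.

```python
"""Origin-hijack detection over BGP UPDATEs (added example, not BGPmon's code).

Replays the incident described in the post: 46.166.163.0/24 is expected from
AS57668 (Santrex); on 16 Aug 2013 07:32 UTC AS31034 (Aruba) originates it and a
subset of peers accept it; on 22 Aug 2013 13:35 UTC it is withdrawn. The update
records and AS paths below are constructed, not real collector data.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_network

# Monitored prefix -> the only ASN allowed to originate it (or any more specific).
EXPECTED_ORIGIN = {ip_network("46.166.163.0/24"): 57668}


@dataclass(frozen=True)
class Update:
    ts: datetime
    peer_asn: int        # route-collector peer that relayed the UPDATE
    prefix: str
    as_path: tuple = ()  # AS_PATH with the origin last; empty tuple == withdrawal


def utc(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)


# Constructed sample stream modelled on the post's timeline (peer ASNs from the post).
SAMPLE = [
    Update(utc("2013-08-16 07:32"), 12874, "46.166.163.0/24", (12874, 31034)),
    Update(utc("2013-08-16 07:32"), 6939, "46.166.163.0/24", (6939, 31034)),
    Update(utc("2013-08-16 07:33"), 49605, "46.166.163.0/24", (49605, 31034)),
    Update(utc("2013-08-16 07:40"), 12874, "203.0.113.0/24", (12874, 64496)),  # unmonitored
    Update(utc("2013-08-22 13:35"), 12874, "46.166.163.0/24"),  # withdrawals
    Update(utc("2013-08-22 13:35"), 6939, "46.166.163.0/24"),
    Update(utc("2013-08-22 13:35"), 49605, "46.166.163.0/24"),
]


def covering_prefix(prefix):
    """Monitored prefix equal to or containing `prefix`, or None if unmonitored."""
    net = ip_network(prefix)
    for monitored in EXPECTED_ORIGIN:
        if net.version == monitored.version and net.subnet_of(monitored):
            return monitored
    return None


def detect(updates):
    """Replay updates in time order and return a list of alert dicts.

    kinds: 'hijack'    first peer reports a rogue origin for a monitored prefix
           'spread'    another peer accepts the same rogue announcement
           'withdrawn' the last peer holding the rogue route withdraws it
    The origin is AS_PATH[-1]; AS_SET origins are not handled here.
    """
    holding = {}  # (monitored, announced prefix, rogue origin) -> peers holding it
    alerts = []
    for u in sorted(updates, key=lambda x: x.ts):
        monitored = covering_prefix(u.prefix)
        if monitored is None:
            continue
        if not u.as_path:  # withdrawal from this peer
            for (_, pfx, origin), peers in holding.items():
                if pfx == u.prefix and u.peer_asn in peers:
                    peers.discard(u.peer_asn)
                    if not peers:
                        alerts.append(dict(kind="withdrawn", ts=u.ts, prefix=pfx,
                                           origin=origin, peer=u.peer_asn))
            continue
        origin = u.as_path[-1]
        if origin == EXPECTED_ORIGIN[monitored]:
            continue  # legitimate origin, nothing to report
        peers = holding.setdefault((monitored, u.prefix, origin), set())
        if u.peer_asn in peers:
            continue  # re-announcement from a peer already counted
        peers.add(u.peer_asn)
        alerts.append(dict(kind="hijack" if len(peers) == 1 else "spread",
                           ts=u.ts, prefix=u.prefix, origin=origin, peer=u.peer_asn,
                           more_specific=ip_network(u.prefix) != monitored,
                           visible_via=sorted(peers)))
    return alerts


def visibility(alerts):
    """Peers that accepted the rogue route at any point (who had a path to it)."""
    return sorted({a["peer"] for a in alerts if a["kind"] in ("hijack", "spread")})


if __name__ == "__main__":
    for a in detect(SAMPLE):
        print(a["ts"].isoformat(), a["kind"], a["prefix"],
              "origin AS%d via AS%d" % (a["origin"], a["peer"]))
```

The point of keying on the expected origin rather than on conflicting announcements is that in this incident there was nothing to conflict with: Santrex had stopped announcing the prefix, so a monitor that only looks for two origins competing for the same space would stay silent. Comparing the set returned by visibility() against the full list of collector peers is also how one sees the partial propagation the emails complain about (reachable via Fastweb, not yet via Telecom Italia). The detector also flags more specifics of a monitored prefix, a case the post's incident did not involve.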

Conclusion
The historical BGP data confirms that the information revealed in the WikiLeaks documents is factual: the Italian ROS and Hacking Team did work with the Italian network AS31034 (Aruba S.p.A.) to announce 46.166.163.0/24 between Aug 16 and Aug 22, 2013, in order to regain access to their RAT clients.
This finding is a further confirmed case of BGP being used for nefarious purposes, similar to the one described in our blog post earlier this year. Note that because the legitimate origin had stopped announcing the prefix, this hijack did not compete with an existing route; it is caught by checking the observed origin AS against the expected one, not by looking for conflicting announcements. BGP hijacks can do serious harm, and rapid notification of such an event is essential. BGPmon provides free and premium monitoring services that inform users of events like this in near real time.
