Italian surveillance software maker Hacking Team recently claimed that it hasn't lost any customers after the massive leak of its internal data two weeks ago. But it has lost at least one business partner: U.S.-based penetration testing specialist and zero-day exploit broker Netragard.
Over the weekend, Netragard announced that it is terminating its long-running Exploit Acquisition Program (EAP), citing revelations about Hacking Team's customers as one of the reasons.
Set up in 1999, EAP allowed Netragard to broker the sale of exploits for unpatched vulnerabilities — also known as zero-day exploits — between private researchers and select organizations interested in such computer intrusion tools.
Internal email communications recently leaked from Hacking Team revealed that the Milan-based company had a business relationship with Netragard and bought at least one zero-day exploit through its program.
Hacking Team developed a remote computer surveillance program called Galileo or RCS and sold it to law enforcement and other government agencies from around the world. As part of the package the company also offered zero-day exploits that could be used to silently install its program on systems targeted for surveillance when their owners visited a particular website or opened a certain document.
On July 5 one or more hackers leaked over 400GB of email communications, source code, documentation, client lists and other internal files stolen from Hacking Team. Researchers have found four zero-day exploits in the data cache so far, three for Flash Player and one for Windows, prompting Adobe Systems and Microsoft to release emergency fixes.
Other files revealed that Hacking Team sold its services to governments with a track record of violating human rights, including Egypt, Sudan and Ethiopia; this apparently enraged Netragard.
"The breach of HackingTeam is a blessing in disguise," said Netragard's CEO Adriel Desautels in a blog post soon after the leak. "The breach exposed their customer list which contained a variety of questionable countries known for human rights violations. Their customers are the very same customers that we've worked so hard to avoid. It goes without saying that our relationship with them is over and we've tightened our vendor vetting process."
However, severing ties with Hacking Team was apparently not enough: the incident served as a wake-up call for Netragard, which is now stepping away from the exploit-selling business altogether.
"We've decided to terminate our Exploit Acquisition Program (again)," Desautels said in a new blog post over the weekend. "Our motivation for termination revolves around ethics, politics, and our primary business focus."
The Hacking Team breach proved that Netragard cannot sufficiently vet the "ethics and intentions" of potential zero-day exploit buyers, Desautels said. "While it is not a vendor's responsibility to control what a buyer does with the acquired product, HackingTeam's exposed customer list is unacceptable to us. The ethics of that are appalling and we want nothing to do with it."