cryptostorm's hacking.technology #HackedTeam mirror
Back in the hot days of midsummer, someone did a little number on the assholes at Italian malware-munitions purveyors "Hacking Team." That someone, or someones, exfiltrated about 400 gigabytes of data from their internal systems: email spools, source code, training materials, more or less the whole crown jewels by the look of things.
One morning early European time, a .torrent file indexed to this trove appeared on a transiently-available .onion URL, and was available for peering. However, because there were hundreds of thousands of individual files in the torrent, actually pulling the archive via this process was tricky and not really viable for most folks interested in reviewing these data. So it was pretty clear there would be value in creating an HTML mirror of the whole thing - all 400 gigabytes, so a simple web browser could access and study the files.
We decided to make a mirror, and registered the domain hacking.technology to point at it. Because we'd wanted an excuse to use that new .technology TLD, basically. And also because it's easy to remember and so on.
Right away we saw traffic of several hundred mb/second flow out of the newly-created mirror. For some big CDN that might be peanuts, but we live in reality and in reality that's a decent amount of packets to be serving up... and since we've got the capacity here and there in our network to carry that sort of volume, we were happy to see the numbers jump up like that. They have stayed more or less steady since then.
Also right away, we started to see blowback from the hacks at Hacking Team and their lawyer goons. We lost a few servers, early on. So we began to chain in "jump node" proxy inbound VPS instances to shield the underlying servers from easy de-obfuscation by lawyerbot goons and so on. That lessened the pressure on our underlying hardware, and instead we cycled through a whole armada of leased VPS instances... melting them down as fast as we added them.
So we did some work to automate DNS-based failover syntax for the inbound jump node VPSes - that way we could just pull the dead ones from the field of battle, add new ones, and the redundancy of the failover system itself would keep the underlying webservers pointed at the people requesting pages, and so forth.
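To make the failover idea above concrete, here is an added example (not cryptostorm's code, which the post does not show): a small pool model that tracks health probes per jump node, pulls a node from the published A-record set only after several consecutive failures (so a single dropped probe doesn't flap the zone), and refuses to publish an empty set. Node names and IP addresses are constructed placeholders; the probe URL path and thresholds are assumptions.

```python
from dataclasses import dataclass
import urllib.request

FAIL_THRESHOLD = 3   # consecutive failed probes before a node is pulled from DNS
TTL = 60             # short TTL so clients re-resolve soon after a change


@dataclass
class JumpNode:
    name: str
    ip: str
    failures: int = 0  # consecutive failed probes so far


class FailoverPool:
    """Set of inbound jump-node VPSes fronting the real mirror webservers."""

    def __init__(self, nodes):
        self.nodes = {n.name: n for n in nodes}

    def add(self, node):            # a freshly leased VPS joins the pool
        self.nodes[node.name] = node

    def remove(self, name):         # a melted-down VPS is pulled for good
        self.nodes.pop(name, None)

    def record(self, name, ok):     # feed one probe result for a node
        n = self.nodes[name]
        n.failures = 0 if ok else n.failures + 1

    def live(self):
        return [n for n in self.nodes.values() if n.failures < FAIL_THRESHOLD]

    def zone_records(self, host="hacking.technology."):
        """A records the failover zone should currently publish."""
        live = self.live()
        if not live:
            # publishing nothing would black-hole the site; keep the old set instead
            raise RuntimeError("no live jump nodes; refusing to publish an empty set")
        return [f"{host} {TTL} IN A {n.ip}" for n in sorted(live, key=lambda n: n.ip)]


def probe(pool, node, path="/healthz", timeout=5):
    """Live HTTP probe of one jump node (assumed path); records the result."""
    try:
        with urllib.request.urlopen(f"http://{node.ip}{path}", timeout=timeout) as r:
            pool.record(node.name, r.status == 200)
    except Exception:
        pool.record(node.name, False)
```

In practice a cron job would call `probe()` for every node and rewrite the zone (or push to the DNS provider's API) whenever `zone_records()` changes.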
The whole process has cost us perhaps a thousand dollars of actual resources (or less), and a decent amount of tech staff time to keep it running, harden it against attacks (yes we saw pathetic efforts to "hack" our mirror from various hopeless camp followers of Hacking Team; none amounted to a bean in a hill of beans, frankly), and create systems to ensure the mirror doesn't bog down, get shut down, or otherwise become less useful over time. Since a lot of that work we can now apply elsewhere in our own network - for example, the soon-to-be-alpha jump nodes we now offer are a direct outgrowth of those VPS proxies we use in the HT mirror to buffer the underlying servers - it's been a net benefit to everyone.
Since then a few other mirrors have come and gone. Some are still around, although perhaps not a full copy of the full 400gb of original files (we've not added, removed, or edited anything in the archive itself - nothing), some vanished under lawyer-goon pressure, some got shut down by this or that CDN under suspicious circumstances. Wikileaks now has a nicely-done, searchable index of all the email spools in the archive - really useful, but it's also nice to have the whole thing. Oh, and there's a repository mirror of all the src repos in the dataset itself. That's handy, too.
Meanwhile we'll keep our macro-mirror up and running so researchers have the whole thing at their virtual fingertips, for as long as they need it. Hopefully forever. Because those assholes deserve nothing less... oh and also there's a lot of seriously interesting and informative stuff in there about how ethically bankrupt shitheads like them make money from illegal surveillance of dissidents, activists, and citizens worldwide. And help get people tortured to death. And other really evil things.
We've been meaning to do a "real" forum post with lots of details on the clever stuff we've figured out how to do along the way, but time waits for no geek and it never seems to happen. So we finally wrote up this very short "intro" post, to get things going. And the idea is we'll add to it as time allows. At least it's something, and that's more than nothing.
Meanwhile, the mirror is pretty active. By our loose estimates (we don't log any traffic to the mirror, obviously, so we're going on not a lot of micro-detail in this estimate) we've served up about a petabyte of #HackedTeam mirror files since hacking.technology went up in July. A petabyte: one thousand terabytes. Not bits - bytes. That's nothing to shake a stinky stick at, or anyway we think so. Yay for transparency and yay for the community of counter-surveillance geeks that helps keep these shitbags under the microscope and less able to destroy lives with their destructive digital weaponry.
More to come. Meanwhile here's to the next petabyte of mirror traffic.
~ cryptostorm team