Hacking Team, Egypt and Giulio Regeni


Regeni, the Egyptian security services and Hacking Team

Near the motorway where Giulio Regeni's body was found there is an important office of the Egyptian secret police. The same one to which the Milan company Hacking Team sold the powerful RCS spyware, capable of monitoring every moment of its targets' digital life. Certain deals are becoming more and more embarrassing.

Cairo, 6th of October district. The dusty ditch that runs alongside the road to Alexandria is the place where Giulio Regeni's torturers and killers abandoned his body. It is not just any address. Those who have been through the abuses of the Egyptian secret police know that place well. Not far from there is the headquarters of the SSIS, the State Security Investigations Service, known by its Arabic name Amn al-Dawla. Between 4 and 5 March 2011, when the "Arab Spring" promised to sweep away the dictatorship and the leaden climate of military rule, the Amn al-Dawla headquarters was stormed by demonstrators. It changed its name, becoming simply Homeland Security. But its methods, say journalists and activists of human rights organizations, have remained the same.

For the engineers of the Milan surveillance company Hacking Team, Amn al-Dawla is just an "end user", the final user of the Galileo Remote Control System (RCS) surveillance product, the program capable of monitoring the targets' entire digital life: "Dangerous drug traffickers or terrorists", the company has always maintained. "Opponents and journalists", counter those organizations which, like Canada's Citizen Lab, have for years accused the Milan company of supplying spyware to the worst dictatorships.

Hacking Team's accounts include invoices for the sale of the powerful RCS system, the spyware capable of penetrating computers and smartphones, to the Cairo company GNSE, with offices in Lebanon Street. Presidents change, but the professionals of control and repression remain the same: the sales contracts for the RCS software were active from 2011 to 2015, from Mubarak's Egypt to al-Sisi's. And it is in the internal emails of Hacking Team, revealed after the cyber attack the Milan company suffered in July 2015, that the real customer of the cyber weapon sold to Egypt emerges: "Please note: the customer is Home Land Security and not MoI National Security," writes a certain Emad Sehehata on 19 October 2014, "they changed their name." That is, the former State Security Investigations Service, which now, under al-Sisi, has changed its name to Homeland Security.

The atrocious torture sessions that led to Giulio Regeni's death bear a clearly identifiable hand for the Italian investigators who arrived in Cairo three days ago: "Trained professionals, aiming to obtain information," explain some investigative sources. The way of operating of the agency that uses Hacking Team's systems is part of that daily violation of the most basic human rights: "They enter your home without a warrant," says a source who asks for anonymity, "to check the entire hard disk of your computer just because you may have taken a photo of a sunset near Parliament." It is too early to tell whether that agency played a role in the Italian researcher's death. Certain deals, however, are becoming more and more embarrassing. Hacking Team, contacted by Il Fatto Quotidiano, did not send any comment on the matter.

Andrea Palladino and Andrea Tornago

Il Fatto Quotidiano, 9 February 2016

Panorama, 24 February 2016, from p. 64. Weekly. Editor: Giorgio Mulè. National. Audipress readership 12/2015: 189,686.

SPIES & HI-TECH

In July 2015 a disastrous attack by computer pirates seemed to have sunk Italy's leading company in active counter-espionage. It hadn't: while the Milan Prosecutor's Office is now close to a breakthrough in its investigation into the hackers, founder David Vincenzetti says he has won back all of his Italian and foreign clients, law enforcement agencies first among them. "Our technology," he reveals, "is now even more invisible. But above all, unassailable."

by Maurizio Tortorella

Photo caption: David Vincenzetti: 12 years ago he founded Hacking Team, active in counter-espionage. Its hi-tech products are used by governments and police forces in 50 countries.

On 12 November, one day before the Isis massacre in Paris, in South Tyrol the Carabinieri's Special Operations Group (ROS) dismantled a cell of seven suspected jihadists. On 22 December the Milan Prosecutor's Office finally managed to identify the alleged hitman of Turin judge Bruno Caccia, killed 32 years ago by the 'ndrangheta. Then, between 7 January and 14 February, six suspected Islamic terrorists were arrested, from Milan to Venice, from Bergamo to Brescia. What links all these operations? A single, highly sophisticated computer surveillance technology, which allowed investigators to penetrate the suspects' mobile phones and computers and turn them into perfect bugs.

Not even under torture would David Vincenzetti admit that the technology is his: the man knows how to keep secrets. The newspapers, however, have written it for him, pointing out that those investigations used attack systems so penetrating as to suggest "precisely the RCS software, Hacking Team's Remote Control System", the company Vincenzetti founded in 2003. Others have revealed that, after the attack on the Bataclan theatre, the French secret services also knocked on his door: they too want to equip themselves with the powerful made-in-Milan anti-terrorism viruses, the same ones adopted by 50 other countries.

Photo caption: The Panorama article that in July 2015 reported on the "cyber war" under way against Hacking Team, robbed of 400 gigabytes of data: a digital weight equal to 290 films on DVD.

A strange story indeed, that of Hacking Team. In July 2015 it seemed buried under a global disaster, technical and reputational: what could be worse, for Italy's leading company in active defence against computer espionage, than to be breached by pirates who publish its code, secrets and alleged customers online? Yet today Hacking Team is stronger than before. "For three months, the minimum time needed to restore the product, sales slowed down," Vincenzetti admits, in the first interview he has given since then. "Despite everything, we will close 2015 in the black, with revenue of around 7 million. And in 2016 we have decided to raise prices significantly, because our technologies are unique."

The maintenance Vincenzetti refers to concerned precisely his digital jewel, RCS (also known as "Galileo"), which manages to get into mobile phones and computers like an invisible virus. "In the last months of 2015 we made three improvements to the product," Vincenzetti reveals, "and now we are about to release version number ten."

Galileo may change its name: within the company there is debate over whether it will be called Phoenix or Archimedes. "The important thing," the manager smiles, "is that we have won back the majority of our customers: the government institutions we have always worked for have confirmed their trust in us." He adds: "Right after the attack, the world's leading computer security experts had declared that we would never manage to restore Galileo's invisibility and effectiveness. Not only have we done it, but the product is now more invisible and stronger than before. In recent months we have developed totally innovative technologies, not yet on the market, that solve apparently impossible problems in digital investigation."

Of course, some mysteries remain. Above all about an impressive series of alleged corporate disloyalties. In a complaint filed on 6 May 2015, exactly two months before the cyber attack, Vincenzetti accused six former employees and consultants of having tried to sell abroad, between Malta and Abu Dhabi, a series of programs apparently capable of countering his RCS: in short, an "antidote" delivered into hands that were not always reputable. The hypothesis was that these former employees had stolen important company secrets before resigning, in order to then compete unfairly with Hacking Team.

"My impression," Vincenzetti says today, "is that the July attack was precisely a retaliation, a consequence of that complaint of ours." A serious accusation: are the pirates among the six former employees? "I cannot say for certain," Vincenzetti replies. "But it is clear that whoever broke into our network wanted to sabotage us. I hope the judiciary soon finds out who it was."

The suspicions have some technical and logical basis: "Whoever penetrated our systems did not search for anything at random: they had detailed information, they followed straight paths, they did not have to make a single attempt. Just like a thief who enters a house and goes straight to the right drawer and the safe."

The Milan Prosecutor's Office investigation, meanwhile, "has reached a turning point," prosecutor Alessandro Gobbis tells Panorama, declining to add anything further. Interrogations have been conducted and at the beginning of November papers were seized at a Turin company set up by two of the six employees who left Hacking Team: it will soon be seen whether the judicial raid has really produced results.

If, however, what Vincenzetti says is true, there was some problem in the choice of collaborators: is it possible that neither he nor his customers, who should after all make security a mantra, had checked the reliability of those being hired at Hacking Team and handling its highly sensitive software? "Mistakes are always possible," Vincenzetti admits. "Of course, we are now infinitely more careful. And our corporate network, the one we work on today, is more closed than military ones."

Open letter to Hacking Team

March 5, 2015 (posted March 9, 2015)

Sent via email: [email protected]

Mr. Vincenzetti and team,

Pursuant to the procedure outlined in your customer policy, the Citizen Lab at Munk School of Global Affairs, University of Toronto, is submitting the attached report regarding apparent misuse or abuse of Hacking Team systems and solutions.

As detailed more fully in the report, journalists at the Ethiopian Satellite Television Service (ESAT) in the United States were again targeted in late 2014, with what appear to be two updated versions of Hacking Team’s Remote Control System (RCS) spyware. Our research suggests that the attacker is the same governmental entity as that implicated in December 2013 attacks using RCS against ESAT journalists, on which we previously reported. The attacker may be the Ethiopian Information Network Security Agency.

Hacking Team’s customer policy suggests that the company is capable of exercising wide discretion in ensuring its customers do not employ the technology in a manner that undermines human rights. The policy references contractual restrictions on misuse, as well as “auditing features built into HT software that allow administrators to monitor how the system is being used.” The policy also notes Hacking Team investigates potential rights abuses involving its software and “take[s] appropriate action.” Should Hacking Team decide to cease supporting a particular customer’s installation, “the product soon becomes useless.”

The new incidents we have documented, however, suggest that rather than restricting the capabilities provided to the governmental attacker targeting ESAT, Hacking Team may have continued to provide support for RCS software used by that attacker, including in the form of updates to the software to evade detection.

Quite simply put, after all of the prior reporting surrounding the use of RCS against ESAT journalists in December 2013 and its human rights implications, how has it come to pass that RCS is again linked in late 2014 to the same activity? What steps will Hacking Team take to control such apparent misuse of its technology and prevent the continued targeting of ESAT journalists?

We request that you provide clarification regarding the apparent repeated misuse of RCS against ESAT journalists as soon as possible. The United Nations Guiding Principles on Business and Human Rights detail effectiveness criteria for operational-level grievance mechanisms established by business enterprises, including transparency: “keeping parties to a grievance informed about its progress, and providing sufficient information about the mechanism’s performance to build confidence in its effectiveness and meet any public interest at stake.” We encourage Hacking Team to, at a minimum, inform the journalists affected by these attacks of concrete action taken by the company to address the concerns raised in the attached report.

We also note that on February 25, 2015, Hacking Team published a press release regarding its compliance with Wassenaar Arrangement export controls covering certain surveillance technologies. Given that these controls are manifested in the form of a licensing regime implemented at the national level, what specific Italian regulations govern Hacking Team’s exports? Under which export control classification numbers do Hacking Team products fall (e.g., 4A005, 4D004, 4E001.c, 5A001.j)? To which countries are exports of Hacking Team products prohibited outright? What, if any, license exceptions apply to Hacking Team products? How many requests for export authorization has Hacking Team made to date?

Finally, we take this opportunity to remind you that we have not yet received any reply from Hacking Team to our letter of August 8, 2014. We reiterate the questions raised in that letter, and request that your response to this correspondence address said questions as well.

Thank you in advance for a timely reply.

Sincerely,
Professor Ronald Deibert
Director, The Citizen Lab
Munk School of Global Affairs
University of Toronto

Footnotes

1. Hacking Team, “Customer Policy,” http://www.hackingteam.it/index.php/customer-policy.
2. Bill Marczak, Claudio Guarnieri, Morgan Marquis-Boire, and John Scott-Railton, “Hacking Team and the Targeting of Ethiopian Journalists,” Citizen Lab, February 12, 2014, https://citizenlab.org/2014/02/hacking-team-targeting-ethiopian-journalists/.
3. Hacking Team, “Customer Policy,” http://www.hackingteam.it/index.php/customer-policy.
4. Ibid.
5. Ibid.
6. See United Nations Guiding Principles on Business and Human Rights, 2011, Principle 31, http://www.ohchr.org/Documents/Publications/GuidingPrinciplesBusinessHR_EN.pdf; see also Shift and the Institute for Human Rights and Business, European Commission ICT Sector Guide on Implementing the UN Guiding Principles on Business and Human Rights, June 17, 2013, pp. 73-82, http://shiftproject.org/sites/default/files/ECHRSG.ICT_.pdf.
7. Hacking Team, “Hacking Team Complies With Wassenaar Arrangement Export Controls on Surveillance and Law Enforcement/Intelligence Gathering Tools,” February 25, 2015, available at http://www.hackingteam.it/index.php/about-us (accessed March 4, 2015).
8. Council of the European Union, Council Regulation (EC) No 428/2009 setting up a Community regime for the control of exports, transfer, brokering and transit of dual-use items, May 5, 2009, Article 9, http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2009:134:0001:0269:en:PDF.
9. European Commission, Commission Delegated Regulation (EU) No 1382/2014 of 22 October 2014 amending Council Regulation (EC) No 428/2009 setting up a Community regime for the control of exports, transfer, brokering and transit of dual-use items, OJ L 371, December 30, 2014, pp. 1–212, at Annex, http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:JOL_2014_371_R_0001&from=EN.
10. Ronald Deibert, “Open letter to Hacking Team,” August 8, 2014, https://citizenlab.org/2014/08/open-letter-hacking-team/.


The Citizen Lab

Research Brief

March 2015

Hacking Team Reloaded?

US-Based Ethiopian Journalists Again Targeted with Spyware

Authors: Bill Marczak, John Scott-Railton and Sarah McKune

Media coverage: Washington Post, Motherboard, Associated Press, CPJ, BoingBoing, Boston Globe, Engadget, New Zealand Herald, Miami Herald, CTV News.

Read the statement by Human Rights Watch.

Read our open letter to Hacking Team.

SUMMARY

On February 12, 2014, Citizen Lab published a report[1] documenting how journalists at the Ethiopian Satellite Television Service (ESAT) were targeted by a governmental attacker in December 2013, with what appeared to be Hacking Team’s Remote Control System (RCS) spyware.

This report details the events of November 5 and 10 and December 19, 2014, when the same attacker again targeted ESAT journalists based in the United States with what appear to be two updated versions of Hacking Team’s RCS spyware.

We link the governmental attacker to Ethiopia. The attacker may be the Ethiopian Information Network Security Agency (INSA).[2]

Hacking Team has a customer policy concerning the human rights implications of its products,[3] and claims it investigates and may take action in response to reported cases of abuse.[4] The research findings documented in this report suggest that Hacking Team may have continued to provide updated versions of its spyware to the same attacker, despite reports of use of the spyware against journalists.

INTRODUCTION

In November and December 2014, several Washington DC-based journalists with the Ethiopian Satellite Television Service (ESAT) were targeted, unsuccessfully, with what appear to be two new versions of Hacking Team’s RCS spyware.[5] This report details these attempts to infect the journalists’ computers with RCS and monitor their activity.

Our research suggests the involvement of a governmental attacker that may be the Ethiopian Information Network Security Agency (INSA). Notably, the attacker appears to be the same entity as that involved in a December 2013 attack, also incorporating RCS, against ESAT journalists based in Belgium and the US, on which Citizen Lab previously reported.[6]

Hacking Team (HT) is a Milan-based developer of “offensive security” technology.[7] In its customer policy, Hacking Team encourages direct reporting to the company of apparent misuse of its technology.[8] It further notes that it monitors news for “expressed concerns about human rights abuses by customers or potential customers,” and that when “questions [are] raised about the possible abuse of HT software in human rights cases,” it will investigate and “take appropriate action.”[9]

The November and December 2014 attacks against ESAT, however, call into question the effectiveness of this policy in preventing use of RCS in a manner that undermines human rights. The December 2013 attack on ESAT journalists and Citizen Lab’s research regarding that attack were reported on in the media, including on the front page of the Washington Post.[10] Additionally, the Washington Post,[11] Human Rights Watch,[12] and the Citizen Lab[13] have all contacted Hacking Team about the case.

In spite of these indications to Hacking Team that RCS was deployed against ESAT journalists in December 2013, our current research suggests that Hacking Team RCS software utilized by the attacker remained in operation and received support, at a minimum in the form of software updates, through November 2014.

BACKGROUND

Ethiopian Satellite Television Service[14] is an independent satellite television, radio, and online news media outlet run by members of the Ethiopian diaspora. The service has operations in Alexandria, Virginia, as well as several other countries.[15] ESAT’s broadcasts are frequently critical of the Ethiopian government. Available in Ethiopia and around the world, ESAT has been subjected to jamming from within Ethiopia several times in the past few years.[16] A 2013 documentary shown on Ethiopian state media warned opposition parties against participating in ESAT programming.[17]

The Washington Post says this about ESAT:[18]

"The news service mainly employs journalists who left Ethiopia in the face of government harassment, torture or criminal charges. Though avowedly independent, ESAT is viewed as close to Ethiopia’s opposition forces, which have few other ways of reaching potential supporters."

The Washington Post reports the main concern of ESAT journalists with respect to spyware:[19]

"The biggest fear among journalists is that spies have accessed sensitive contact lists on ESAT computers, which could help the government track their sources back in Ethiopia."

As we note in our previous report, the Committee to Protect Journalists (CPJ) reports that Ethiopia jails more journalists than any other African country besides Eritrea, and says that the Ethiopian government has shut down more than seventy-five media outlets since 1993.[20] CPJ statistics also show that seventy-nine journalists have been forced to flee Ethiopia due to threats and intimidation over the past decade, more than any other country in the world.[21]

A 2013 Human Rights Watch report detailed ongoing torture at Ethiopia’s Maekelawi detention center, the first stop for arrested journalists and protest organizers. Former detainees described how they were “repeatedly slapped, kicked, punched, and beaten,” and hung from the ceiling by their wrists. Information extracted in confession has been used to obtain conviction at trial, and to compel former detainees to work with the government.[22]

TECHNICAL ANALYSIS

The remainder of this report provides detailed analysis of the November and December 2014 attacks on ESAT. First, we examine the December 19, 2014 attack in which ESAT’s Managing Director was targeted with spyware. We explain the links to Hacking Team RCS and Ethiopia. Then, we compare the November and December 2014 attacks on ESAT, and conclude that the attacker’s spyware was likely updated during this period.

December 19, 2014: ESAT’s Managing Director is Targeted

The Managing Director of ESAT, Neamin Zeleke, forwarded us the following e-mail, which he received on December 19, 2014. The e-mail contains a Microsoft Word document attachment, which he reports that he did not open:

Figure 1: Spyware sent to Neamin Zeleke, Managing Director of ESAT, promises information on the upcoming elections.

The attached Word document (u121Du122Du132B 2007.doc) contains an exploit, which appears to be the “Tran Duy Linh” MSComctlLib.Toolbar.2 exploit:[23]

sha256: b2683b3a214cda3f741fe5ff0850e69420d94174852a194ce9fc5f0db05c1633
sha1: 03ae6619c2e6dc93d1d3cd218db337aa797b480a
md5: 91961aad912dc790943a1cb23b6e8297

The exploit drops and executes the following payload:

sha256: 5509462906e832350ea48f37e2e399669214c90b18023c94949036b254f7a681
sha1: f9bebcc72bf7bb51e3e3cbd002bf7f8eea398f2c
md5: f6a793a177447e3cab4108a707db65cd

The payload is a PE executable that appears to be protected with VMProtect, a commercial product for preventing reverse engineering and analysis of executable programs.[24] The payload did not run in any of the virtual machines in which we tested it. We ran the payload on a bare metal sandbox, and observed that it attempted to communicate with the IP address 46.251.239.xxx.[25]

inetnum: 46.251.239.0 - 46.251.239.255
netname: POWERFULLSERVERS-1
descr: POWER FULL SERVERS

Though the contact address for the server is listed in Pakistan, a traceroute shows that it appears to be geographically located in Germany. The payload is signed by the following code signing certificate:

Serial Number: 4fc13d6220c629043a26f81b1cad72d8
Issuer: CN = Certum Level III CA
        OU = Certum Certification Authority
        O = Unizeto Technologies S.A.
        C = PL
Subject: E = [email protected]
         CN = Open Source Developer, meicun ge
         O = Meicun Ge
         C = CN

The signature is reported as valid by Windows:

Figure 2: The spyware is signed by a certificate purportedly issued to “Meicun Ge” in China. Windows accepts the signature as valid.

The following two samples found in VirusTotal are signed by the same certificate:

e5cc130dbea95c78cf88807852fad7dcca3a1d6bd7ec86488b6157ba3451a0c9
299f1f25c268d814a85b37fb36e83b891b094baee95c8b739c04b5c134db84c8

Links to Hacking Team RCS

The spyware sent to ESAT on December 19, 2014, shares the same command and control infrastructure as that utilized in a December 20, 2013 attack against ESAT. The command and control server used in the 2013 attack returned an SSL certificate issued by “RCS Certification Authority” / “HT srl.” Similar SSL certificates were returned by servers registered to Hacking Team.[26] We traced the 2013 server to a broader command and control infrastructure, which includes the server used in the 2014 attacks. Below, we explain how we mapped out this infrastructure by examining SSL certificates shared between servers, and by conducting IPID testing.

In our previous work,[27] we showed that Hacking Team’s clients, which, according to HT, are governments or government agencies,[28] appear to use one or more fixed circuits of “proxy servers” to exfiltrate data from computers infected with RCS, through third countries, before reaching an “endpoint.” The endpoint appeared to represent the spyware’s government operator. Leaked Hacking Team documentation refers to proxies as “anonymizers”[29] and data endpoints as “collectors,”[30] consistent with our understanding.

Figure 3: Hacking Team documentation obtained after our previous work is consistent with our understanding of the architecture of Hacking Team’s hidden infrastructure.[31]

Several RCS servers that we identified in our previous work use a global sequential IPID. If a server has a global sequential IPID, we can measure whether it sends packets during an interval. We sent probes to each RCS server with a global sequential IPID, and measured the value of the IPID before and after each probe. Since this test yielded consecutive IPIDs from each server, we concluded that each RCS server with a global sequential IPID was an endpoint, i.e., it was not sending the probes onward to yet another server.

We then traced proxy servers to these endpoints by sending a probe to each proxy (which each proxy forwarded to its endpoint), and inspected IPID values of each endpoint, before and after each probe, to see which one received our probe and responded to the proxy. If an endpoint received a probe we sent to a proxy, our test would show a gap in the endpoint’s IPID sequence. More details are available in our previous work.[32]
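The two IPID tests just described, as an added model in Ruby that is not Citizen Lab's code: hosts with a global sequential IPID, anonymizers that relay probes to a collector, and a constructed topology labelled with the report's masked addresses. It assumes no background traffic on the hosts; real measurements have to repeat the test to average that noise out.

```ruby
# Added example, not Citizen Lab's code: a model of the IPID tests described in the
# report. A host with a global sequential IPID uses one counter for every packet it
# sends, so two replies we receive from it reveal how many packets it sent in between.
# Assumption: no background traffic; real measurements repeat the test to average it out.
class Host
  attr_reader :name

  def initialize(name, ipid_start, forward_to: nil)
    @name = name
    @ipid = ipid_start
    @forward_to = forward_to # an anonymizer relays to its collector; nil marks an endpoint
  end

  # Send one packet; the IPID it carries is the next counter value.
  def emit
    @ipid += 1
  end

  # A plain measurement packet from us: the host answers and does nothing else.
  def measure
    emit
  end

  # A probe. An anonymizer relays it to its collector (one packet out), the collector
  # answers the anonymizer (one collector packet), then the anonymizer answers us.
  # An endpoint simply answers us. Returns the IPID of the reply we receive.
  def probe
    if @forward_to
      emit
      @forward_to.probe
    end
    emit
  end
end

# Test 1: probe a server and read its IPID just before and just after. Consecutive
# values mean it sent nothing onward, so it is an endpoint (a collector).
def looks_like_endpoint?(host)
  before = host.measure
  reply  = host.probe
  after  = host.measure
  reply == before + 1 && after == reply + 1
end

# Test 2: probe a suspected proxy while watching every known endpoint. The endpoint
# that answered the proxy shows a gap in its IPID sequence; return its name(s).
def endpoint_behind(proxy, endpoints)
  before = endpoints.map { |e| [e, e.measure] }.to_h
  proxy.probe
  endpoints.select { |e| e.measure != before[e] + 1 }.map(&:name)
end

# Run test 1 on every host, then test 2 on each host that is not an endpoint.
def map_infrastructure(hosts)
  endpoints = hosts.select { |h| looks_like_endpoint?(h) }
  (hosts - endpoints).map { |p| [p.name, endpoint_behind(p, endpoints)] }.to_h
end

# Constructed topology modelled on Figure 4, using the report's masked labels:
# one collector behind three anonymizers, plus an unrelated endpoint.
COLLECTOR = Host.new("216.118.233.xxx", 1000)
UNRELATED = Host.new("unrelated-endpoint", 5000)
PROXIES = [
  Host.new("46.251.239.xxx", 200, forward_to: COLLECTOR),
  Host.new("68.233.232.xxx", 300, forward_to: COLLECTOR),
  Host.new("68.233.232.xxx+1", 400, forward_to: COLLECTOR)
].freeze

if $PROGRAM_NAME == __FILE__
  map_infrastructure(PROXIES + [COLLECTOR, UNRELATED]).each do |proxy, targets|
    puts "#{proxy} -> #{targets.join(', ')}"
  end
end
```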

Figure 4: Command and control infrastructure shared between targeted digital attacks conducted against ESAT in December 2013, November 2014, and December 2014.

We used this IPID testing technique on 46.251.239.xxx, the command and control server used in the December 19, 2014 attack on ESAT. The technique showed that 46.251.239.xxx is apparently a proxy for 216.118.233.xxx, an RCS server we had previously identified.

We had previously identified 216.118.233.xxx as an RCS server, as it matched one of our server fingerprints (gleaned from servers registered to Hacking Team)[33] as recently as April 7, 2014, according to Shodan.[34]

Registration records shown in the report for the 216.118.233.xxx range:

VSC Satellite Co. VSC-IPOWN1 (NET-216-118-224-0-1) 216.118.224.0 - 216.118.255.255
Private Customer VSC-ARIAVE (NET-216-118-233-0-1) 216.118.233.0 - 216.118.233.255

Figure 5: The Hacking Team RCS fingerprint matched by 216.118.233.xxx, represented here as a Ruby boolean expression.

```ruby
/HTTP\/1.1 200 OK\r\n(Connection: close\r\n)?Content-Type: text\/html\r\nContent-[lL]ength: [0-9]+\r\n(Connection: close\r\n)?(Server: Apache.*\r\n)?\r\n/ =~ banner and
/Connection: close\r\n/ =~ banner and
/Apache\/2.[0-9].[0-9] \(Unix\) OpenSSL\/1.0.0g Server/ =~ banner
```

Most RCS servers we previously identified have now been updated so they no longer match the fingerprint.

Using our IPID testing technique, we further determined that 68.233.232.xxx/31 are also apparently proxies for the same server, 216.118.233.xxx. The servers 68.233.232.xxx/31[35] returned an SSL certificate, 8bc376be903e5b6d2cb68f2432ed93200bffd428,[36] matching our fingerprint for Hacking Team RCS certificates.[37]

Registration record shown in the report for the 68.233.232.xxx range:

network:Network-Name:Primary Assignments VPS's - 68.233.232.0/24
network:IP-Network-Block:68.233.232.0 - 68.233.232.255
network:Org-Name:Hivelocity Ventures Corp

The same SSL certificate (8bc376be903e5b6d2cb68f2432ed93200bffd428) was returned[38] by 176.74.178.202 and 176.74.178.203. These same servers earlier returned[39] a different SSL certificate, a7c0eacd845a7a433eca76f7d42fc3fedf1bde3c, that matched our fingerprint for Hacking Team RCS certificates. This same SSL certificate (a7c0eacd845a7a433eca76f7d42fc3fedf1bde3c) was returned[40] by 46.4.69.25, the IP address of the proxy associated with the December 20, 2013 attack on ESAT, which as described in our prior report incorporated spyware that appeared to be Hacking Team RCS.[41]

Since the 2013 and 2014 attacks on ESAT share the same command and control infrastructure, it appears that both attacks were carried out by the same attacker(s). Figure 4 summarizes the explanation above.

Links to Ethiopian Government and INSA

The same e-mail address used in the December 19, 2014 attack on ESAT, [email protected], was used on June 30, 2014, to unsuccessfully target ESAT, as well as Dr. Berhanu Nega, Associate Professor of Economics at Bucknell University.[42] We could not identify the type of spyware used in the June 30 attack or find any related samples, so we do not study it further in this report. However, our analyses identified that servers at 216.118.233.252[43] and 197.156.68.130 were part of its command and control infrastructure.[44] The former is in the same /28 as 216.118.233.xxx, the Hacking Team RCS server we identified above. 197.156.68.130 is registered to Ethio Telecom, Ethiopia’s state-owned telecommunications company.

Since both the December 19, 2014 attack and the June 30, 2014 attack were launched from the same e-mail address, the attacker in both cases appears to be the same. Since the second attack is linked to an Ethio Telecom address, the attacker appears to be linked to Ethiopia.
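Returning to the Figure 5 fingerprint, here is an added Ruby example (not the report's own code) that applies the same three clauses, reassembled from the figure text, to constructed HTTP banners and reports which clause a banner fails, so that a reader can see why a server that has been updated stops matching. The banners are invented for the demonstration, not captured from any server.

```ruby
# Added example, not Citizen Lab's code: the Figure 5 fingerprint split into its three
# clauses so a failing clause can be named. The regular expressions are the figure's.
RCS_CLAUSES = {
  "response shape" => /HTTP\/1.1 200 OK\r\n(Connection: close\r\n)?Content-Type: text\/html\r\nContent-[lL]ength: [0-9]+\r\n(Connection: close\r\n)?(Server: Apache.*\r\n)?\r\n/,
  "connection close" => /Connection: close\r\n/,
  "server string" => /Apache\/2.[0-9].[0-9] \(Unix\) OpenSSL\/1.0.0g Server/
}.freeze

# Same boolean as Figure 5: a banner matches only if every clause matches.
def rcs_fingerprint?(banner)
  RCS_CLAUSES.values.all? { |re| re.match?(banner) }
end

# Names of the clauses a banner does not satisfy (empty for a full match).
def failing_clauses(banner)
  RCS_CLAUSES.reject { |_, re| re.match?(banner) }.keys
end

# Constructed banners (not captured data). The first has the shape the fingerprint
# expects; the second is the same server after an update that changes the Server
# header; the third is an ordinary Apache response with extra headers.
MATCHING_BANNER = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 0\r\n" \
                  "Connection: close\r\nServer: Apache/2.2.3 (Unix) OpenSSL/1.0.0g Server\r\n\r\n"
UPDATED_BANNER  = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 0\r\n" \
                  "Connection: close\r\nServer: Apache/2.4.10 (Unix) OpenSSL/1.0.1e Server\r\n\r\n"
GENERIC_APACHE  = "HTTP/1.1 200 OK\r\nDate: Mon, 02 Mar 2015 10:00:00 GMT\r\n" \
                  "Server: Apache/2.4.7 (Ubuntu)\r\nContent-Type: text/html; charset=UTF-8\r\n" \
                  "Content-Length: 12\r\nConnection: close\r\n\r\n"

if $PROGRAM_NAME == __FILE__
  { "matching" => MATCHING_BANNER, "updated" => UPDATED_BANNER, "generic" => GENERIC_APACHE }.each do |label, banner|
    puts "#{label}: match=#{rcs_fingerprint?(banner)} failing=#{failing_clauses(banner).inspect}"
  end
end
```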

An individual not affiliated with ESAT was successfully infected by the same attacker[45] in January 2014. The victim noted ongoing unauthorized access to one of his GMail accounts from 216.118.233.250,[46] most recently in October 2014. The attacker may have stolen the victim’s GMail credentials with the spyware. After identifying the unauthorized accesses, the victim changed his password.

Figure 6: The GMail account of an individual infected by the same attacker was accessed from an IP address that hosted a computer called “INSA-PC.” Google incorrectly geolocates the address in France.

We noted that 216.118.233.250 identified itself as “INSA-PC” to Internet scanning service Shodan.[47]


Figure 7: Shodan recorded that a computer at IP address 216.118.233.250 identified itself as “INSA-PC” as recently as December 2, 2014.

In summary, the entity that attacked ESAT on December 19, 2014, appears to be a government, since they apparently employed Hacking Team RCS, and Hacking Team states that it provides its “software only to governments or government agencies.”[48] The attacker is linked to Ethiopia via an Ethio Telecom address. The attacker also apparently controls a computer called INSA-PC, because (a) the GMail account of an individual infected by the attacker was accessed from the same IP address as INSA-PC, and (b) INSA-PC is located in between two other addresses known to be associated with this attacker. In relation to the Ethiopian Government, the acronym “INSA” refers to the Ethiopian Information Network Security Agency (INSA).[49] Thus, this agency may be behind the attack on ESAT. Interestingly, INSA’s website carries a syndicated security alert about Hacking Team RCS, with tips on how to avoid being infected.[50]

A report by Human Rights Watch[51] suggests that targeting media organizations is within the purview of INSA:

    One individual who was working with Egyptian-owned Nilesat on an unrelated technical issue told Human Rights Watch that individuals from INSA came and visited him in late 2010 to find the upload frequencies for Nilesat because they wanted to “jam one foreign station.”


Attacks on November 5 and 10, 2014

For completeness, we report on the November 5 and 10 attacks on ESAT. ESAT journalists received the following e-mails on November 5, 2014 and November 10, 2014:

Figure 8: November 10, 2014 spyware e-mail implores “Please save our dad from execution in Ethiopia.”

Figure 9: November 5, 2014 spyware e-mail promises a “Seminar of interest.”


Both e-mails carry the same two attachments, though under different filenames. The two attachments are Microsoft Word documents with exploits. In addition to the “Tran Duy Linh” exploit apparently used in the December 19, 2014 attack, this attack also appears to make use of a CVE-2010-3333 exploit:

    sha256: 47f9a2daa161eeb0f7c88af92d3b346ee140ffbb0c310d0e6fbc7c91d42faace
    sha1: b39dcf93c88d202a582ab4a589cacae3e5d6650c
    md5: 4faeaed1065815e40bc7c4d9b943f439
    Filename 1: Seminar Anti G7 Movement.doc
    Filename 2: Please save our dad from execution.doc
    Exploit: “Tran Duy Linh” MSComctlLib.Toolbar.2 exploit; no known CVE

    sha256: af6137a1fe785cc865ea5ba2310cb81b4c6996f224dda2425d0c5b6995983e3d
    sha1: 519bb2b2c3d0c7e67be735c4d384d832fcc89d67
    md5: 3a7ef9a8c216bcdbbfecef934196d9c1
    Filename 1: change of email address.doc
    Filename 2: masreja.com ዌብሳይት ጥያቄ ኣስነሳ.doc
    Exploit: CVE-2010-3333; this particular exploit seems to require at least Office 2010

Both exploits drop and execute the following payload:

    sha256: 84f87c6d85211fe7c7f7fb1321e7f4db917bc6a7f2e51b7a8357fb4351b5a58d
    sha1: 669246636ec6e3422a81ee2cb77c78c8420f9006
    md5: b7f54924450ae0675ce67c5edad1f243

As in the December 19, 2014 attack, the payload is a PE executable that appears to be protected with VMProtect. We ran the payload on a bare metal sandbox, and observed that it attempted to communicate with 46.251.239.xxx, the same IP address as that involved in the December 19, 2014 attack. As described above, this IP address is linked to Hacking Team RCS, and a government attacker linked to Ethiopia.


The payload is signed by the following code signing certificate:

    Serial Number: 55086d0b1a4ee0e271f82dccc75233cb
    Issuer:  CN = COMODO Code Signing CA 2, O = COMODO CA Limited, L = Salford, S = Greater Manchester, C = GB
    Subject: CN = Jagdeependra, OU = tech, O = Jagdeependra, STREET = r/o sehi kala, L = chirwa, S = rajasthan, PostalCode = 333026, C = IN

Evasion of Detekt as a mechanism to determine latest RCS version used by attacker

On November 19, 2014,[52] security researcher Claudio Guarnieri released his Detekt[53] tool, which scans a computer’s memory to check for active FinFisher and Hacking Team RCS spyware infections. Since we have samples sent to ESAT before and after that date, we examined each sample against Detekt.

Pre-Detekt RCS samples successfully detected

Detekt is able to successfully identify an infection resulting from the samples sent on November 5 and 10, 2014. The following rules, which search for humorous strings present in RCS, successfully detect this infection:

    $lookma1 = /(O)wning PCI bus/ wide
    $lookma2 = /(F)ormatting bios/ wide
    $lookma3 = /(P)lease insert a disk in drive A:/ wide
    $lookma4 = /(U)pdating CPU microcode/ wide
    $lookma5 = /(N)ot sure what's happening/ wide
    $lookma6 = /(L)ook ma, no thread id\! \\\\o\// wide

Figure 10: Some patterns used by Detekt to find Hacking Team RCS spyware infections.


Post-Detekt RCS samples are not detected

However, Detekt fails to detect an infection resulting from the sample sent on December 19, 2014, as these strings are not present. The absence of the strings is indicative of an update to the software from Hacking Team in response to Detekt. According to leaked Hacking Team RCS documentation, installation of RCS updates requires a user license file from the company.[54] Moreover, Hacking Team states that without its continued support to a client, its product “soon becomes useless.”[55]
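The pre/post comparison above rests on a plain string signature. As an added example (not Detekt's own code and not from the report), the Python below reproduces the gist of the Figure 10 check: the six strings are searched for in their UTF-16LE (“wide”) form over constructed memory images, one carrying the strings as the November samples did, one stripped of them as the December 19 sample was, and one holding a string in plain ASCII to show what a wide-only rule misses. The rule condition (any single hit counts) is an assumption, since Figure 10 shows only the strings.

```python
import re

# Literal forms of the six Figure 10 patterns. In the YARA rules the first letter sits in
# a regex group, a no-op for matching, presumably so the plain literal is absent from the
# scanner's own memory image; "wide" means the string is matched in UTF-16LE, the form in
# which Windows binaries usually store user-facing text.
RCS_STRINGS = {
    "lookma1": "Owning PCI bus",
    "lookma2": "Formatting bios",
    "lookma3": "Please insert a disk in drive A:",
    "lookma4": "Updating CPU microcode",
    "lookma5": "Not sure what's happening",
    # Figure 10 escapes this one as \\\\o\/, i.e. two backslashes before the "o".
    "lookma6": "Look ma, no thread id! \\\\o/",
}


def wide(text):
    """YARA's 'wide' modifier: the string encoded as UTF-16LE."""
    return text.encode("utf-16-le")


def scan_memory(image):
    """Return {rule_name: [byte offsets]} for each Figure 10 string found in an image."""
    hits = {}
    for name, literal in RCS_STRINGS.items():
        offsets = [m.start() for m in re.finditer(re.escape(wide(literal)), image)]
        if offsets:
            hits[name] = offsets
    return hits


def detekt_style_verdict(image):
    """Treat any single string hit as an infection. The rule's condition is not shown
    in Figure 10, so 'any of them' is an assumption made for this example."""
    return bool(scan_memory(image))


# Constructed stand-ins for process memory; no real sample bytes are used. The first
# carries two of the strings the way the November 5 and 10 samples did, the second has
# had them removed, as in the December 19 sample, and the third carries one string in
# plain ASCII to show that a 'wide'-only rule does not see it.
FILLER = bytes(range(256)) * 4
PRE_DETEKT_IMAGE = (FILLER + wide("Owning PCI bus") + FILLER
                    + wide("Not sure what's happening") + FILLER)
POST_DETEKT_IMAGE = FILLER + wide("Updating driver database") + FILLER
ASCII_ONLY_IMAGE = FILLER + b"Owning PCI bus" + FILLER

if __name__ == "__main__":
    for label, image in [("pre-Detekt", PRE_DETEKT_IMAGE),
                         ("post-Detekt", POST_DETEKT_IMAGE),
                         ("ascii-only", ASCII_ONLY_IMAGE)]:
        verdict = "infected" if detekt_style_verdict(image) else "clean"
        print(label, verdict, scan_memory(image))
```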

A Timeline of ESAT and Hacking Team

The latest attacks are part of an ongoing campaign against ESAT that stretches back to at least December 20, 2013. We provide a brief timeline of the attacks below:

• December 20, 2013 -- ESAT journalists targeted with what appears to be Hacking Team spyware
• February 11, 2014 -- ESAT journalists targeted with what appears to be Hacking Team spyware
• February 12, 2014 -- Citizen Lab and Washington Post reveal that ESAT journalists in the US and Belgium were targeted with what appears to be Hacking Team spyware
• Between approximately February 12 - 17, 2014, and March 25 - 31, 2014 -- We observe no activity on the Ethiopian Hacking Team infrastructure
• Between April 7, 2014 - April 16, 2014 -- Ethiopia's Hacking Team servers apparently get an update[56]
• November 5, 2014 -- ESAT journalists targeted with what appears to be Hacking Team spyware
• November 10, 2014 -- ESAT journalists targeted with what appears to be Hacking Team spyware
• December 19, 2014 -- ESAT journalists targeted with what appears to be Hacking Team spyware

Figure 11: Timeline of Hacking Team spyware-related activity by governmental attacker linked to Ethiopia.

CONCLUSION

Dissidents and others fleeing repressive regimes have long found a degree of protection by seeking refugee status in the West. Throughout the 20th century refugees from political persecution have established thriving diaspora communities where they have been able to continue their activity without fear of physical persecution. For at least as long, the security services from the countries they left have attempted to monitor and sometimes interfere with their activities.

We have documented a year-long campaign of spyware attacks against journalists at ESAT, using what appears to be Hacking Team’s RCS spyware. Many of the journalists targeted in these attacks are legally considered US persons, and located in the US.

In its customer policy, Hacking Team notes:

    "[I]n HT contracts, we require customers to abide by applicable law. We reserve the right in our contracts to suspend support for our software if we find terms of our contracts are violated. If we suspend support for HT technology, the product soon becomes useless."

    "We will refuse to provide or we will stop supporting our technologies to governments or government agencies . . . who refuse to agree to or comply with provisions in our contracts that describe intended use of HT software, or who refuse to sign contracts that include requirements that HT software be used lawfully."[57]

The policy suggests that Hacking Team will cease support for its technology when a client violates terms of its contract by failing to abide by applicable law. The lawfulness of government targeting of individuals based in the US with spyware, however, is in question; for example, a lawsuit brought by a US citizen against the government of Ethiopia in February 2014 claims that such actions violated the US Wiretap Act [18 U.S. Code § 2511(1)(a)].[58]

Hacking Team has also publicly stated that they investigate abuses reported in the press and sometimes take action:

    “... we have investigated cases either discovered internally or reported in the press that suggest abuse. We can and have taken action in such cases, however, we consider the results of our investigations and the actions we take based on them to be confidential.”[59]


Our 2014 report documenting the abusive use of RCS against journalists received widespread media coverage, and both the Washington Post[60] and Human Rights Watch[61] corresponded with Hacking Team about our findings, and received specific responses.

In the wake of our 2014 reporting, we also sent an August 2014 open letter to Hacking Team, which inquired, inter alia, about investigation by the company into the reported misuse of the software against Ethiopian journalists in the United States.[62] We posed further questions about their due diligence and accountability mechanisms, while applauding their efforts to incorporate human rights considerations into their customer policy. We have yet to receive a reply to this letter.

Despite the aforementioned public reports and correspondence, this report shows that the same attacker appeared to be receiving updated versions of the RCS spyware from Hacking Team as recently as November 2014.

Citizen Lab is sending an open letter to Hacking Team, providing a copy of this report and highlighting our reasons for concern from these latest findings. Hacking Team has recently announced that it is “complying fully”[63] with export controls adopted within the framework of the Wassenaar Arrangement, which includes language covering “intrusion software.”

Still, our findings suggest continued reasons for concern about the effectiveness of the mechanisms Hacking Team has in place to ensure respect for human rights in the use of their products.

ACKNOWLEDGEMENTS

Thanks to ESAT, Irene Poetranto, Adam Senft, the Electronic Frontier Foundation, and Nicholas Weaver.

FOOTNOTES

[1] Bill Marczak, Claudio Guarnieri, Morgan Marquis-Boire, and John Scott-Railton, “Hacking Team and the Targeting of Ethiopian Journalists,” Citizen Lab, February 12, 2014, https://citizenlab.org/2014/02/hacking-team-targeting-ethiopian-journalists/.
[2] http://www.insa.gov.et/.
[3] Hacking Team, “Customer Policy,” http://www.hackingteam.it/index.php/customer-policy.
[4] Citizen Lab, 2014, “Open Letter to Hacking Team,” https://citizenlab.org/2014/08/open-letter-hacking-team/.
[5] Hacking Team, “The Solution,” http://www.hackingteam.it/index.php/remote-control-system.
[6] Bill Marczak, Claudio Guarnieri, Morgan Marquis-Boire, and John Scott-Railton, “Hacking Team and the Targeting of Ethiopian Journalists,” Citizen Lab, February 12, 2014, https://citizenlab.org/2014/02/hacking-team-targeting-ethiopian-journalists/.
[7] Hacking Team, “About Us,” http://www.hackingteam.it/index.php/about-us.
[8] Hacking Team, “Customer Policy,” http://www.hackingteam.it/index.php/customer-policy.
[9] Id.
[10] Craig Timberg, “Spyware lets regimes target U.S.-based journalists,” Washington Post, February 13, 2014, http://www.washingtonpost.com/wp-srv/tablet/20140213/A01_SU_EZ_DAILY_20140213.pdf.
[11] Craig Timberg, “Foreign regimes use spyware against journalists, even in U.S.,” Washington Post, February 12, 2014, http://www.washingtonpost.com/business/technology/foreign-regimes-use-spyware-against-journalists-even-in-us/2014/02/12/9501a20e-9043-11e3-84e1-27626c5ef5fb_story.html.
[12] Human Rights Watch, “They Know Everything We Do - Appendix 2: Correspondence,” March 25, 2014, http://www.hrw.org/node/123976/section/12.


[13] Citizen Lab, 2014, “Open Letter to Hacking Team,” https://citizenlab.org/2014/08/open-letter-hacking-team/.
[14] http://ethsat.com.
[15] Id.
[16] “ESAT Accuses China of Complicity in Jamming Signals,” Ethiopian Satellite Television, June 15, 2011, accessed February 13, 2014, http://ethsat.com/2011/10/08/esat-accuses-china-of-complicity-in-jamming-signals.
[17] “UDJ Says Expressing Opinion to Media is Not ‘Terror’,” Ethiopian Satellite Television, January 9, 2013, accessed February 13, 2014, http://ethsat.com/2014/01/09/udj-says-expressing-opinion-to-media-is-not-terror.
[18] Craig Timberg, “Foreign regimes use spyware against journalists, even in U.S.,” Washington Post, February 12, 2014, http://www.washingtonpost.com/business/technology/foreign-regimes-use-spyware-against-journalists-even-in-us/2014/02/12/9501a20e-9043-11e3-84e1-27626c5ef5fb_story.html.
[19] Id.
[20] “Ethiopia Arrests 2 Journalists From Independent Paper,” Committee to Protect Journalists, November 5, 2013, accessed February 13, 2014, http://www.cpj.org/2013/11/ethiopia-arrests-2-journalists-from-independent-pa.php.
[21] “Ethiopia,” Human Rights Watch, accessed February 13, 2014, http://www.hrw.org/world-report/2013/country-chapters/ethiopia.
[22] “They Want a Confession,” Human Rights Watch, October 17, 2013, accessed February 13, 2014, http://www.hrw.org/node/119814/section/2.
[23] Malware Tracker Blog, “Tomato Garden Campaign: Part 2 - An Old “New” Exploit,” June 7, 2013, http://blog.malwaretracker.com/2013/06/tomato-garden-campaign-part-2-old-new.html. This exploit was first observed employed against “Tibet and China Democracy activists.”
[24] http://vmpsoft.com/.
[25] We redact the last octet of any IP address that we suspect is an active spyware server.
[26] Bill Marczak, Claudio Guarnieri, Morgan Marquis-Boire, and John Scott-Railton, “Hacking Team and the Targeting of Ethiopian Journalists,” Citizen Lab, February 12, 2014, https://citizenlab.org/2014/02/hacking-team-targeting-ethiopian-journalists/.
[27] Bill Marczak, Claudio Guarnieri, Morgan Marquis-Boire, and John Scott-Railton, “Mapping Hacking Team’s Untraceable Spyware,” Citizen Lab, February 17, 2014, https://citizenlab.org/2014/02/mapping-hacking-teams-untraceable-spyware/.
[28] Hacking Team, “Customer Policy,” http://www.hackingteam.it/index.php/customer-policy.
[29] “Anonymizer” is defined on page x of the Hacking Team manual RCS 9: System Administrator’s Guide as “Protects the server against external attacks and permits anonymity during investigations. Transfers agent data to Collectors.” https://s3.amazonaws.com/s3.documentcloud.org/documents/1348001/rcs-9-sysadmin-final.pdf.
[30] “Collector” is defined on page xi of the Hacking Team manual RCS 9: System Administrator’s Guide as “Receives data sent by agents directly or through the Anonymizer chain.” https://s3.amazonaws.com/s3.documentcloud.org/documents/1348001/rcs-9-sysadmin-final.pdf.
[31] Hacking Team, “RCS 9: System Administrator’s Guide,” https://s3.amazonaws.com/s3.documentcloud.org/documents/1348001/rcs-9-sysadmin-final.pdf.
[32] Page 8 of Bill Marczak, Claudio Guarnieri, Morgan Marquis-Boire, and John Scott-Railton, “Mapping Hacking Team’s Untraceable Spyware,” Citizen Lab, February 17, 2014, https://citizenlab.org/2014/02/mapping-hacking-teams-untraceable-spyware/.
[33] https://github.com/citizenlab/spyware-scan/blob/master/ht/http/sonar-http/sonar-http.rb#L24-L32.
[34] http://www.shodanhq.com/host/view/216.118.233.xxx.
[35] This is based on data from the Sonar SSL scans, available at: https://scans.io/study/sonar.ssl; between March 31, 2014, and April 7, 2014.
[36] SSL certificates in this report are identified by their SHA1 fingerprint.


[37] https://github.com/citizenlab/spyware-scan/blob/master/ht/ssl/sonar-ssl/sonar-ssl.rb#L33-L47.
[38] This is based on data from the Sonar SSL scans, available at: https://scans.io/study/sonar.ssl; on March 31, 2014.
[39] Id. Between October 13, 2012, and February 10, 2014.
[40] Id. Between October 30, 2013, and January 20, 2014.
[41] Bill Marczak, Claudio Guarnieri, Morgan Marquis-Boire, and John Scott-Railton, “Hacking Team and the Targeting of Ethiopian Journalists,” Citizen Lab, February 12, 2014, https://citizenlab.org/2014/02/hacking-team-targeting-ethiopian-journalists/.
[42] http://www.bucknell.edu/x45100.xml.
[43] Different from 216.118.233.xxx.
[44] The spyware only attempted direct communication with 46.4.128.158 and 78.46.234.155. These two IPs returned a highly distinctive self-signed Google SSL certificate (25b734a9170e683bd05d66a7d3d8502232bb6b5f). The only other IPs in /0 that returned this certificate were 216.118.233.252 and 197.156.68.130. Thus we assume these two IPs are part of the spyware’s command and control infrastructure.
[45] We judged the attacker to be the same since the infection communicated with 46.4.69.25. The infection appeared to be Hacking Team RCS.
[46] Different from 216.118.233.xxx.
[47] https://www.shodan.io/host/216.118.233.250.
[48] Hacking Team, “Customer Policy,” http://www.hackingteam.it/index.php/customer-policy.
[49] http://www.insa.gov.et/.
[50] Ethio-CERT, “Legal Spyware Works on Both Android and iOS,” http://ethiocert.insa.gov.et/web/guest/news/-/asset_publisher/nU0q/content/legal-spyware-works-on-android-and-ios.
[51] Human Rights Watch, “‘They Know Everything We Do’: Telecom and Internet surveillance in Ethiopia,” March 2014, https://www.hrw.org/sites/default/files/reports/ethiopia0314_ForUpload_0.pdf.
[52] https://twitter.com/botherder/status/535252116622041088.
[53] https://github.com/botherder/detekt.
[54] Page 13 of the Hacking Team manual RCS 9: System Administrator’s Guide, https://s3.amazonaws.com/s3.documentcloud.org/documents/1348001/rcs-9-sysadmin-final.pdf.
[55] Hacking Team, “Customer Policy,” http://www.hackingteam.it/index.php/customer-policy.
[56] The last time Shodan recorded the servers matching our old scanning fingerprint was April 7 (http://www.shodanhq.com/host/view/216.118.233.xxx). The April 16 Sonar HTTP scan did not record the fingerprint (https://scans.io/study/sonar.http), yet the server continued to be reachable. The disappearance of this HTTP fingerprint is consistent with behavior we saw on other RCS servers.
[57] Hacking Team, “Customer Policy,” http://www.hackingteam.it/index.php/customer-policy.
[58] Electronic Frontier Foundation, “Kidane v. Ethiopia,” https://www.eff.org/document/complaint-32.
[59] Citizen Lab, 2014, “Open Letter to Hacking Team,” https://citizenlab.org/2014/08/open-letter-hacking-team/.
[60] Craig Timberg, “Foreign regimes use spyware against journalists, even in U.S.,” Washington Post, February 12, 2014, http://www.washingtonpost.com/business/technology/foreign-regimes-use-spyware-against-journalists-even-in-us/2014/02/12/9501a20e-9043-11e3-84e1-27626c5ef5fb_story.html.
[61] Human Rights Watch, “They Know Everything We Do - Appendix 2: Correspondence,” March 25, 2014, https://www.hrw.org/node/123976/section/12.
[62] Citizen Lab, 2014, “Open Letter to Hacking Team,” https://citizenlab.org/2014/08/open-letter-hacking-team/.
[63] Hacking Team, “About Us,” http://www.hackingteam.com/index.php/about-us.


Giulio Regeni: “I fear I have been put on file; the person who photographed me was not a reporter”

The last message from the researcher killed in Cairo to a friend. Meanwhile the autopsy reveals: 20 fractures on his body and no electric shocks to the genitals

GRAZIA LONGO 26/02/2016

ANSA

Yesterday, in front of the Egyptian embassy in Rome, the sit-in demanding the truth about the death of Giulio Regeni

ROME

Not only tormented with slow, prolonged torture, but insulted even after death. The whirl of misdirection by Egyptian investigators and government figures about the dramatic end of Giulio Regeni, one month after his abduction on January 25, shows no sign of stopping. The most disparate and outrageous theories are circulating: victim of a road accident or of a personal vendetta, close to the world of drug dealers, homosexual. All false. All unfounded. No element, by contrast, emerges from Cairo on the political trail in the killing of the Cambridge University researcher, most likely suspected of being a British spy because of his inquiries into the independent trade-union world opposed to the Al Sisi regime. That trail is instead supported by the examination of his computer, the only real, concrete element in the hands of our investigators. “I don’t want to sound paranoid, but I’m afraid I’ve been put on file,” Giulio wrote in an e-mail to a friend a few days after the heated union meeting of dissident street vendors on December 11. A concern that is also borne out by the testimony that two fellow researchers gave to the prosecutor in charge of the investigation, Sergio Colaiocco, during questioning at the Rome prosecutor’s office. On that occasion the young men described Giulio’s fear after he noticed that he had been photographed during that invitation-only meeting. “He was neither a reporter nor a street vendor nor a union organiser,” the young man from Friuli had explained to his friends. Hence the fear of having been targeted by someone close to the police apparatus. By someone who wanted to document his participation, his attention to the dissident circles close to the Muslim Brotherhood. By someone who wanted, precisely, to “put him on file,” as he himself confided to a friend by e-mail. The material on the computer is rich and detailed: the forensic police are analysing it meticulously, and it is likely to reveal a great deal about Giulio’s research on behalf of the University of Cambridge, where he was a doctoral student, and the American University in Cairo, where he was a visiting scholar. All the other data indispensable to the investigation (video, phone records, statements) instead remain in Egyptian hands. Guarded better than in a safe. At present, despite the political pressure from Foreign Minister Paolo Gentiloni, the investigative team of Carabinieri from the Ros and the police officers from the Sco on assignment in Cairo have received nothing. Not even the report of the first autopsy carried out in Egypt which, according to leaks from Cairo, would differ in several respects from the one carried out at La Sapienza University by Professor Vittorio Fineschi. The results of the more in-depth tests have yet to be filed; meanwhile some leaks reveal that there are not seven but more than twenty fractures on the Friulian researcher’s remains. Fractured hands, feet, arms, legs and shoulder blades. Evidence of brutal, prolonged abuse to extort secrets that poor Giulio did not possess. Electric shocks to the genitals, on the other hand, have been ruled out. But why then did the Egyptians insist on this point? Perhaps to lend credence to a punishment conceived in homophobic circles? Nothing could be more false. Giulio Regeni did not use drugs and suffered greatly before losing his life, between January 30 and 31.

A fingernail and a toenail were torn out, the upper parts of his ears were cut off, and numerous cuts (with an awl or a box cutter) were inflicted on his chest, arms, legs and the soles of his feet. On one thigh there is a mark consistent with a cigarette burn. Who did all this remains a mystery. And so that the truth is not buried, yesterday afternoon a delegation from Amnesty International Italia met the Egyptian ambassador in Rome. But the mystery, beyond the diplomatic embarrassment over Cairo’s scant cooperation, remains unsolved.


Foreign News

Regeni case, the Rome prosecutors: “Killed for his research by professionals of torture”

(ansa)

Leaks from sources inside the Prosecutor’s Office. All the reconstructions offered by Cairo ruled out. A copy of the passwords requested in order to access the researcher’s accounts

26 February 2016

ROME. Giulio Regeni was killed by professionals of torture, people skilled in cruelty. From the Rome prosecutor’s office comes a tombstone for the alternative reconstructions provided by Egypt for the death of the Italian researcher. Not a street crime, not a road accident, not even a drug-related killing.

The direction the investigation is taking is revealed by leaks from inside the prosecutor’s office, since an official position is still lacking. But the line is clear: the motive for the murder of the 28-year-old Friulian researcher, as has already emerged, is to be sought in the sphere of his study activity in Egypt.

According to the Rome prosecutor’s office, all the hypotheses that have filtered out of Egypt in recent weeks, according to which Giulio Regeni was killed by street criminals or over a matter linked to the young man’s relationships in the Cairo neighbourhood where he lived, are to be ruled out. The fact that he was tortured would moreover rule out the street-crime trail.

On the basis of the evidence gathered so far, prosecution sources explain, it can be stated that Regeni led a fairly secluded life in Cairo, had had no contact with dubious people, and that his acquaintances and associations were limited to the university environment. Moreover, the first results of the toxicology tests would show that Regeni did not use drugs.

Nor do any links emerge between Giulio Regeni and intelligence services, still less any sign that the data collected in the course of his research left the university environment.

On the technical front, the Rome prosecutor’s office has requested the passwords for some of Regeni’s profiles from the social network operators, but is still waiting to receive this information. Through access to these platforms, investigators could in fact acquire the GPS data linked to Regeni’s phone, which has never been found. The request comes in the heated days of the controversy over the FBI’s demand to unlock the San Bernardino killer’s iPhone and of Facebook’s go-ahead for Italian investigators’ access to the account of Matteo Messina Denaro’s sister.

Meanwhile, the full results of the autopsy carried out by Professor Vittorio Fineschi are expected at the prosecutor’s office next week.