By Elias Hazou
The Cyprus Intelligence Service (KYP) has declined to comment on revelations that the agency apparently purchased phone surveillance tech from a manufacturer with a poor reputation among privacy advocates.
On Monday the Sigmalive online news portal published a photocopy of an invoice made out to KYP for the purchase of such technology.
The €35,000 invoice is dated December 1, 2014, and made out to the Cyprus Intelligence Service. It lists the items as “Android Platform,” “No.5 Agents Software License,” “Physical Infection Vectors,” and “Remote Mobile Infections.”
The issuer of the invoice is “HT Srl,” short in Italian for “HT, Società a responsabilità limitata,” or HT Ltd.
It is the designation used by Hacking Team, an Italian company that sells intrusion and surveillance tools to governments and law enforcement agencies. Reporters Without Borders has listed the Italian firm on its Enemies of the Internet index due largely to Hacking Team’s business practices and their primary surveillance tool Da Vinci.
The local angle follows on from a reveal that has made news headlines abroad.
The invoice forms part of the contents of a 400GB torrent file leaked by hackers after they attacked Hacking Team on Sunday evening. The torrent file exposes company invoices, internal documents, source code and email communications to the public at large.
Several countries other than Cyprus are listed as customers.
In a written statement, KYP head Andreas Pentaras said only that the agency does not comment on matters touching on national security.
All of KYP’s actions are in accordance with the constitution, the laws and fully respect human rights, the statement added.
Dino Pastos, a network security analyst, has been tracking the Hacking Team story since it broke.
From information trickling down to him on an hour-to-hour basis, he said that company invoices relating to Cyprus appear to total some €325,000 so far.
The platform suite listed on the invoice published by Sigmalive actively intercepts communications and data on smart phones and tablets, “and pretty much any device connected to the Internet,” Pastos told the Cyprus Mail.
Infected smart phones would have to be factory reset to get rid of the malicious software, he added.
Other invoices he has seen, from the leaked torrent file, relate to exploits on the Windows operating system. These are currently undetectable by anti-virus software.
“The key question is, of course, what KYP is using this technology for,” said Pastos.
“This being a global issue, I’d like to know how the EU’s legal framework will react.”
Pastos will be posting new information as it becomes available to him on his Facebook page, Dino Pastos.
Meanwhile, MP Demetris Syllouris on Tuesday publicised a letter he has addressed to the justice minister relating to the alleged eavesdropping on phone lines in Cyprus by the US’ National Security Agency (NSA) and the BND, Germany’s foreign intelligence agency.
According to Syllouris, he personally attended a session of the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE) that took place on May 28 and 29 this year.
At that session, claimed Syllouris, one of the participants spoke of a priority surveillance list jointly drafted by the NSA and the BND. The list included three phone number batches in Cyprus which were being monitored for the benefit of the NSA.
In his letter, Syllouris asks the justice minister whether authorities here are aware of this, and whether they have given permission for the eavesdropping.
In case the ministry is not informed on the matter, Syllouris asked how authorities are planning to handle it.
Later in the day, KYP’s Pentaras released a short statement:
“Regarding reports surfacing about the monitoring of communications in Cyprus by foreign intelligence agencies, I wish to categorically state that KYP has no knowledge or relation to this matter. In any case, KYP will appropriately investigate.”