The Cyprus Intelligence Service (KYP) on Wednesday confirmed that it had “in accordance with established practice” strengthened operations with new technical equipment, “following all legal and prescribed procedures”.
The agency had on Tuesday declined to comment on revelations that it had apparently purchased phone surveillance tech from a manufacturer with a poor reputation among privacy advocates. Sigmalive online news portal published a photocopy of an invoice made out to KYP for the purchase of such technology.
The €35,000 invoice is dated December 1, 2014, and made out to the Cyprus Intelligence Service. The sale lists the items as “Android Platform,” “No.5 Agents Software License,” Physical Infection Vectors,” and “Remote Mobile Infections.”
The issuer of the invoice is “HT Srl,” short in Italian for “HT, Società a responsabilità limitata,” or HT Ltd.
It is the designation used by Hacking Team, an Italian company that sells intrusion and surveillance tools to governments and law enforcement agencies. Reporters Without Borders has listed the Italian firm on its Enemies of the Internet index due largely to Hacking Team’s business practices and their primary surveillance tool Da Vinci.
The local angle follows on from a reveal that has made news headlines abroad.
The invoice forms part of the contents of a 400GB torrent file leaked by hackers after they attacked Hacking Team on Sunday evening. The torrent file features company invoices, internal documents, source code and email communications to the public at large.
Several countries other than Cyprus are listed as customers.
In a written statement, KYP head Andreas Pentaras said only that the agency does not comment on matters touching on national security.
All of KYP’s actions are in accordance with the constitution, the laws and fully respect human rights, the statement added.
In Wednesday’s statement Pentaras said: “This technology is used solely within the national security remit of KYP and the need and importance of maintaining a reliable operational intelligence service due to the circumstances caused by the [Turkish] occupation, but due to modern-day asymmetric threats resulting from the instability in our region.”
He said the recent actions of KYP in tackling international terrorism was self-evident. He was referring to the recent imprisonment of a Lebanese-Canadian man, with links to Hezbollah, who was found in possession of five tones of ammonium nitrate in Larnaca.
“KYP understands and fully respects the need for transparency and accountability,” added Pentaras in his statement. “Our democracy also demands this.”
He said at the initiative of KYP a new comprehensive legal framework that will govern the agency’s operation “and which incorporates best international practices in the field of democratic control of the intelligence services” had already been filed to parliament.
He also urged that issues of national security be respected.
“In any case, KYP expresses its readiness, if called upon, to inform the competent committee of the House of Representatives on the issue in question,” Pentaras said.
He also mentioned that over the past two years, funding for the agency had been cut dramatically due to the financial crisis.
Dino Pastos, a network security analyst, has been tracking the Hacking Team story since it broke.
From information trickling down to him on an hour-to-hour basis, he said that company invoices relating to Cyprus appear to total some €325,000 so far.
The platform suite listed on the invoice published by Sigmalive actively intercepts communications and data on smart phones and tablets, “and pretty much any device connected to the Internet,” Pastos told the Cyprus Mail.
Infected smart phones would have to be factory reset to get rid of the malicious software, he added.
Other invoices he has seen, from the leaked torrent file, relate to exploits on the Windows operating system. These are currently undetectable by anti-virus software.
“The key question is, of course, what KYP is using this technology for,” said Pastos.
“This being a global issue, I’d like to know how the EU’s legal framework will react.”
Pastos will be posting new information as it becomes available to him on his Facebook page, Dino Pastos.