Friday, July 10, 2015

Possibly the machines that injected JavaScript in pre-revolution Tunisia

Back in 2011, as the Tunisian Revolution was underway, I blogged about JavaScript that was being injected into web pages visited by Tunisians over plain HTTP. The JavaScript was designed to steal the usernames and passwords of Facebook and Google Mail users.
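The practical check against this kind of injection is to compare the page a client receives over HTTP with a known-clean copy (fetched over HTTPS, or from a trusted network) and list any script the on-path box added. The following is an added example, not code from the original post or from any of the parties discussed; the baseline and observed pages, the `/static/login.js` path and the injected stub are all constructed for illustration.

```python
"""Spot <script> elements that an on-path injector added to an HTTP page.

Added example, not the original post's code. Assumption: a clean copy of
the page is available (e.g. fetched over HTTPS) to compare against.
All sample HTML below is constructed.
"""
from html.parser import HTMLParser


class _ScriptCollector(HTMLParser):
    """Collect every <script> element as a (src, inline_body) pair."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_script = False
        self._src = None
        self._body = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._in_script = True
            self._src = dict(attrs).get("src")
            self._body = []

    def handle_data(self, data):
        # HTMLParser delivers script bodies as raw data (CDATA mode).
        if self._in_script:
            self._body.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self.scripts.append((self._src, "".join(self._body).strip()))
            self._in_script = False


def collect_scripts(html):
    """Return [(src_or_None, inline_body), ...] in document order."""
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.scripts


def injected_scripts(baseline_html, observed_html):
    """Scripts present in the observed page but absent from the clean baseline."""
    baseline = set(collect_scripts(baseline_html))
    return [s for s in collect_scripts(observed_html) if s not in baseline]


# Constructed sample: a clean login page and the same page with one inline
# script appended by a hypothetical on-path injector.
BASELINE_HTML = """<html><head><title>Login</title>
<script src="/static/login.js"></script></head>
<body><form id="login"><input name="email">
<input name="pass" type="password"></form></body></html>"""

OBSERVED_HTML = BASELINE_HTML.replace(
    "</body>",
    '<script>document.getElementById("login").addEventListener("submit",'
    ' function () { /* credential-exfiltration payload would go here */ });'
    "</script></body>",
)

if __name__ == "__main__":
    for src, body in injected_scripts(BASELINE_HTML, OBSERVED_HTML):
        print("injected script:", src or "(inline)", body[:60])
```

Run against a page captured from the suspect network and its HTTPS twin; an inline script that hooks the login form's `submit` handler and is missing from the clean copy is exactly the pattern the 2011 post described.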

With the release by Wikileaks of the archive of email from Hacking Team it's possible to lift the lid on this just a little.

Ten days before my blog post there was an article in Fast Company titled TUNISIAN GOVERNMENT ALLEGEDLY HACKING FACEBOOK, GMAIL ACCOUNTS OF DISSIDENTS AND JOURNALISTS which talked about this piece of JavaScript. This news article is discussed briefly by folks within Hacking Team.

One engineer comments on the JavaScript being injected by quoting the article followed only by the smiley ":P". Another responds in English "Truly remarkable", and finally someone responds "La foto l'ha fatta un nostro tecnico con cellulare!!!" ("The photo was taken by one of our engineers with his cellphone!!!").

The photo, named ATI.jpg (ATI is the Agence Tunisienne d'Internet, the Tunisian Internet Agency), appears to show three servers labelled Facebook, GMAIL and Hotmail. I wonder if these are the servers that were injecting this JavaScript or receiving the purloined login credentials. It's not 100% clear.

It's unclear from the mails whether Hacking Team was involved in this interception, and another email discussing the topic of Internet restrictions in Tunisia says "Alcune di queste misure restrittive potrebbero essere state implementate da RESI." ("Some of these restrictive measures could have been implemented by RESI.")

But the photograph is eerie.

1 comment:

Aaron Huslage said...

I've seen all of this equipment. These are offload servers for larger proxies...which I have the configurations for.