Documents published by the Dutch government show attempts to intercept encrypted messaging apps. Privacy vs judicial investigations: the conflict is everywhere. But Italy has a jurisprudence all its own on the use of spyware
December 28, 2021
In 2019, at the International Defence Exhibition & Conference (IDEX), Sheikh Mohammed Bin Zayed Al Nahyan, the Crown Prince of Abu Dhabi (known in the press by the initials Mbz) and Deputy Supreme Commander of the UAE Armed Forces, visited the stand of one of the most important and well-known Italian companies in the military sector, Elettronica SpA, 31.33% controlled by Leonardo, the Italian champion of state-owned defence systems. Mbz was welcomed by the CEO of Elettronica, but also by Eugenio Santagata, who, until the end of 2020, was CEO of another company of the group: Cy4gate.
Described by many as one of the leading actors of the Italian technological world, Cy4gate is on its way to conquering two different sectors: IT defence and its “opposite”, i.e. data gathering and enabling intrusions for intelligence and police surveillance purposes. At the moment, seven years after its foundation, the company – partially owned by Leonardo through Elettronica – is acquiring an increasingly prominent role in the international scene of defence service providers. Although relatively new, Cy4gate operates in full continuity with state-owned companies, even when it enters into agreements over the sale of unspecified software to countries such as the United Arab Emirates, where technology is used as a weapon of repression.
The investigation in a nutshell
- Cy4gate is part of the Elettronica group: more than 30% of the company is owned by Leonardo. It works in the field of intelligence services, based on Elettronica’s expertise. At the moment, it is undergoing a significant expansion.
- According to internal documents and presentation slides, Cy4gate’s clients include important companies controlled by the Mubadala sovereign fund: Crown Prince Mohammed Bin Zayed Al Nahyan (Mbz) has appointed some of his most loyal men at the top of this fund.
- Abu Dhabi has a long history of holding shares in Italian companies through its sovereign funds. Some of them have a troubled history, like in the case of Piaggio Aerospace.
- Cy4gate has been active abroad since its very creation: in 2015, it took part in the annual IDEX, one of the industry trade fairs in the Emirates. Among the systems it has exported, there is D-SINT, an intelligence tool that analyses open source information: this instrument is integrated with some controversial wiretapping tools, which can be used for repressive purposes. Information on dual-use goods licences is not publicly available in Italy.
- Cy4gate’s network also includes the Emirates’ police, which sponsored one of their events. Its main partner was DarkMatter, another company used by the Royal Family to spy on opponents and internal enemies, now owned by people close to Crown Prince Mbz.
- Cy4gate managers include former military officials, such as the Chief Transformation Officer appointed this year, Mr. Andrea Raffaelli, who is a former member of the ROS (Special Operation Section of the Carabinieri) and who attended events in the Emirates on behalf of the Carabinieri.
Business in the Emirates
IDEX is one of the most important defence trade fairs held in the Gulf countries. It hosts companies from around the world that sell armaments and defence technologies. Shortly after its creation in 2014, Cy4gate immediately took part in IDEX 2015; since then, it has continued to attend the fair, together with Elettronica. In an interview with Nation Shield, a newspaper focusing on the military world covering the event, Cy4gate Chief Marketing and Innovation Officer, Mr. Andrea Melegari, said: «There was a lot of interest in Cy4gate. We have scheduled several meetings and are making commitments for further dialogue in the future.»
In the interview, however, Mr. Melegari also praised Elettronica and the activities carried out in the sector of digital warfare: «If it wasn’t for that inherited expertise and strength, we would have never gotten where we are.»
According to what was reported by the Italian newspaper La Verità in February 2019, Cy4gate sold to Sheikh Mohammed bin Zayed Al Nahyan and to the Mubadala fund a platform, a system called D-SINT, which is able to monitor social media, the dark web, and other communication sources, thanks to «artificial intelligence algorithms.» The goal is to extract useful information, ranging from the topics being discussed on the web to the shareholders of specific companies.
The platform, according to marketing material and presentations by Cy4gate viewed by IrpiMedia, is a useful tool for law enforcement and intelligence agencies, but it also enables companies to monitor social networks, so as to evaluate the performance of their brand or consider acquisitions of other companies. Moreover, as pointed out by La Verità, Mbz «will be in possession of a tool to carry out intelligence activities about himself.» Due to the current unstable health of Emirates President Khalifa bin Zayed Al Nahyan, Mbz is considered the de facto sovereign of the Emirates. He has strengthened his position by placing people close to him at the top of state-owned companies – such as Mubadala – in order to control defence and cyber-surveillance activities above all.
Mubadala is among the customers included by Cy4gate in some of the company’s presentation slides. The company – owned by the state – is in fact a group, made up of several entities, ranging from investment funds to companies operating in the fossil fuel sector. One of the most important entities is Mubadala Development, a fund managing 243 billion dollars on behalf of the government of Abu Dhabi. Mbz is the Fund’s President.
Mubadala’s Italian passion
The UAE diplomatic network develops through procurement orders, shareholdings, and memoranda of understanding signed by companies and funds representing the government of Abu Dhabi, such as Mubadala, a conglomerate entity specialised in the development of new technologies to be applied especially in the field of defence.
The most dynamic front at the moment appears to be cybersecurity, where Cy4gate is playing an increasingly important role. Mubadala is included in the customer list of the company; according to the company’s financial statements, a state contract is in place ahead of future exports of Cy4gate-branded technologies to Abu Dhabi. Relations between Cy4gate and the Emirates started to develop at least three years earlier through Injazat Data System, a company which, at the time, was 100% owned by Mubadala. Today, Injazat Data System is controlled by a company whose shareholders also include the Emirates fund. Injazat deals with cloud, digital transformation, and cybersecurity. In its 2019 financial statements, Cy4gate highlights a «manifest difficulty» in collecting «credit due by the company Injazat Data System for services carried out in 2016.» Injazat also cooperates with Thales, a French multinational among the leaders in the field of defence, aerospace, and security, and a partner of Elettronica Group. In 2013 the French company partnered with Injazat for a state-of-the-art IT security system. In addition, in 2017 Injazat worked with the Ministry of the Interior of the Emirates to set up an intelligent surveillance system inside its buildings.
Cy4gate told IrpiMedia that Injazat purchased D-SINT, the same platform sold to Mubadala. The platform was configured «for corporate use.»
The Emirates fund Mubadala has been strategically present in Italy for a long time, even in domains not directly connected to cyberspace. In the banking sector, it has invested in Unicredit (at the time of the deal the CEO was Alessandro Profumo, who today works for Leonardo); in the energy sector, it has signed agreements with Eni and Snam, respectively for the reduction of carbon dioxide emissions and to «collaborate on joint investment and development initiatives on hydrogen», as stated in a press release published by Snam. In the security and defence sector, Mubadala signed a MoA with Leonardo to strengthen cooperation for the development of new war aircraft to replace the Emirates fleet.
Despite their long history of cooperation, bilateral relations between Italy and the Emirates have often been stormy. In 2021, the relations cooled to the point that, at the end of June, the Italian military was forced to leave the Al-Minhad base, near Dubai, another of the seven Emirates. The crisis was sparked by the decision of Giuseppe Conte’s Government, in January 2021, to revoke the licence authorizing the export of Italian bombs to Saudi Arabia, a country at war with Yemen, and to the Emirates, which had officially withdrawn from the conflict in 2020, after five years. In August, the Foreign Affairs Committee of the Chamber of Deputies expressed its opinion in favour of relaunching ‘strategic cooperation’ with the Emirates, effectively lifting the blockade.
Before this case, in 2018, the development of a drone triggered diplomatic disputes, which ended up preventing agreements on important procurement orders. Mubadala was one of the protagonists of these disputes: indeed, in 2006, the fund became one of the stakeholders of Piaggio Aerospace, which includes the industrial structures of Piaggio Aero Industries SpA and Piaggio Aviation SpA. In 2014, Mubadala became its sole owner, giving impetus in particular to the development of a drone: the P.180, also nicknamed Hammerhead.
The project, as reported by specialised site Defense News, provided for Italy to purchase some units of this unmanned aircraft, despite the opposition of the Italian army, which considered this purchase useless. In the end, the Italian purchase order was withdrawn, triggering a crisis for Piaggio Aerospace, which, in December 2018, was placed under the control of a government-appointed administrator, upon the Emirates investors’ request. At the moment, the company is looking for buyers: for a long time now, the Emirates fund has been proposing to Leonardo to become a 50% shareholder.
Skeletons in the closet for D-SINT
Apparently, the D-SINT platform purchased by the government of Abu Dhabi did not limit its action to collecting intelligence data as per the brochure. The proof can be found in some emails by Hacking Team (HT), an Italian leader in the field of IT intrusions, which changed its name to Memento Labs after playing a major role in a scandal. The e-mails by HT managers had in fact been published by Wikileaks after the cyber-attack carried out by hacker Phineas Fisher in 2015.
According to this correspondence, Santagata and other representatives of Cy4gate are in close contact with the Milan-based company to organize various presentations and demonstrations of their products to potential buyers. E-mails include references to delegations from Singapore, meetings in Pakistan, and requests for quotes from Qatar.
In an email of May 2015, in the run-up to an offer to a potential buyer linked to Saudi Arabia’s intelligence, Santagata explains to David Vincenzetti, then CEO of HT, how Cy4gate’s D-SINT software can be integrated into RCS, Hacking Team’s platform for lawful interception. Santagata explains this in technical terms and refers to D-SINT as «our suite developed in elt/cy4gate that we call D-SINT.»
Elt means Elt Roma and Elt GmbH, two of the companies forming the Elettronica group, together with Cy4gate. Elt GmbH is based in Germany and is active in national security and police activities. Elt Roma, on the other hand, is the historic company from which the Elettronica Group has developed. It deals with intelligence, surveillance, electronic attacks, and, in general, Electronic Warfare. When Santagata writes “elt/cy4gate”, he reiterates once again that Cy4gate has stemmed from the Elettronica group. This exchange of emails between CEOs suggests that the D-SINT platform, at least in 2015, was able to perform data collection by spyware, i.e. through intrusions on a target device, such as that produced by Hacking Team, instead of simply collecting data from the web or from private databases, as stated in the most recent presentation brochure. From an intelligence point of view, being able to analyse all the information directly in a single platform is clearly much faster and more useful.
This capacity is also partly confirmed by an image, published in an article by General Vincenzo Santo for the ReportDifesa website, which shows the architecture of the D-SINT system. The data being analysed are collected from Twitter, Facebook, Instagram, YouTube, and sites in the Deep Web, but also from SIGINT, ELINT, and COMINT activities, or from databases provided by customers. These acronyms stand for intelligence activities allowing the collection of information by intercepting signals (Signals Intelligence) which, in their turn, can be connected to communications (Communications Intelligence) or other electronic signals (Electronic Intelligence), such as those signalling the position of ships, or other categories of communication devices used in the military, different from the traditional devices we use daily.
In addition, some old brochures dating back to 2016 – according to the analyses carried out by IrpiMedia – offer detailed descriptions of these types of data: there is data from GSM and satellite communications, data from interceptions carried out on devices by law enforcement and intelligence agencies, and audio streams that are converted into text. These additional features are, in some cases, associated with a product called D-SINT Plus.
At the moment, on the Cy4gate website, the only D-SINT-related products being advertised are the two versions of the information dashboard that allows you to view the data. The product is called QUIPO and is offered to companies as well as to government and law enforcement agencies. Cy4gate told IrpiMedia that the D-SINT platform manages data publicly available online and that the platform «can also be connected to corporate management databases that the customer decides to use as additional sources of information, to integrate the open-source ones». The company also underlines that “the D-SINT platform is not used for lawful interception activities” – that is, interception for policing purposes.
According to Cy4gate, the platform used by Mubadala and Sheikh Mbz does not provide for the possibility of analysing data from interceptions «as these functions have never been developed for the D-SINT system».
Abuse and digital surveillance in the Emirates
Human rights violations have been widely documented in the Emirates for years now. In some cases, repression against activists and minorities of all kinds is also based on a technological surveillance apparatus that has grown over the years thanks to the help of the US and, subsequently, local companies. According to an investigative report by Reuters, since 2009 former US intelligence agents have cooperated with Project Raven, a secret team of computer experts whose task was helping the UAE in the surveillance of other governments and human rights activists. Leveraging the knowledge gained working for US intelligence, these people were able to infect computers and smartphones of the Emirates’ “enemies”.
Some members of Project Raven were recruited by cyber security company CyberPoint and, subsequently, in 2016 they found themselves in the position of having to decide whether to return to the USA or agree to work for a new employer: the company DarkMatter, based in Abu Dhabi, one of the most controversial companies in the country. Today, one of the Abu Dhabi government funds holds a stake in the company; Sheikh Mbz placed his most trusted men at the top of that fund after a clash with a rival faction of the royal family in January 2021.
DarkMatter is known for its unorthodox attempts to recruit computer experts. In one case, documented by The Intercept in 2016, cybersecurity researcher Simone Margaritelli had a job interview with a company representative, who told him about a project aimed at monitoring internet communications in the main cities of the Emirates, for the benefit of national security. Margaritelli retraces the main stages of this story in a post published on his blog and reports one of the objectives of the system as described by the representative of DarkMatter: «Imagine that there is a person of interest at the Dubai Mall, we have already placed all our probes throughout the city, let’s press a button and BOOM! All devices in the mall become infected and traceable.»
According to Reuters, Project Raven operators have also used a platform called “Karma”, which would allow the installation of spyware on the iPhones of hundreds of activists, heads of state, and suspected terrorists. Also according to Reuters, among the most illustrious victims are the wife of activist Ahmed Mansoor; the Emir of rival Qatar, Sheikh Tamim bin Hamad al-Thani; and Tawakkul Karman, Nobel Peace Prize winner and one of the leaders of the Arab Spring protest movement in Yemen.
In September 2021, three former military members of US intelligence accepted an agreement amounting to more than $1.68 million to settle allegations related to the provision of hacking services to a foreign government, in particular for the work carried out with DarkMatter to infect computers and smartphones around the world, including in the United States.
Cy4gate, DarkMatter, and their contacts with the Emirates police
Another controversial element is the connection, albeit indirect, between Cy4gate and DarkMatter. Traces of this connection are found in 2016, when Cy4gate took part in the Future Police Technology conference in Abu Dhabi: the strategic partner of the event was the Emirates Ministry of the Interior. The Cyber Security Innovation Partner was DarkMatter, while Cy4gate was a sponsor.
The event is part of the UAE Vision 2021 National Agenda, an initiative that aims to make the Emirates «the safest country in the world.» Among the benefits of being a sponsor of the event, as reported on an archived page of the site, there is the possibility of «expanding one’s network of contacts and potential customers among the UAE police forces» and showing one’s interest in the local market, as well as «building brand credibility in the region.»
It is not clear whether representatives of Cy4gate also participated in the event in 2016. However, the recently appointed (in 2021) Cy4gate CTO Andrea Raffaelli was there at the time in his former role as Commander of the Department of Computer and IT Investigations at the Special Operating Section of the Carabinieri (ROS). In an interview during the event, Raffaelli stressed its importance because «this type of innovation and technology could be very useful in identifying and stopping many criminal threats.»
The company told IrpiMedia that on that occasion «no agreements were signed for future sales.»
The export of dual-use technologies and Cy4gate licences
Although the company denies it, it appears possible to use D-SINT – at least based on past descriptions – also to analyse information collected through third-party spyware. Therefore, D-SINT does not directly intercept but might be able to receive and analyse data collected from spyware developed by other companies. The recent history of abuse in the Emirates should raise concerns regarding these particular customers. Moreover, it seems that the D-SINT platform was not sold only to Mubadala. In an interview dating back to 2017 with the newspaper Nation Shield, Massimo Antonio de Bari, head of the Elettronica Group in the United Arab Emirates, stated that «many companies, even in the United Arab Emirates, are using D-SINT successfully» not only for intelligence activities.
Cy4gate also develops Epeius, its own interception system; however, according to the Intelligence Online magazine, this system is difficult to install without the victims having to click a link, i.e. through so-called 0-click attacks.
Over 10 years of (failed) attempts to regulate surveillance export
Both Palantir and, above all, NSO – despite being two of the best-known companies in their respective sectors – are also the emblem of all the risks linked to the management of surveillance technologies: abuse by dictators and governments, indiscriminate collection of information also from social networks, constant monitoring of dissent and protests by activists and citizens. Indeed, technology export regulations have not been able to keep the proliferation of these technologies under control.
2021 was the year of scandals related to the Pegasus spyware, produced by NSO. This software is able to monitor communications and movements, and to extract copies of all data stored in smartphones; the Forbidden Stories’ investigative report has shown that it is used against journalists, dissidents, and ministers around the world. The effects of the investigative report are still clearly visible: the latest official victims are six Palestinian activists who were monitored between 2020 and 2021 via Pegasus.
The debate on how to control these surveillance technologies, however, has been going on for more than 10 years now. In 2009, the European Union introduced a regulation that provides for the authorization by individual Member States for the export of “dual-use products”, i.e. all those products, including software and technologies, that may have both civilian and military use. The control procedures, the transparency of states, and the definition of the products included in the list have always been weaknesses in the regulation. Therefore, despite the regulation, abuses immediately emerged, such as the one related to the software produced by German company FinFisher, which was used against Bahraini activists and documented in 2012.
In 2014, the European Commission announced an update of the list of dual-use goods, introducing controls for new categories such as spyware and technologies allowing the monitoring of internet traffic. However, 2016 saw the case of Area SpA, a company in Varese that, according to the investigators, had sold technologies for monitoring internet traffic to Syrian secret services between 2010 and 2011; the case was widely debated in Italy. The Ministry of Economic Development has confirmed, in response to a parliamentary inquiry carried out in 2017, that Area SpA had obtained regular export authorisation, and that those technologies were still not included in the controlled categories set forth according to the 2014 update.
The following year, the Ministry of Economic Development revoked Area SpA’s export licence to Egypt, thanks also to the pressure of civil society organizations. Shortly before that, an Al-Jazeera investigative report entitled Spy Merchants had revealed the tactics used by sector companies to avoid controls, for example by resorting to third companies in countries where it is possible to export and effectively bypassing any checks. Other journalistic investigative reports have confirmed that the control system provided for by export regulations is easy to circumvent: Security for Sale has shown that, from 2014 to 2017, EU Member States have allowed the export of surveillance technologies also to totalitarian countries or countries where freedoms are partially denied.
In the meantime, cases of technology-related abuses have continued to grow all around the world: from Mexico (where there are traces of the activity of the Italian company Hacking Team) to Morocco and Myanmar.
The most recent attempt to regulate this type of product is the update of European regulations on the export of dual-use technologies, adopted by the European Parliament in March 2021, with which the EU has tried to remedy the situation by introducing stronger obligations in terms of transparency for individual Member States concerning the granting of export licences. In addition, broader categories have been included such as technologies for cyber-surveillance and biometric technologies. Human rights associations, such as Access Now, Amnesty International, Committee to Protect Journalists, FIDH (International Federation for Human Rights), Human Rights Watch, Privacy International, Reporters Without Borders (RSF) have immediately stressed, however, that this regulation risks proving still inadequate.
Yet, according to a document describing the features of Cy4gate products, Epeius does not have these problems, since it includes different ways to infect a device: remotely, relying on malicious links; by 0-click (a silent installation that does not require victims to click on any link); and even through local infection. Similar features are also found in Pegasus spyware, sold by NSO and already involved in abuses in the Emirates.
Cy4gate has specified that it has been granted «Individual Specific Authorizations for each of its foreign customers» since «some of the exported products can be classified as “armament materials”».
This type of authorization, as stated on the website of the Ministry of Foreign Affairs, is issued based on the opinion of an inter-ministerial advisory committee, which is provided from time to time. The application for export must include a copy of the relevant contract and an end-use declaration. IrpiMedia has requested details on the authorizations provided to Cy4gate from the Unit for the Authorization of Armament Materials (UAMA) of the Ministry of Foreign Affairs (MAECI). A spokesman for the Press Office of the Ministry of Foreign Affairs told IrpiMedia that no licences were issued to the company to export their products to the Emirates.
However, in its document, Cy4gate does not clarify exactly which products have been authorized for export: if, on the one hand, it is easy to include the Epeius software in the category of dual-use products (i.e. products which can be used both in the civil and military fields), for D-SINT the situation is a little bit more complicated. Cy4gate has declared to IrpiMedia that no licence allowing export to the Emirates has been issued because «D-SINT is classified as a “civil good” and does not require any export control», i.e. it is not included in the product types that require an export licence.
In the light of the abuse and digital surveillance cases which have taken place in the Emirates, Cy4gate has replied to IrpiMedia reiterating that «D-SINT has access exclusively to public sources; therefore, as regards the data found on social media, exclusively to public profiles. It is clear that D-SINT does not enable the user to infringe third parties’ privacy rights in any way» and the company reiterates that «Cy4gate strictly complies with the national and international regulations in force on the matter.»
The EU Non-Proliferation and Disarmament Consortium, a group instituted by the Council of the European Union bringing together research centres and think-tanks that deal with regulations on armaments and technologies, has published a study that analyses the new European regulations on the export of dual-use technologies introduced in March 2021. In a table showing when different technologies for digital surveillance were included in the lists of dual-use materials, researchers have pointed out that the EU had included monitoring centres in the list already in 2020. Monitoring centres are systems made available to law enforcement and intelligence agencies to collect, store, and analyse different forms of communication data from various sources. The D-SINT platform appears to include similar features, at least according to past descriptions. If this were still valid, D-SINT should come under the control of the UAMA as a “dual-use” application.
Over the years, stories of system abuse linked to interception and surveillance have also raised the issue of how to make sure that, once the software has been sold and the abuse has been proven, there is a way to stop the abuse and prevent further harm. This was the case with software collecting data from smartphones as seen in the case of Myanmar. If a customer commits abuses using these systems, Cy4gate declares that it is possible to disable the software licence, preventing the receipt of new updates. However, it would be possible to continue to use the system until the licence has expired.