A combined 1.83 terabytes of data has been leaked from two digital forensics companies. The information on Israeli platform Cellebrite and its Swiss competitor MSAB has been passed onto a hacktivism collective by an anonymous whistleblower.
Hacktivism gang Enlace Hacktivista and non-profit whistleblower news site Distributed-denial-of-Secrets (DDoSecrets) have published the information in full. The companies say no sensitive data was leaked and their systems remain secure.
Spyware data leaked by whistleblower to hacktivists
Enlace Hacktivista, which is thought to operate out of central and Latin America, said in a brief statement: “An anonymous whistleblower sent us phone forensics software and documentation from Cellebrite and MSAB. These companies sell to police and governments around the world who use it to collect information from the phones of journalists, activists and dissidents. Both companies’ software is well documented as being used in human rights abuses.”
So-called ‘phone forensics’ programmes can be used as an advanced spyware similar to Pegasus, developed by another Israeli company, the NSO Group.
Analysis of the data has revealed that 103GB was released from MSAB leaving 1.7 terabytes of data leaked from Cellebrite. It is thought to contain details of the systems themselves, as well as technical documentation and some customer documents, though information on the identify of clients does not appear to be part of the database.
This is the second hacktivism attack on Cellebrite in five months. Last August four terabytes of data was donated to DDoSecrets by the global hacktivism collective Anonymous. The information was made up of the company’s flagship product Cellebrite Mobilology and data from the Cellebrite Team Foundation Server.
The leaked information was only accessible to researchers and journalists upon request from DDoSecrets. They do not appear to have exhibited the same level of caution this time around.
What is Cellebrite and MSAB?
Cellebrite is best known for its flagship product Universal Forensic Extraction Device (UFED) which unblocks mobile phones and other devices by bypassing passwords and encryption. It then extracts data to be analysed by another product called Physical Analyser. This allows operators to analyse data and prepare reports.
The website of Cellebrite’s parent company, the Sun Corporation, reveals that the UFED has been sold to police, military, law enforcement agencies and secret services in more than 150 countries.
A Cellebrite spokesperson said: “We are aware of the post. To be clear, we were not hacked. There was no sensitive information exposed. Additionally, neither Cellebrite’s systems nor customer information were jeopardized.
“The post contains files that are available to Cellebrite customers and will not work without an active license. The overwhelming majority (1.4 of the 1.7 TB) of the files are world maps and translation packs, which were likely included to inflate the size and gain undue attention.”
MSAB describes itself as a “world leader in forensic technology for extracting and analysing data in seized mobile devices. Its software was allegedly used in Myanmar during the military coup of 2021, where 860 protesters and bystanders were killed by security forces, with thousands injured and political prisoners apparently tortured MSAB does not deny its tools were sold to Myanmar, but says it did so legally when the country had an operating democracy.
The company has offices in the USA, Canada, the UK, Europe, Asia and Australia and its software is in use by clients including the UK police.
A spokesperson claimed reports of a leak are “incorrect”. They said: “MSAB has not been hacked. All customer data is safe, and so are all systems, code, or information internal to MSAB.
“What has happened is simply this: An unauthorised party, using stolen customer credentials, logged in to a customer account and downloaded whatever product releases that particular customer was entitled to. Note that this does not include any license files that are needed to activate and actually use the products. Our systems and customer data remain well protected.”