24 February 2015 Project Patti Prepared for: Hacking Team Srl Report Status: Final Report Piazza della Repubblica, 24 20124, Milan, Italy T +39 02 86998088 kroll.com Private and Confidential Project Patti Private & Confidential Restricted Use Warning This report was prepared by Kroll at the request of the client to whom it is furnished. The client agrees that reports and information received from Kroll, including this report, are strictly confidential and are intended solely for the private and exclusive use of the client only in connection with a business, investment or other commercial purpose. Any other use (including for employment purposes, credit evaluation or insurance underwriting purposes) is strictly prohibited and client has agreed that no such use will occur. Any communication, publication, disclosure, dissemination or reproduction of this report or any portion of its contents to third parties without the advance written consent of Kroll is not authorized. Kroll assumes no direct, indirect or consequential liability to any third party or any other person who is not the intended addressee of this report for the information contained herein, its interpretation or applications, or for omissions, or for reliance by any such third party or other person thereon. To the extent information provided in this report is based on a review of publicly-available records, such information, as presented, relies upon the accuracy and completeness of those records, which have not been corroborated by Kroll. Statements herein concerning financial, regulatory or legal matters should be understood to be general observations based solely on Kroll’s experience as risk consultants and may not be relied upon as financial, regulatory or legal advice, which Kroll is not authorized to provide. All such matters should be reviewed with appropriately qualified advisors in these areas. THIS REPORT DOES NOT CONSTITUTE A RECOMMENDATION, ENDORSEMENT, OPINION OR APPROVAL OF ANY KIND WITH RESPECT TO ANY TRANSACTION, DECISION OR EVALUATION, AND SHOULD NOT BE RELIED UPON AS SUCH UNDER ANY CIRCUMSTANCES. Private and Confidential 2 Project Patti Contents 1. Introduction ....................................................................................................................... 4 2. Executive Summary .......................................................................................................... 6 3. Preliminary Contacts at the ISS Seminar ....................................................................... 10 3.1 Preparation for the Meeting ................................................................................................................. 10 3.2 The Meeting at ISS Seminar ................................................................................................................ 10 3.3 The Follow-up...................................................................................................................................... 11 4. The Meeting of 1 December 2014 .................................................................................. 13 4.1 HT’s products ...................................................................................................................................... 13 4.2 HT’s competitors ................................................................................................................................. 13 4.3 The Relationship between Velasco and HT ......................................................................................... 14 4.4 ReaQta ................................................................................................................................................ 14 4.5 The Follow-up...................................................................................................................................... 15 5. The Meeting of 16 January 2015 .................................................................................... 17 5.1 The Introduction by Velasco ................................................................................................................ 17 5.2 The Presentation by Alberto Pelliccione............................................................................................... 17 5.3 Plans for the Future of ReaQta ............................................................................................................ 18 5.4 The Follow-up...................................................................................................................................... 19 6. The Meeting of 6 February.............................................................................................. 21 6.1 The Participants .................................................................................................................................. 21 6.2 The Capabilities of the ReaQta product ............................................................................................... 22 6.3 The Add-On Investigator Tool .............................................................................................................. 24 6.4 The Follow-up...................................................................................................................................... 24 7. Additional Verifications and Cross-Checks ..................................................................... 25 7.1 Cicom USA.......................................................................................................................................... 25 7.2 Spearhead........................................................................................................................................... 26 7.3 ReaQta ................................................................................................................................................ 28 7.3.1 Corporate information......................................................................................................................28 7.3.2 Media profile ...................................................................................................................................30 Private and Confidential 3 Project Patti 1. Introduction Hacking Team Srl (“HT” or “the Client”) is an Italian company operating in the field of IT security consultancy and management. Within its activities, HT has created and produces a software under the name Remote Control System to attack, screen, gain control of and monitor endpoint personal devices, such PCs and smartphones. We understand that HT mainly works with worldwide law enforcement and intelligence communities. In order to develop its position in the Americas, HT has a contract with Alejandro (“Alex”) Luis Velasco (“Velasco”), US citizen, born in California on 2 August 1964, now residing in Annapolis, Maryland. Under the contract, Velasco conducts business development, consultancy and brokerage activities on behalf of the Client. The contract includes a non-compete clause, based on which Velasco is forbidden to compete under any form with HT for the entire duration of the agreement and for a period of one year starting from the termination of the agreement. In September 2014, the Client uncovered that Velasco has an email account registered in the name of another company, Newco404 LLC (“Newco404”). Based on the Client’s preliminary searches, Newco404 was incorporated on 7 June 2014. The only documentation on file for the company seems to be its one-page long Articles of Organization, with the following information: § The company’s registered agent and organizer is Vincent Audric; § Newco404 is registered at 2811 Bolling Road, Falls Church, Virginia. Reportedly, Newco404 operates in the same sector of activity as HT and its products are in competition with HT’s (e.g. active interception). The Client suspects that Velasco is acting in violation of the non-compete clause and is possibly redirecting HT’s (potential) clients to Newco404 or other competing entities. Moreover, the Client has reasons to suspect that other people from HT with commercial functions in different geographic areas could be somehow involved in the new business of Velasco. The Client’s concerns mainly derive from the serious potential damage that Velasco could produce if he is actually acting in favour of a competitor, possibly even using the name of the Client, in order to attract potential customers. The Client informed us that in August 2014 Velasco attended an important exhibition in Florida as a representative of HT. On its website, Newco404 claims it attended the same event. The Client fears that on this occasion Velasco may have commercialized / advertised Newco404’s products instead of HT’s. In addition to the above, the Client has recently noted a less responsive and committed attitude by Velasco and this behaviour seems to support the Client’s concerns. Private and Confidential 4 Project Patti Given the urgency and the need of finding concrete evidence of Velasco’s breach of the noncompete clause, our investigation has relied on a direct approach to Velasco, supplemented with additional verifications and cross-checks into the entities / subjects identified in the course of the assignment. The interactions with Velasco have been managed and conducted by Kroll Directors in New York Dan Schorr, Robert Addona and Jay Sheridan and by Kroll subcontractor, Kenn Cummins of Capitol Inquiry, Inc., a licenced investigator in Maryland. This reports summarises the set of activities we have conducted and describes the main results of the investigation to date. Private and Confidential 5 Project Patti 2. Executive Summary Kroll firstly met with Velasco at the ISS World Americas seminar in Maryland on 7 October 2014. Kroll Director Robert Addona (“Addona”) introduced Kroll as a global consultancy firm as well as service provider to government agencies; Kroll’s subcontractor and licenced investigator in Maryland, Kenn Cummins (“Cummins”), was at the conference as well and was presented to Velasco by Addona as a local consultant / contractor to Kroll and a possible introducer to law enforcement bodies. The conversation focused on mobile interception and remote control and Velasco pitched HT’s product named “Galileo”. During the conference, Velasco claimed that he had run out of his HT business cards, and wrote down on a piece of paper his HT email address and a cell phone number. In the following weeks, attempts by both Addona and Cummins to contact Velasco via email failed. More specifically, Kroll has never received a response from Velasco regarding the HT product. On 19 November, Cummins finally managed to talk to Velasco via cell phone and a meeting was arranged. Initially scheduled on 2 December, it was then changed to the early afternoon of 1 December. The meeting took place at a bar in Maryland. Kroll Director Jay Sheridan (“Sheridan”) observed from a nearby table but did not participate. During the conversation between Velasco and Cummins, the following main topics were discussed: § Velasco explained the capabilities of Galileo and he was unrelenting in his position that there is no other software offered by any competitor that can match the capabilities of the Galileo system; § Specifically asked by Cummins about possible competitors, including PKI Electronic Intelligence, Shohghi, Digital RF and PicSix, Velasco said that he is personally very close to the owner of PicSix and he used the first name “Max”. He said that he had considered taking PicSix on as a client, but had decided that the legal issues in the US deriving from PicSix’s use of antennas instead of satellites would be insurmountable; § Velasco said that his arrangement with HT does not prohibit him from representing other clients and he did not consider this former consideration of PicSix as a possible client to pose a conflict of interests. However, Velasco stressed twice during the conversation that Cummins should not use the HT email to inquire about his other clients; § At a certain point, Velasco said the meeting was set up to discuss HT’s products but that “if we agree to switch hats,” they could discuss his other clients. Velasco then pulled out a large brochure of another client, ReaQta. Please note that the only time Velasco provided Private and Confidential 6 Project Patti Cummins and Kroll with an HT brochure was at the ISS conference. During subsequent conversations, he never pushed the HT product nor did he provide additional information; § Velasco said that ReaQta has developed software that will block the interception capabilities of Galileo. He said he does not see a conflict between his two clients because he markets Galileo to law enforcement and government agencies, and ReaQta to private corporations. Velasco seemed eager to set up meetings to demonstrate ReaQta, but again stressed that Cummins must use Velasco’s personal email when communicating about this product. Following this meeting, HT expressed the need to understand more about the capabilities of ReaQta, and in particular its reported capability to neutralize Galileo. Moreover, the Client expressed concerns about the identity of the professional figures, both sales persons and technicians, behind the development of ReaQta. From the latter’s website, in fact, it emerged that the Client’s former employee and senior developer Alberto Pelliccione (“Alberto”) is listed as ReaQta’s CEO. 1 Upon the Client’s request, Cummins was therefore instructed to keep the dialogue open with Velasco and arrange a demonstration of ReaQta. On 12 January, Cummins received an email from Velasco’s ReaQta email address. A generic bd@reaqta.com was in copy. Moreover, the signature on the bottom of the email identified Velasco as ReaQta’s Vice President Sales – Americas. The demo took place on 16 January at Velasco’s office in Annapolis. We note that this office is rented and paid for by HT. Both Cummins and Kroll Director Addona participated in the meeting. Alberto joined remotely from Malta. He was introduced by Velasco as a former employee and developer of HT. During the meeting, the following key aspects were discussed: § Velasco indicated that the ReaQta product is designated for large private companies who are trying to protect their intellectual property and information, as well as companies who have had or are looking to prevent major data breaches; § Velasco stated that they are currently working in Singapore, South America, Mexico and the United States. In particular, Velasco said that they had just attend the Asia Conference where the product was very well received; § Alberto demonstrated the feature and capabilities of the ReaQta product named ReaQta – CORE. He specifically mentioned the ReaQta forensic tool named ReaQta Investigator 1 According to Pelliccione’s LinkedIn, he has been a Senior Security Engineer at Intelligence Gathering Solutions since January 2008. Prior to that he was a Journalist at Edizioni Master from 2006 to October 2010 and a Researcher at CNR from 2003 to January 2008. He is based in Milan. A biography of Pelliccione on the website for the Association of Law Enforcement Intelligence Units states that he joined Hacking Team in January 2008 and was in charge of research and development on mobile platforms (http://leiu.org/training/event/speaker/2013/alberto-pelliccione). Private and Confidential 7 Project Patti which reportedly allows IT departments to identify URL information and identify hackers attempting to extract information; § When asked whether ReaQta serves to neutralize the abilities of HT’s Galileo, both Velasco and Alberto laughed nervously. Velasco then said to Alberto, in Italian, “what should I say?”. Alberto finally said that it is “correct” that ReaQta can neutralize the HT software; § When asked whether he was concerned that clients he sold ReaQta to might be the targets of his clients buying the HT software – and, therefore, he might be working for both the “good guys” and the “bad guys” – Velasco answered that it was not his responsibility, nor ReaQta’s responsibility, to vet their clients; § According to Velasco, they expect ReaQta to really take off in April 2015 and they have plans to open offices in New York City, Central and South America; § The cost of the ReaQta product reportedly ranges from $80,000 up to $140,000, with an annual maintenance fee of 15-20 per cent of the contract. During the meeting, Velasco offered to arrange for another demonstration for Kroll at a more convenient location. He mentioned Kroll’s headquarters in New York or alternatively he said that “a colleague” has an office close to Dulles airport where the demonstration could take place. We note that the headquarters of Newco404 LLC, the starting point of this investigation, is located in Virginia, very close to Dulles Airport. The new demo took place on Friday, 6 February, at Kroll’s office in New York. In the days prior to the meeting, Velasco informed Addona that Alberto would not be able to join, but a colleague, “Vince [sic] Audric,” would replace him. We note that Vincent Audric (“Audric”) is the name of the registered agent and organizer of Newco404. On 6 February, three Kroll representatives met with Velasco, while Audric and another individual from Singapore joined the meeting remotely. During the presentation, it was unclear if Audric was a sales person or a software developer. However, he was very well informed about the ReaQta product and was very knowledgeable regarding its technology. The subject from Singapore was called by Velasco directly on his phone and was introduced as “Serge,” the Asia Pacific representative for ReaQta, possibly involved in an installation of the ReaQta product there. It was unclear if Serge was a sales person or a technician. He was very engaged in the presentation and knowledgeable about the technical aspects of the product. Two Kroll representatives at the meeting were able to see Velasco’s cell phone, which Velasco had placed on the table in plain view, and the name that appeared in the screen was “Serge Woon.” This is the name of HT’s representative in Singapore. Private and Confidential 8 Project Patti During the presentation, a series of purported capabilities of the ReaQta product were described. Kroll inquired several times during the presentation for additional information regarding the “add on” Investigator tool. All three subjects were very reluctant to discuss the tool and its abilities to allegedly identify a hacker’s identity. That was in contrast to the first demonstration in January when both Alberto and Velasco were almost bragging about how wonderful the tool was and its abilities to hack into a bad actors’ computer. They indicated that you could place a document in your computer and when the hacker took the document and attempted to open it, the investigator tool would give you a “window” into the hackers’ computer. Additionally, it would be able to capture the IP address of the hacker and identify his or her location. On 11 February, following Kroll’s request for further documentation as promised by Velasco during the meeting, Velasco sent to Kroll the following documents: Data Sheet, Solution Briefing, Hardware requirements, Presentation and an NDA to be signed prior to release a formal proposal and pricing. Velasco also proposed any of the last three days of February to install a trial version of ReaQta on Kroll’s demo environment. On 16 and 18 February Velasco reiterated his proposal to arrange a new meeting at Kroll offices together with ReaQta’s CEO and co-creator Alberto in order to install the trial version and train Kroll on how to use it. Private and Confidential 9 Project Patti 3. Preliminary Contacts at the ISS Seminar 3.1 Preparation for the Meeting Between 6 and 8 October 2014, an important conference / exhibition was scheduled in Maryland, the ISS World Americas seminar (“ISS seminar”) at the Bethesda North Marriott Hotel & Conference Centre (5701 Marinelli Road Bethesda, Maryland). HT was a sponsor and both Velasco and a team from HT were expected to attend. Given the type of products involved and the specific market to which they are dedicated, we acknowledged that the ISS seminar was the best occasion to approach Velasco. It was unlikely that he would expose himself and immediately propose Newco404’s products, but the exhibition allowed us to create the contact and then proceed with a proper follow-up. Our team was composed by a Senior Director from Kroll, Robert Addona (“Addona”), and Kroll’s subcontractor and licenced investigator, Kenn Cummins (“Cummins”). The presence of a licensed investigator in Maryland was of key importance in view of the possible affidavit / testimony. In fact, we could not record any conversations with Velasco as Maryland is a so-called “two-party consent” state, meaning that recording requires the consent of the two - or more - parties involved in the conversation. Addona and Cummins privately and confidentially met the Client in Maryland on Monday 6 October for a detailed briefing re: the products, the key questions to ask, the specific approach to follow. 3.2 The Meeting at ISS Seminar On Tuesday, 7 October, Addona and Cummins, whose names had been added by the Client to the list of ISS exhibition’ attendees, approached Velasco at the Conference Centre. The approach went as planned and the Kroll team had a very good and natural / easy conversation with Velasco. Addona introduced Kroll as a global consultancy firm as well as service provider to government agencies; Cummins was presented as a local consultant / contractor to Kroll and a possible introducer to law enforcement bodies. As per the Client’s instructions, the conversation focused on mobile interception and remote control. Velasco did not pitch another product and stuck to HT’s remote control product named “Galileo.” However, when specifically requested to share his business card, he claimed that he had run out of them. He then wrote down his email addresses and a cell phone number, (301) 332-5654, on a pad that he had with him. The contact was left open for future meetings and conversations. In particular, Cummins engaged to follow up with Velasco for potential cooperation. Private and Confidential 10 Project Patti NOTES: the Client confirmed that during the Conference Velasco actually ran out of his HT business cards. 3.3 The Follow-up The email address provided by Velasco during the conference proved to be incorrect and the first emails Cummins sent bounced back. More specifically, the first email was sent on 17 October to 2 the following email address: a.velasco@comcast.net. Cummins called Velasco after the email bounced back but he did not receive any answer. Cummins sent the email again on 24 October but it bounced back as well. 3 On 24 October 2014, Cummins called Velasco and spoke to him for about 15 minutes. After Cummins reminded Velasco of their meeting at the conference, Velasco recalled the conversation. When Cummins asked for the email address again, Velasco said it was on his business card. Cummins reminded him that he did not have any cards with him at the conference, and Velasco recalled that as well and said that at the conference he might have mixed his email addresses up. During this conversation, Velasco stated his email addresses were as follows: § velasco@comcast.net § a.velasco@hackingteam.com Velasco said that he was in Miami, Florida. He added that we would travel through 7 November and would be back in Annapolis the week of 10 November. He said that he would send to Cummins an email with a proposed time and date for a meeting in Maryland. NOTES: The Client confirmed that Velasco was at an exhibition in Florida on behalf of HT and following this he would go to visit his mother who was sick. Later, the Client discovered that Velasco did not go to visit his mother but was on vacation with his family in Mexico. On 18 November 2014 Cummins wrote to Velasco at a.velasco@hackingteam.com. The subject of the email was “Kroll Needs your services.” Cummins received the notification that Velasco read 4 the email on the same day at 2 PM but he never received any answer. Kroll Director Addona sent an email on the same date 18 November to Velasco at 5 a.velasco@hackingteam.com. Addona did not receive any notification that the email had bounced back and Velasco never responded to the email. Even after Cummins spoke with Velasco, the latter never followed up with Kroll as a possible opportunity for HT. 2 Attachment a – 141017 Email 3 Attachment b – 141024 Email 4 Attachment c – 141118 Email 5 Attachment I – 141118 Email Private and Confidential 11 Project Patti In Mid-November, neither Addona nor Cummins had yet heard back from Velasco. Please note that Kroll has never received a response from Velasco regarding the HT product. On 19 November, Cummins received a text message from Velasco. Velasco stated that he was in a meeting and he would give him a call when he was done. It appeared based on numerous attempts to contact Velasco via email, he preferred to communicate via text and cell phone conversations. 6 Finally, on 19 November, Cummins had a conversation via text message with Velasco, in which a meeting was arranged for Tuesday, 2 December, in Annapolis, Maryland. On Monday, 1 December, shortly before 12:00 PM, Velasco called Cummins to inform him that he would need to re-schedule the meeting because early on the day after he was traveling to Mexico City on business together with some managers of HT. Cummins gave his availability to move the meeting to the same afternoon of 1 December, rather than wait until Velasco returned from Mexico. In the early afternoon of 1 December, Kroll Director Jay Sheridan (“Sheridan”) arrived in Maryland and met with Cummins prior to the meeting in order to work out logistics. 6 For the thread of text messages between Cummins and Velasco from 19 November until 23 December 2014, please see Attachment d – 141119-141223 Text. Private and Confidential 12 Project Patti 4. The Meeting of 1 December 2014 On Monday, 1 December, at approximately 4:30 PM, Cummins met with Velasco at the bar in the Marriott Waterfront Hotel, located at 80 Compromise Street, Annapolis, Maryland. Please note that the originally scheduled meeting of 2 December had to take place at a different location. The original location was Velasco’s office in Annapolis. The location was subsequently changed by Kroll because Sheridan would not be able to witness the meeting. Sheridan observed the meeting from a nearby table at the bar and did not participate. The meeting lasted approximately one hour. 4.1 HT’s products In explaining the capabilities of HT’s Galileo software, Velasco was unrelenting in his position that there is no other software offered by any competitor that can match the capabilities of the Galileo system. However, he stressed at the beginning of the conversation, and numerous times during the meeting, that Cummins could not get access to the product because the end-user had to be a law enforcement agency or a government entity. Velasco said all paperwork had to be filled out by the end-user, not Kroll. Each time, Cummins reassured him that he understood and that Kroll intended to offer the Galileo software as part of its capabilities when competing for government contracts. Velasco said the system would cost $800,000 for a platform that would allow interception of computers and phones, plus the hardware, which would cost another $30,000. He said HT provides the software, but Kroll would have to purchase the necessary hardware. This level of the program would allow the end-user to have as many as 25 “agents” or computers on which the software could be installed and operated. Velasco said he could provide a stripped-down version for “just under $500,000” that would only have up to 10 agents and would not have all of the capabilities of the higher-priced one. The cost of the program is important because, even though the end-user buys it and can keep it forever, HT requires a 20 percent annual maintenance fee of the original price to keep the software updated and functioning properly. 4.2 HT’s competitors Velasco did not mention any competing products during the conversation, with the exception of Fin Fisher, a company that exhibited at the Bethesda, Maryland conference where Cummins and Velasco first met. He said Fin Fisher is “imploding” and may soon be out of business. Cummins cited competitors while inquiring about a cheaper solution on the market for companies that are Private and Confidential 13 Project Patti not on the level of Kroll. Velasco nodded at the mention of PKI Electronic Intelligence, Shohghi, Digital RF and PicSix. Based on the briefing had with the Client in October, Cummins purposely named PicSix last, and that was the only product that drew a comment from Velasco, who said “I am personally very close to Max, the owner of PicSix.” He said the technology only works on phones, not on computers. During the discussion about PicSix, Velasco mentioned again that he was close to the owner, but only referred to him as “Max.” He said he had considered taking PicSix on as a client, but had decided that the legal issues in the U.S. would be insurmountable. PicSix, he said, works by using antennas, not satellites, and picks up all telephone conversations in an area. Given the controversy over the U.S. National Security Agency’s interception practices, Velasco said that he had decided against forming a relationship with PicSix. Velasco never gave a sales pitch for PicSix. 4.3 The Relationship between Velasco and HT Velasco said that he is not a full-time employee of HT, but a contract employee hired to represent the company in Canada, the U.S., and Central and South America. He stated that HT had expressed interest in hiring him as an employee, but that he preferred to operate as an independent contractor for them and considered HT to be one of his clients. Velasco said his arrangement with HT did not prohibit him from representing other clients, and he did not consider his former consideration of PicSix as a possible client to pose a conflict of interest with his arrangement with HT. Velasco stressed twice during the conversation that Cummins should not use the HT email to inquire about his other clients. He told Cummins to use his personal email address, which he had provided previously. He said he represents other clients through his company, “Cicom USA – but you won’t find it online” (for more details on Cicom USA, please see section 7.1). Cummins told Velasco that the Galileo system might be useful to Kroll because it works with major corporations and government agencies, but that he has small clients who need more affordable solutions. Velasco discussed the possibility of getting the cost of Galileo under $500,000 but said that was about as low as it could go. At one point, Velasco asked what Kroll did, and he did not seem familiar with the company, despite Kroll’s previous effort to become a client of HT via Velasco. 4.4 ReaQta Velasco said the meeting was set up to discuss HT’s products but that, “if we agree to switch hats,” they could discuss his other clients, and Cummins could bring up his needs for clients other than Kroll. Velasco then pulled out a large brochure for another client, ReaQta (for more details Private and Confidential 14 Project Patti 7 about ReaQta see section 7.3). Please note that the only time Velasco provided Kroll with an HT brochure, was at the ISS conference. During subsequent conversations with Velasco, he never pushed the HT product nor did he provide additional information (i.e. white paper, technical guide, promotional materials) for the Galileo/HT product. He said that ReaQta has developed software that will block the interception capabilities of Galileo. He said he did not see a conflict between his two clients because he markets Galileo to law enforcement and government agencies, and ReaQta to private corporations. Velasco seemed eager to set up meetings to demonstrate ReaQta, but again stressed that Cummins must use Velasco’s personal email when communicating about this product. He briefly mentioned a third client, a French company, but said that its products would be much too costly for Cummins’ consideration and needs. Velasco said that his Annapolis, Maryland office was opened for his company Cicom USA, but that he expanded it when HT became his client, and HT pays a major part of the rent. 4.5 The Follow-up After the meeting of 1 December, the Client asked us to try to get a demonstration of the ReaQta product in order to assess whether it actually serves to neutralize the abilities of HT’s Galileo. Moreover, the Client expressed concerns about the identity of the professional figures behind 8 ReaQta. In particular, ReaQta’s website lists Alberto Pelliccione as its founder and CEO. Alberto Pelliccione is a former senior developer of HT who knows HT’s products very well and left the company approximately one year ago. Moreover, the Client knows that Velasco and Alberto Pelliccione do not only know each other for business reasons, but they are close friends. The Client also expressed concerns about the possible involvement of other people from HT’s network and workforce. Therefore, Cummins was instructed to keep the dialogue open with Velasco and arrange a demonstration of ReaQta as soon as possible. During the month of December, Cummins kept on 9 communicating with Velasco via text message. Please note that based on Kroll’s experience working with other vendors who are selling similar products it is very unusual that Velasco was not communicating via email. Most of vendors use emails. With some delay also due to Christmas holidays, in early January 2015 Velasco proposed the demonstration to be conducted on Thursday, 15 January. On Sunday, 11 January, Cummins had a telephone conversation with Velasco where they discussed rescheduling the meeting. On Monday, 12 January, Velasco wrote an email to 7 The brochure is attached to this report (Attachment II – ReaQta Brochure). 8 A print screen of the website https://reaqta.com/ is attached to this report (Attachment III – ReaQta Website). 9 Attachment d – 141119-141223 Text and Attachment e – 150102-150116 Text. Private and Confidential 15 Project Patti Cummins and asked for the confirmation of “a demo of ReaQta Core for Kroll.com” for “first part of next week.” Please note that the email was sent by Velasco using a ReaQta email address (a.velasco@reaqta.com) and a generic bd@reaqta.com was in copy. Moreover, the signature identifies Velasco as ReaQta’s Vice Present Sales – Americas. 10 Cummins asked Velasco to confirm that it was no longer possible to meet on Thursday, 15 January. He wanted to give an update to Addona of Kroll in order to ask him to postpone the meeting to the following week. Velasco informed Cummins that HT engineers would come to the U.S. for demonstration of HT products to another client on Thursday, 15 January. He added that in the last hour it seemed that the demo would be cancelled. In this case, the ReaQta demo could be confirmed for Thursday. Otherwise, they had to “plan differently”. Velasco said: “The HT tech that does the demos with me and carries the equipment will be in town. If you are open to an HT demo that I can almost confirm. Not the reaqta demo.” Cummins answered that they could move the ReaQta meeting to Friday, 16 January, or Monday, 19 January. Cummins also said that he was interested in learning more about HT, for his clients as well as Kroll. Basically, Cummins agreed to arrange a meeting with HT for Wednesday or Thursday, and then work on the arrangement of the ReaQta demo. On 13 January, Velasco wrote to Cummins and informed him that the HT meetings had been moved to the end of the month, so he could confirm the meeting with Kroll for the ReaQta demo on Friday, 16 January, at his office in Annapolis. He added: “I can do a simple demo of HT if you are still interested and have time. But prefer not to mix the two in same sitting.” Cummins confirmed his interest for the HT product and gave his availability to schedule a meeting with HT engineers for the end of the month. In the meantime, the ReaQta demo was arranged for Friday, 16 January, around noon time. 11 Please note that Cummins never received a proposal from Velasco in order to schedule the HT demo. NOTES: In the meantime, the Client informed us that they were in fact arranging a presentation in the US for another client and that they had received the following email from Velasco: “I am also working on a meeting with Kroll.com who has reached out to us from ISS. They called me last week and requested a meeting. Although they would not be the final client they do have contacts that reach deep into US Gov. It was being suggested that they come to the Annapolis office for a demo on Wednesday or Friday.” The other client later cancelled the meeting with HT and, subsequently, HT engineers decided to postpone their trip to US. 10 Attachment f – 150112 Email. 11 The entire flow of emails between Velasco and Cummins is attached (Attachment g – 150112-150113 Email). Private and Confidential 16 Project Patti 5. The Meeting of 16 January 2015 5.1 The Introduction by Velasco On Friday, 16 January, Senior Director Addona of Kroll (who had already met Velasco at the Bethesda Conference in October) and Cummins met with Velasco at his office located at 1997 Annapolis Exchange Pkwy, Suite 300, Annapolis Maryland. The purpose of the meeting was to receive a demonstration of the ReaQta product that is being sold by Velasco. Also involved in the demonstration was an individual later identified as Alberto Pelliccione (“Alberto”). Velasco introduced Alberto as a former employee of HT and a developer of products for HT. The meeting began at approximately 12:05 PM, with Velasco providing a brief overview of the demonstration to be given by Alberto remotely from Malta. Velasco indicated that the ReaQta product is specifically designed for large private companies who are trying to protect their intellectual property and information, as well as companies who have had or are looking to prevent major data breaches, such as Sony, Target, etc. Velasco went on to say that ReaQta is far superior then some of the products that are already on the market today including, Fire Eye and Bromium. Additionally, this product is available to the private sector, so everyone has access to it. Velasco also stated that they had just attended the “Asia Conference” where the product was well received and indicated that clients were dropping their current provider and going with the ReaQta product. Velasco stated that he has partnered up with Alberto and is very excited about the product and sees large growth potential in the market place. Velasco went on to say that they are looking to expand and are currently working in places like Singapore, South America, Mexico, and the United States, including Washington and Maryland. At this time, Velasco turned over the presentation to Alberto, who demonstrated the features and capabilities of the ReaQta product. 5.2 The Presentation by Alberto Pelliccione Alberto prepared a power point presentation which laid out the following features of ReaQta: § The name of the product is ReaQta – CORE; § The software is installed at the end user point, not in the network server, which means each individual computer has protection; § The software identifies all exploitation attempts, blocks them, identifies them and then analyses the threat. This is all done in real time with real time notifications; § The product protects against “data exfiltration” because the information is encrypted; Private and Confidential 17 Project Patti § The software runs outside of the operation systems; § The ReaQta forensic tool (ReaQta Investigator) allows the IT department to identify URL information and identify the hacker who is attempting to exfil information; § There is a dash board that provides real time information for all users; § The software develops a “profile” of each user in order to determine if there is activity outside the profile being performed on the end users machine; § The protection system is undetectable and can be customized to each user; During the demonstration, Alberto mentioned that he was very familiar with the HT product because he used to work there. He went on to say that the ReaQta product was superior to anything that’s out on the market today. When asked whether ReaQta serves to neutralize the abilities of HT’s Galileo, both Velasco and Alberto laughed nervously. Velasco then said to Alberto, in Italian, “what should I say?”. Alberto finally said it is “correct”’ that ReaQta can neutralize the HT software. When asked whether he was concerned that clients he sold ReaQta to might be the targets of his clients buying the HT software – and, therefore, he might be working for both the “good guys” and the “bad guys” – Velasco answered that it was not his responsibility, nor ReaQta’s responsibility, to vet their clients. However, most of the clients they are pitching to or would like to pitch to are well known corporations. 5.3 Plans for the Future of ReaQta After Alberto signed off, Velasco again repeated that he expected ReaQta to really take off this year, and he hoped to be moving his office elsewhere, perhaps to New York City. He also said that ReaQta plans to open an office in Central and South America in the next six months, and is looking at Colombia and Panama as possible locations. Everything at the moment is being run out of Malta. The company presently is signing up clients and plans to officially launch in April. When asked about cost, Velasco said the cost of the ReaQta product would range from $80,000 up to $140,000 for the large clients, with an annual maintenance fee of 15-20 percent of the contract. Velasco said he could arrange for another demonstration for Kroll at a more convenient location. Velasco mentioned that “a colleague” has an office close to Dulles airport in Washington, D.C. and that the meeting could be held there. When asked if he had a ReaQta business card, Velasco apologized for not having any cards. After the demonstration, Velasco invited the Kroll investigators out to lunch at a nearby restaurant. During lunch, he portrayed Alberto as one of the “original developers” for Hacking Team products. Velasco stated that Alberto worked for HT for years and “Alberto knows everything there is to know about Hacking Team.” Velasco also said that he admired Alberto for Private and Confidential 18 Project Patti his entrepreneurship and that “Alberto found a niche and a need in the market and he took a chance.” During the lunch, which Velasco bought with the intent of billing a client, Velasco said “there is an issue with Hacking Team.” When asked what the issue was, he said his higher-ups at HT were not convinced that Kroll would qualify to be a client of HT because of the end-user issue. Velasco has raised this issue before, and each time, we assured him that the end user would be a qualified government agency or law enforcement agency. Velasco asked Investigator Addona, what opportunities he sees for ReaQta. Investigator Addona responded by saying that the product appeared to be very promising and impressive and if it does what it says it does, both Kroll and their private clients may be interested and the opportunities could be endless. Velasco appeared to be very pleased with this response. Investigator Addona indicated that he would speak to his IT team to see if they would be interested in seeing the product as well. Velasco stated that he would be willing to come to New York to provide the demonstration and possibly allow Kroll to use the product on a trial basis. 5.4 The Follow-up As described above, during the meeting of 16 January Velasco said he could arrange for another demonstration for Kroll at a more convenient location, even at Kroll’s headquarters in New York. Alternatively, he specifically mentioned that “a colleague” has an office close to Dulles airport where the demonstration could take place. Velasco also added the he would be willing to allow Kroll to use the product on a trial bases. We note that the headquarters of Newco404 LLC is located in Virginia, 2811 Bolling Road, very close to Dulles airport (approximately 20 minutes by car). The fact that Velasco proposed to arrange a new demonstration there with “a colleague” made the follow-up necessary. We agreed with the Client to proceed as follows: § Arrange the new demonstration in Virginia or New York and try to record it as both are “one-party consent” states; § Ask for some details about the presence of ReaQta’s sales team in other regions, in particular Singapore, where HT’s representative Serge Woon is suspected of being involved in parallel activities; § Try to get the trial version of ReaQta; § Ask Velasco for a formal proposal for the acquisition of some licences of ReaQta. Private and Confidential 19 Project Patti Prior to any requests by our side, on 21 January Velasco (from the email address a.velasco@reaqta.com) wrote to Addona and Cummins. Velasco said: “I have talked to the team about the POC at your office and they are just waiting for a confirmation from you. Do you have any questions or need any other information? Please let me know if you need anything from me, I will be happy to help.” 12 The new demonstration was scheduled on Friday, 6 February, at Kroll’s office in New York. While Velasco was expected to be physically present, Alberto was supposed to remotely join from Malta. Prior to the meeting, Velasco informed Addona that Alberto would not join and an individual named “Vince [sic] Audric” would participate in his place. Please note that Vincent Audric is the name of the registered agent and organizer of Newco404. The meeting of Friday 6 February was all arranged via email between Velasco and Kroll Director Addona as per the exchanges attached to this report. 12 Attachment IV – 150121 Email 13 Attachment V – 150121-150129 Email Private and Confidential 13 20 Project Patti 6. The Meeting of 6 February 6.1 The Participants On Friday, 6 February 2015, Kroll representatives Dan Schorr (“Schorr”), Addona, and Bill Moylan (“Moylan”) met with Velasco at the Kroll New York Office. The purpose of the meeting was for Velasco to provide Kroll with a demonstration of the capabilities of the ReaQta software. During the presentation, two individuals joined the meeting remotely. One was identified as Vincent Audric (“Audric”) and the second was Serge Woon (“Woon”). Kroll had previously identified Audric as the principal owner of a Virginia-based company called NewCo404. Based on its website, NewCo404 operates in the same sector of activity as HT and its products are in competition with HT’s (e.g. active interception). 14 During the presentation it was unclear if Audric was a sales person or a software developer. However, Audric was very well informed about the ReaQta product and was very knowledgeable regarding the ReaQta technology. Velasco began the presentation with a general overview of the product. Audric then took over the presentation remotely and provided the technical capabilities of ReaQta. During the early part of the demonstration, Velasco called an individual named “Serge” to join the presentation. Velasco described Serge as the Asia Pacific representative for ReaQta. Velasco indicated that Serge was in Singapore, possibly involved in an installation of the ReaQta product. It was unclear if Serge was a sales person or a technician. Schorr and Addona were able to see Velasco’s cell phone, which Velasco had placed on the table in plain view, and the name that appeared on the screen was “Serge Woon”. Woon is believed to be “Serge Wee Shou Woon”, a Senior Security Consultant at HT. This assumption is based on information obtained through open source research, as well as conversations with HT representatives. Woon was very engaged in the presentation and was knowledgeable about the technical aspects of the ReaQta product. Prior to the presentation, Kroll requested to record the presentation slides in order to share them with other cyber colleagues who were unable to attend the demo. Velasco stated that he did not believe he had the capability to record the presentation, in part because it did not use a webinar/webex format. He agreed to send Kroll an electronic copy of the presentation, which he sent via email on Thursday, 11 February (see below for more details). The overall presentation was not very sophisticated. Presentation graphics were primitive and presentation slides did not contain much information specific to the product. In addition, the presenters continually had connectivity/reception problems when seeking input from Woon. 14 A print screen of the website https://www.newco404.com/ is attached to this report (Attachment VI – NewCo404 Website). Private and Confidential 21 Project Patti Velasco offered to provide Kroll with a demo version of the ReaQta software and said that he had no objection to Kroll showing it to clients. Velasco suggested that a ReaQta employee would assist with the installation. 15 6.2 The Capabilities of the ReaQta product From the presentation, Kroll was able to identify the following purported capabilities of the ReaQta product. Following each subject area, we have summarized Kroll’s assessment of its significance. a. Uses a ‘Nano OS’, utilizing ‘Hypervisor’ to function outside of the host operating system a. Sits on top of the CPU b. Programmed in Assembly c. Intercepts IRQ requests d. .1%-3% CPU load This description of the software indicates that it uses the virtualization hardware present in most modern computer systems in order to run the software in a separate virtual machine operating system. The ReaQta software is able to intercept signals from the host operating system to the host hardware in order to monitor and control functions of the host operating system. The use of Assembly language insures fast operation, low CPU overhead, and small memory footprint. When Velasco asserted that the CPU load of the product was between 1% and 3%, Serge interrupted to say that his testing showed a .1% CPU load. The CPU load is crucial to the detectability of the hypervisor virtualization as it is perhaps the only way to detect that a system is running a hardware virtual machine on the host. The collected data is sent from the monitored host to the ReaQta server where it is analyzed and correlated. b. Can observe data coming into or going out of a system, including across SSL or TOR network protocols, and can discover source and/or destination IP addresses This indicates that the product has the ability to access data in transit as it exists unencrypted in memory before being passed to encrypted network protocols, or after having been decrypted by the SSL enabled applications or TOR browser. 15 Typically, a vendor would provide a copy of the software to Kroll and Kroll technicians would install the software in their test environment. Kroll does not permit outside vendors to access Kroll’s secured environment. Private and Confidential 22 Project Patti c. Monitors in 4 ways. a. Identifies malware, including 0-day and targeted attacks, and detects code injection b. Alerts on system behavior indicating attempted exploitation of vulnerabilities with approximately 2% false positives c. Identifies exfiltration of data and destination d. Uses a type of Artificial Intelligence to identify patterns of hardware characteristics or application use to build a baseline and alert on anomalous behavior. This enumeration of the vectors of protection provides some insight into the functioning of the software. The malware component appears to be heuristic or behavior-based, detecting process code injection or other typical malware actions. There is no basis provided for the 2% false positives assertion. However, it is possible that legitimate code injection or antivirus processes may account for 2% of the noted activity. The identification of data exfiltration was demonstrated by a capability to monitor file and network activity by individual processes. The artificial intelligence capability shows that an analytic capability of the data collected by monitoring is built into the system. d. Control of the host system a. Software has ‘access to everything’ b. Policies included in the ReaQta product provide additional security preventing potentially dangerous user actions. Additional policies can be added to address and mitigate any suspicious activity The assertion that the software has complete control of the host system indicates a low level interception of communication between the host operating system and hardware, and the ability to allow or prevent specific user activities through the use of policies configured in the ReaQta product. e. Ghost Environment a. Analysis server will execute/analyse suspect binaries in a sophisticated sandbox environment that is programmed to emulate an actual host, making it difficult for malware to identify the host as a VM test bed (sandbox) and alter its behavior or fail to execute at all. The ‘Ghost Environment’ description provided by Mr. Velasco indicated that the sandbox environment included in ReaQta was able to defeat the ability of sophisticated malware to detect the presence of a virtual machine environment by examining the number of cores in the system, the amount of memory available, and other environmental indicators that would identify the virtual environment to the malware. Private and Confidential 23 Project Patti 6.3 The Add-On Investigator Tool Kroll inquired several times during the presentation for additional information regarding the “add on” investigator tool, which supposedly can help identify and penetrate hackers who are attempting to infiltrate the system REAQTA is protecting. During a previous conversation with Kroll (on Friday, 16 January), Velasco had discussed and promoted the ability of the tool to gain access into an infiltrator’s system and capture the identity of the hacker. However, all three presenters appeared reluctant to discuss the tool during the presentation of 6 February. 6.4 The Follow-up On 10 February, Kroll wrote to Velasco and asked for the additional documentation as already discussed during the meeting (i.e. Technical Guide, White paper, Copy of the presentation, Demo software including the ReaQta investigator tool “add on”, Proposal with pricing). Kroll also asked for information with regard to the network requirements needed to demonstrate the complete features of the ReaQta and Investigator products. Velasco answered: “we are in the process of updating the WhitePaper and Guide” and added that “other impressive improvements and new functions are being added to documentation. We are also looking at our calendars to set up another meeting were [sic] we can perform a POC and set up the demo unit for you.” On 11 February Kroll received another email from Velasco with the following attachments: “Data Sheet, Solution Briefing, Hardware requirements, Presentation.” 16 Velasco stated that before proposals and pricing, they would need a signed NDA (a copy was attached to the email). Moreover, Velasco proposed “any of the last 3 Days in February” to install the demo on Kroll environment. On 16 February Velasco wrote a new email “to follow up on our proposal to visit your office to help install a trail [sic] demo of ReaQta-Core”. He added that the CEO and co-creator of the system, Alberto Pelliccione, would be in New York between 23 and 27 February and they could be at Kroll’s office “to perform the needed task.” On 18 February Velasco wrote to confirm a possible meeting at Kroll’s office between Thursday, 26 February, and Friday, 27 February. Velasco mentioned again that Alberto Pelliccione would be accompanying him to the meeting and they could demo the system to those who were not able to attend the previous demonstration and later could install the demo and conduct a training. Velasco added that it was not easy “getting the co-creator to join us” so he hoped they would be able to arrange the meeting. 17 16 The documents sent by Velasco are attached to this report in a zip file (Attachment VII). 17 The flow of emails cited in the section 6.4 are attached to this report (Attachment VIII – 150210-150218 Email). Private and Confidential 24 Project Patti 7. Additional Verifications and Cross-Checks 7.1 Cicom USA Online research identified a profile for Cicom USA LLC on Manta.com, an online directory of small businesses. The profile states that Velasco is the General Manager of the entity, and it provides the following description: Categorized under Radio and T.V. Communications Equipment. Our records show it was established in 2010 and incorporated in Maryland. Current estimates show this company has an annual revenue of 160000 and employs a staff of approximately 2. The website states that this information comes from “a collection of public records, such as company financials, trade records, business registrations and government registries.” 18 Kroll’s online research also identified an address for the entity at 1997 Annapolis Exchange, Suite 300, Annapolis, Maryland 21401 19 and a phone number, (443) 949-7470. 20 Several websites that gather information about government contracts claim that Cicom USA LLC has received the following contracts: § In 2011, Cicom USA LLC was awarded two contracts by the U.S. Department of Defense for computer systems design services, totaling $365,225. § 21 From 2012 to 2014, Cicom USA LLC was awarded four contracts by the U.S. Drug Enforcement Administration for an interception system, totaling $237,000. 22 We searched an online database of corporate registration information maintained by the Maryland Secretary of State as well as an online database which collects corporate registration records from Secretaries of State across the U.S. We identified a record for Cicom USA LLC which states that the entity was formed on 5 March 2010. The limited liability company’s Articles of Incorporation state that its purpose is to “resell equipment to federal law enforcement agencies.” The corporate records state that Cicom USA LLC’s registration with Secretary of State was forfeited in 2012 due to failure to file property returns. None of the online corporate records associated with Cicom USA LLC name Velasco. 18 http://www.manta.com/c/mr4xtcd/cicom-usa-llc?ftoggle-frontend-prodon=abTests.engagement.rebrand_control&utm_expid=82789632-28.cEgZ_XOVRPaI6jwvn6oKhQ.1 19 This address is also present in records as 1997 Annapolis Exchange, Suite 30, Annapolis, Maryland 21401 20 http://www.manta.com/c/mr4xtcd/cicom-usa-llc?ftoggle-frontend-prodon=abTests.engagement.rebrand_control&utm_expid=82789632-28.cEgZ_XOVRPaI6jwvn6oKhQ.1; http://www.governmentspending.us/contractors/cicom-usa-llc/93730?bcsi-ac-; CA82A8E765621E57=237CA433000000029vh72i4Rcldz1YYq2i2xSse8WKQhAQAAAgAAAPfwGwGEAwAAAAAAAFEAA AA= 21 http://www.governmentcontractswon.com/department/defense/cicom-usa-llc-963322842.asp?yr=11 22 http://www.governmentspending.us/contractors/cicom-usa-llc/93730?bcsi-acCA82A8E765621E57=237CA433000000029vh72i4Rcldz1YYq2i2xSse8WKQhAQAAAgAAAPfwGwGEAwAAAAAAAFEAA AA=; http://governmentpurchaseorders.com/vendor/CicomUSA/234210003.html Private and Confidential 25 Project Patti We searched online databases containing public records for references to Cicom USA and identified none. We also searched an online database of legal records maintained by the Maryland Judiciary and identified no cases naming Cicom USA as a party. 23 7.2 Spearhead We identified a LinkedIn profile for Solon Webb, who was a Management Consultant at Cicom USA from 2007 to 2012 and is currently on the Board of Education for Anne Arundel County. According to his profile, “Cicom USA is a hi-tech joint venture of Cicom Espana and Spearhead ED, LLC.” 24 We conducted online searched to locate information about the relationship between Cicom USA LLC, Cicom Espana and Spearhead ED LLC. In particular: § A commercial database which collects identifying information from public records reports that Velasco has worked as General Manager of Cicom USA LLC from July 2010 to April 2014 as well as at Spearhead Electronic Devices LLC (“Spearhead”) from September 2005 to July 2012; § A Maryland Secretary of State corporate registration record states that Spearhead Electronic Devices LLC was registered on 22 June 2005 at 1017 Hyde Park Drive, Annapolis, Maryland 21403, which is Velasco’s current residence. The record states that the entity’s status was forfeited in 2010 due to failure to file property returns; § An online database containing web domain registration information identified a record stating that Velasco, on behalf of the organization Spearhead Electronic Devices, registered the domain hackingteam.info on 12 March 2014; § Searches for Cicom Espana identified CICOM Network Solutions, a Spain-based information technology company. What relationship, if any, exists between CICOM Network Solutions and Cicom USA is unclear. 25 Research on Google identified several profiles (Manta.com, Zoominfo.com) for Spearhead, containing the following description which appears to be from a website or advertisement for the company: To assist the Military and Federal, State, and local law enforcement agencies with the growing volume of electronic crime, Spearhead Electronic Devices, LLC is dedicated to offering a wide range of law enforcement, tactical surveillance and intelligence products. Headquartered in Annapolis, MD, Spearhead Electronic Devices, LLC has over 15 years of 23 Note that searches for Maryland legal records naming Velasco as a party identified approximately five traffic infractions filed against him as well as divorce proceedings filed in 2008. 24 https://www.linkedin.com/pub/solon-webb/15/629/70 25 http://www.cicom.es/qui%C3%A9nes-somos Private and Confidential 26 Project Patti experience providing the newest, most innovative technology for law enforcement, the military and homeland security. More detailed information can be obtained about how Spearhead Electronic Devices, LLC can help your agency's specific needs by contacting us at 443-949-7470 or emailing info@spearheadedllc.com. Spearheadllc.com is inactive. We also identified an archived publication for AMP’s S-Band Video Transmitter product, for which the local representative is listed as Spearhead. 26 The publication lists telephone numbers 202- 558-5570 and 301-332-5654 and the e-mail address velasco007@comcast.net. A “whois” result on Google identified velasco007@comcast.net as Alex Velasco at his current residence. A search on USASpending.gov and through media reports identified at least 10 government contracts that Spearhead was awarded between 2008 and 2010. These are for computer devices and ADPE software for the Department of Justice (FBI and Federal Prison System), Department of Defense and Department of Homeland Security (Secret Service and Customs and Border Protection). At least one of these was closed in 2013. Searches for litigation, judgments and liens naming Spearhead returned no results. Markmonitor searches for Alex Velasco, Spearhead Electronic Devices, Cicom, his phone numbers, address and e-mail address identified 70 domains registered by the subject. Most of these are inactive or currently owned by other individuals. The domains break down into the following categories: § 27 of these domains are related to fitness or health; one such domain redirects to a YouTube page for Fitness by Damian Velasco. § 10 domains are for a “spy shop” online, with names like “myspydepot.com” and “ispydepothome.com.” § 6 domains are for “media monitoring” in various cities in the U.S.; one such domain is for The Chicago Monitor, a news website that boasts a special “media monitoring system” but does not state specifics of this system (http://chicagomonitor.com/media-monitoringsystem/). This domain is currently owned by another individual. 26 § 5 domains are for Spearhead. § 4 domains are for Hacking Team. § 3 domains are variations of “mortgagedownonline.com.” § 2 domains contain “dhs” (likely, Department of Homeland Security). http://img-srv.dtcbuilder.com/engine/builder/images/1/3/6/4/8/9/file/5.pdf Private and Confidential 27 Project Patti § 2 domains are for Cicom and are inactive. § 10 domains are personal, such as “elizabethalex2012.com,” or ambiguous, such as “thesecretparttwo.com.” These domain registration records also provide the following email addresses for Velasco: alx.velasco@gmail.com and alex@spearheadllc.com. 7.3 ReaQta 7.3.1 Corporate information Reaqta Ltd. was registered on 15 May 2014 under the laws of Malta at Level 3, Theuma House, 302, St Paul Street Valletta, and it has registration no. C 65166. 27 In accordance to the provision of Clause 3 of the Memorandum of Association of the Company, the main objects for which the Company was established are: a. To design, create, develop, sell, license, service, review or offer maintenance of hardware and/or software and/or systems including security hardware, software of systems, to persons or entities in Malta or elsewhere and to provide all types of services related to the above-mentioned activities including but not limited to marketing, promotion, consultancy, operation and distribution, management and operations of content delivery system and devices; b. To provide consultancy, advisory, information and training services about hardware and/or software and/or information technology systems to persons or entities in Malta or elsewhere. The company has an authorized share capital of €30,000 divided into 1,950,000 Ordinary “A” Shares of €0.10 each and 1,050,000 Ordinary “B” Shares of €0.10 each. The main distinction between the two classes of shares is intrinsically linked to restrictions effective for a period of four years from the date of registration of the company as follows: a. The holders of the Ordinary “B” shares are not in the aforementioned period entitled to vote at general meetings; b. The holders of the Ordinary “A” Shares are in the aforementioned period entitled to jointly appoint one (1) director by letter to the Company Secretary. 28 The amount of issued share capital is of 1,950,000 Ordinary “A” Shares and 720,000 Ordinary “B” Shares and subscribed as follows: 27 Attachment IX – ReaQta Certificate. 28 Since the maximum number of directors of the Board is set at three, it is not clear how other directors can be appointed. Private and Confidential 28 Project Patti 1n vol-ma Part-1r Add r1255 Hahn rmiit'y' Fill-.33 SUITE 1. LIMITED Hausa. Hui-cm scan. I: 1656-! Sill GWMH SEN Sill-2 failures I 155ued Paid Mammal Value Fer r: . . . Shares up EUR A mm] 13-3-0 ll'lh??l'u'Ed Pill'i'lr' Hahn-halit- AL H0. Fri-le unis-55932 um CAEALE Fall'j 'h'r'jll,ll" WI SI-mn-Jh up 5hr)?: In ELIE a. TELECIIZI Lam-nuc- Parr-r Ind-?eas Mail-'Jnallt'f anan H0. in. Ifle .1 35 3H5 Duns uumcwm 5am:- Inc] I T. Claw issued ?ald mammal 'u'alue Per rm Share-5 up Share In EUF: InvnI-am'i Parr-g; Muir-e59: Mahanah'r'p FRAHHSEH Emma 3513, new 11d9?314! anon. DSC55416 1 ETECH ELIE CEESS Faurl Mammal 'u'alue Per up Share In UR Uldll?l?l?r I: F'arhr address Nailaraaliw HASGIRD 51 9255:: am SAN min 5111ch RWJAIIO [Thu 9111 Hair-Ind! 'u'dlue Pm urn Sham FUF: Endmaw a mum: Int-allied Part-5i~ ddress Matmnalin- MICHELE m: 1 11m TUHULD wit GIUSEFPE Hil?- (BM rrALv Shann- I 155uerJ Fund Hurnlnal Valua- Per Lv-a" share:- bhare ll'l EIJF: II-Ildlrul'r E- Private and Confidential 29 Project Patti Please note that Tri-Mer Services Limited (registration number C 36968) is a company which is licensed by the Malta Financial Services Authority to act as a fiduciary/trustee in terms of the Trusts and Trustees Act and thus it is likely that it is appearing for and on behalf of a third party beneficiary. The Director of ReaQta is Alberto Pelliccione, holder of Italian Passport number YA5885982 and residential address indicated as Via Casale 7, Milan, Italy. The Company Secretary of ReaQta is David Zahra, holder of Maltese Identity Card Number 26183M and residential address indicated as 239, Triq Il-Kbira, Balzan Bzn 1256, Malta. Other than the Memorandum and Articles of Association, there have been no filings at the Registry of Companies from incorporation to date of this report. 7.3.2 Media profile The website (www.ReaQta.com) has been developing in the course of our investigation. In December 2014, following the meeting between Velasco and Cummins, we visited the website for the first time and it stated: Our team combined the state of the art in Deep Learning with a never seen before system monitoring component to create a powerful solution, capable of detecting and blocking the most advanced threats, overcoming the known limitations of current signatures based detection systems. ReaQta-core is capable of detecting 0-day exploitation attempts and unknown malwares at the very moment of infection, moreover ReaQta-core is capable of detecting the most sophisticated data exfiltration attempts: encrypted and covert channels are immediately identified and analyzed, providing a real time alerting and prevention system for those environments where the highest level of security is required. The website provided a contact form for purchase inquiries. 29 It did not name Velasco. Our online research identified no additional information about ReaQta or Velasco’s affiliation with its products. We conducted searches through an online database of English-language media reports and identified no references to ReaQta. We also conducted research through an online database of web domain registration information and identified no results affiliating Velasco with ReaQta. According to ReaQta’s website, Alberto Pelliccione was its Machine Learning and Artificial Intelligence Expert. There were no additional references to Alberto’s affiliation with ReaQta or to ReaQta or Alberto’s presence in the U.S. Our visit of ReaQta website in February 2014 revealed that the site now lists the company’s officers, although only by first name. They are as follows: 29 https://reaqta.com/contacts/ Private and Confidential 30 Project Patti § Alberto Chief Executive Officer (i.e. Alberto Pelliccione. Pelliccione has a Google + profile which shows that he is connected to Velasco as well as Vincent Audric of Newco404. addition, Velasco and Vicent Audric are connected on Google); 30 In 31 § Frantisek, NanoOS Architect (no other profiles or information identified); § Giuseppe, Research & Development (ReaQta’s ownership structure includes two people named Giuseppe, Giuseppe Bonfa and Giuseppe Massaro); § Giuseppe, Research & Development (same note as above). The website states that the company is located at the address provided above, its phone number is +356 77489802, and its e-mail address is info@reaqta.com. Searches on these contact details do not provide any additional information. The company also has a Twitter account (@reaqta) with no posts and three followers: GiovanniC, Roberto Banfi and Firosky Krystar. Differently from December 2014 when we did not find any connections in the public domain between ReaQta and Velasco, ReaQta and Alex Velasco, representative of ReaQta.com, are now listed as “Newest Members,” on the website for the Chesapeake Regional Tech Council. Velasco’s profile provides the following info: Reaqta.com 1997 Annapolis Exchange Parkway Suite 300 Annapolis Maryland 21403 United States 3013325654 (Phone) Velasco’s is the “corporate primary account” for ReaQta.com, and the profile was last updated on 12 February 2015. 32 30 https://plus.google.com/+AlbertoPelliccione/about 31 https://plus.google.com/106442904683487677168/posts 32 http://www.chesapeaketech.org/members/?id=32969303&hhSearchTerms=%22reaqta%22 Private and Confidential 31 kroll.com