Anatomy of a hack: how a lone black hat took down a global spyware vendor

Hacktivist explains how he brought Hacking Team to its knees

The hacker claiming responsibility for a massive attack on spyware vendor Hacking Team has revealed how he pulled off the infiltration.

The perpetrator described himself as a 'black hat' hacker - one that uses their skills for personal gain, rather than helping companies plug the holes in their security - and goes by the alias Phineas Fisher.

Advertisement - Article continues below

Hacking Team specialises in, as the company puts it, offensive security. It sells tools to break into networks and gather data for covert surveillance, and has sold its products to the FBI and the US Department of Justice, along with a host of Italian government agencies.

Fisher's hack, conducted in July last year, also indicated that Hacking Team had conducted business with oppressive regimes in Saudi Arabia, Bahrain and Sudan, all of whom have been criticised for human rights abuses.

According to the black hat, the firm "helped governments hack and spy on journalists, activists, political opposition, and other threats to their power".

People like the staff employed by Hacking Team, he added, "misuse their talents working for 'defense' contractors, for intelligence agencies, to protect banks and corporations, and to defend the status quo".

Fisher released a Pastebin document (which we are not linking to) detailing the entire process through which he infiltrated Hacking Team's network, labeling it "a DIY guide".

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

According to Fisher, the most common methods of hacking were unfeasible. "I didn't want to try to spear phish Hacking Team," he said, "as their whole business is helping governments spear phish their opponents".

Such an attack would be quickly discovered, he reasoned, and the company's position as an infosec expert meant that its network was unlikely to be compromised by pre-existing bots or malware.

He also added that the company's exposed attack surface was very low, with very few systems connected directly to the internet, and therefore few systems he could try and exploit.

Fisher's only move was to find a zero-day exploit in one of three systems - Postfix (an email transfer agent), Joomla (the CMS system that ran Hacking Team's website), or one of the embedded appliances (a spam filter and two VPNs).

Two weeks of reverse-engineering yielded a remote root exploit for one of the appliances, although Fisher will not disclose further details, as "the vulnerabilities still haven't been patched".

Advertisement - Article continues below

Fisher extolled the virtues of extensive pre-breach preparation, saying: "The worst thing that could happen would be for my backdoor or post-exploitation tools to make the system unstable and cause an employee to investigate."

As part of a week of planning, he wrote a series of post-exploit tools, including custom firmware with a built-in backdoor. This meant he only had to use the exploit once, minimising the risk of detection.

Once inside the network, thanks to a vulnerability in its MongoDB database, Fisher found audio and video recordings of Hacking Team's staff at work.

The recordings were captured during testing of the company's Remote Control Software - a spyware tool that is one of its main products. Ironically, Fisher notes, "they were spying on themselves without meaning to".

"Although it was fun," he said, spooling through the recordings "wasn't very useful," so he rooted around until he'd found a backup of the company's Exchange email server.

Advertisement - Article continues below

From this, he was able to extract a local administrator password for the live server containing Hacking Team's emails - "the heart of the company".

As a precaution, Fisher downloaded the emails before he did anything else. This ensured that he wouldn't walk away empty-handed, as "with each step I take there's a chance of being detected".

His worries were unfounded, however. Fisher used tools like keyloggers and other spyware tools to wreak havoc on Hacking Team's network, sniffing around in their personal systems and gaining access to source code and Github repositories.

He ended his guide with a call to arms for would-be hackers. "Leaking documents, expropriating money from banks, and working to secure the computers of ordinary people is ethical hacking," he claimed.

"However, most people that call themselves 'ethical hackers' just work to secure those who pay their high consulting fees, who are often those most deserving to be hacked."

"That's the beauty and asymmetry of hacking", Fisher wrote. "With 100 hours of work, one person can undo years of work by a multi-million dollar company. Hacking gives the underdog a chance to fight and win."

Featured Resources

Preparing for long-term remote working after COVID-19

Learn how to safely and securely enable your remote workforce

Download now

Cloud vs on-premise storage: What’s right for you?

Key considerations driving document storage decisions for businesses

Download now

Staying ahead of the game in the world of data

Create successful marketing campaigns by understanding your customers better

Download now

Transforming productivity

Solutions that facilitate work at full speed

Download now
Advertisement
Advertisement

Recommended

Visit/mobile/google-android/356373/over-2-dozen-additional-android-apps-found-stealing-user-data
Google Android

Over two dozen Android apps found stealing user data

7 Jul 2020
Visit/antivirus/28144/best-antivirus
antivirus

Best antivirus for Windows 10

30 Jun 2020
Visit/security/ethical-hacking/356252/poorly-secured-banking-apps-lead-to-cyber-threats
ethical hacking

Mobile banking apps are exposing user data to attackers

26 Jun 2020
Visit/security/malware/356231/most-malware-came-through-https-connections-in-q1-2020
malware

Most malware came through HTTPS connections in Q1 2020

25 Jun 2020

Most Popular

Visit/mobile/google-android/356373/over-2-dozen-additional-android-apps-found-stealing-user-data
Google Android

Over two dozen Android apps found stealing user data

7 Jul 2020
Visit/laptops/29190/how-to-find-ram-speed-size-and-type
Laptops

How to find RAM speed, size and type

24 Jun 2020
Visit/cloud/356260/the-road-to-recovery
Sponsored

The road to recovery

30 Jun 2020