Anatomy of a hack: how a lone black hat took down a global spyware vendor

Hacktivist explains how he brought Hacking Team to its knees

The hacker claiming responsibility for a massive attack on spyware vendor Hacking Team has revealed how he pulled off the infiltration.

The perpetrator described himself as a 'black hat' hacker - one that uses their skills for personal gain, rather than helping companies plug the holes in their security - and goes by the alias Phineas Fisher.

Hacking Team specialises in, as the company puts it, offensive security. It sells tools to break into networks and gather data for covert surveillance, and has sold its products to the FBI and the US Department of Justice, along with a host of Italian government agencies.

Fisher's hack, conducted in July last year, also indicated that Hacking Team had conducted business with oppressive regimes in Saudi Arabia, Bahrain and Sudan, all of whom have been criticised for human rights abuses.

Advertisement
Advertisement - Article continues below

According to the black hat, the firm "helped governments hack and spy on journalists, activists, political opposition, and other threats to their power".

People like the staff employed by Hacking Team, he added, "misuse their talents working for 'defense' contractors, for intelligence agencies, to protect banks and corporations, and to defend the status quo".

Fisher released a Pastebin document (which we are not linking to) detailing the entire process through which he infiltrated Hacking Team's network, labeling it "a DIY guide".

According to Fisher, the most common methods of hacking were unfeasible. "I didn't want to try to spear phish Hacking Team," he said, "as their whole business is helping governments spear phish their opponents".

Such an attack would be quickly discovered, he reasoned, and the company's position as an infosec expert meant that its network was unlikely to be compromised by pre-existing bots or malware.

He also added that the company's exposed attack surface was very low, with very few systems connected directly to the internet, and therefore few systems he could try and exploit.

Fisher's only move was to find a zero-day exploit in one of three systems - Postfix (an email transfer agent), Joomla (the CMS system that ran Hacking Team's website), or one of the embedded appliances (a spam filter and two VPNs).

Two weeks of reverse-engineering yielded a remote root exploit for one of the appliances, although Fisher will not disclose further details, as "the vulnerabilities still haven't been patched".

Fisher extolled the virtues of extensive pre-breach preparation, saying: "The worst thing that could happen would be for my backdoor or post-exploitation tools to make the system unstable and cause an employee to investigate."

As part of a week of planning, he wrote a series of post-exploit tools, including custom firmware with a built-in backdoor. This meant he only had to use the exploit once, minimising the risk of detection.

Advertisement
Advertisement - Article continues below

Once inside the network, thanks to a vulnerability in its MongoDB database, Fisher found audio and video recordings of Hacking Team's staff at work.

The recordings were captured during testing of the company's Remote Control Software - a spyware tool that is one of its main products. Ironically, Fisher notes, "they were spying on themselves without meaning to".

"Although it was fun," he said, spooling through the recordings "wasn't very useful," so he rooted around until he'd found a backup of the company's Exchange email server.

From this, he was able to extract a local administrator password for the live server containing Hacking Team's emails - "the heart of the company".

As a precaution, Fisher downloaded the emails before he did anything else. This ensured that he wouldn't walk away empty-handed, as "with each step I take there's a chance of being detected".

His worries were unfounded, however. Fisher used tools like keyloggers and other spyware tools to wreak havoc on Hacking Team's network, sniffing around in their personal systems and gaining access to source code and Github repositories.

He ended his guide with a call to arms for would-be hackers. "Leaking documents, expropriating money from banks, and working to secure the computers of ordinary people is ethical hacking," he claimed.

"However, most people that call themselves 'ethical hackers' just work to secure those who pay their high consulting fees, who are often those most deserving to be hacked."

"That's the beauty and asymmetry of hacking", Fisher wrote. "With 100 hours of work, one person can undo years of work by a multi-million dollar company. Hacking gives the underdog a chance to fight and win."

Featured Resources

The essential guide to cloud-based backup and disaster recovery

Support business continuity by building a holistic emergency plan

Download now

Trends in modern data protection

A comprehensive view of the data protection landscape

Download now

How do vulnerabilities get into software?

90% of security incidents result from exploits against defects in software

Download now

Delivering the future of work - now

The CIO’s guide to building the unified digital workspace for today’s hybrid and multi-cloud strategies.

Download now
Advertisement

Recommended

Visit/malware/33080/hackers-abuse-linkedin-dms-to-plant-malware
malware

Hackers abuse LinkedIn DMs to plant malware

25 Feb 2019
Visit/security/ddos/28039/how-to-protect-against-a-ddos-attack
Security

How to protect against a DDoS attack

25 Oct 2019
Visit/antivirus/28144/best-antivirus
antivirus

Best antivirus for Windows 10

3 Sep 2019
Visit/data-breaches/29418/equifax-data-breach-cost-14-billion-so-far/page/0/1
data breaches

Ex-Equifax CIO to serve four months for insider trading

2 Jul 2019

Most Popular

Visit/cloud/microsoft-azure/354230/microsoft-not-amazon-is-going-to-win-the-cloud-wars
Microsoft Azure

Microsoft, not Amazon, is going to win the cloud wars

30 Nov 2019
Visit/cloud/amazon-web-services-aws/354223/what-to-expect-from-aws-reinvent-2019
Amazon Web Services (AWS)

What to expect from AWS Re:Invent 2019

29 Nov 2019
Visit/hardware/354232/raspberry-pi-4-owners-complain-of-broken-wi-fi-when-using-hdmi
Hardware

Raspberry Pi 4 owners complain of broken Wi-Fi when using HDMI

29 Nov 2019
Visit/mobile/google-android/354189/samsung-galaxy-a90-5g-review-simply-the-best-value-5g-phone
Google Android

Samsung Galaxy A90 5G review: Simply the best value 5G phone

22 Nov 2019