Anatomy of a hack: how a lone black hat took down a global spyware vendor

Hacktivist explains how he brought Hacking Team to its knees

Hacker overlooking a city

The hacker claiming responsibility for a massive attack on spyware vendor Hacking Team has revealed how he pulled off the infiltration.

The perpetrator described himself as a 'black hat' hacker - one that uses their skills for personal gain, rather than helping companies plug the holes in their security - and goes by the alias Phineas Fisher.

Hacking Team specialises in, as the company puts it, offensive security. It sells tools to break into networks and gather data for covert surveillance, and has sold its products to the FBI and the US Department of Justice, along with a host of Italian government agencies.

Fisher's hack, conducted in July last year, also indicated that Hacking Team had conducted business with oppressive regimes in Saudi Arabia, Bahrain and Sudan, all of whom have been criticised for human rights abuses.

According to the black hat, the firm "helped governments hack and spy on journalists, activists, political opposition, and other threats to their power".

People like the staff employed by Hacking Team, he added, "misuse their talents working for 'defense' contractors, for intelligence agencies, to protect banks and corporations, and to defend the status quo".

Fisher released a Pastebin document (which we are not linking to) detailing the entire process through which he infiltrated Hacking Team's network, labeling it "a DIY guide".

According to Fisher, the most common methods of hacking were unfeasible. "I didn't want to try to spear phish Hacking Team," he said, "as their whole business is helping governments spear phish their opponents".

Such an attack would be quickly discovered, he reasoned, and the company's position as an infosec expert meant that its network was unlikely to be compromised by pre-existing bots or malware.

He also added that the company's exposed attack surface was very low, with very few systems connected directly to the internet, and therefore few systems he could try and exploit.

Fisher's only move was to find a zero-day exploit in one of three systems - Postfix (an email transfer agent), Joomla (the CMS system that ran Hacking Team's website), or one of the embedded appliances (a spam filter and two VPNs).

Two weeks of reverse-engineering yielded a remote root exploit for one of the appliances, although Fisher will not disclose further details, as "the vulnerabilities still haven't been patched".

Fisher extolled the virtues of extensive pre-breach preparation, saying: "The worst thing that could happen would be for my backdoor or post-exploitation tools to make the system unstable and cause an employee to investigate."

As part of a week of planning, he wrote a series of post-exploit tools, including custom firmware with a built-in backdoor. This meant he only had to use the exploit once, minimising the risk of detection.

Once inside the network, thanks to a vulnerability in its MongoDB database, Fisher found audio and video recordings of Hacking Team's staff at work.

The recordings were captured during testing of the company's Remote Control Software - a spyware tool that is one of its main products. Ironically, Fisher notes, "they were spying on themselves without meaning to".

"Although it was fun," he said, spooling through the recordings "wasn't very useful," so he rooted around until he'd found a backup of the company's Exchange email server.

From this, he was able to extract a local administrator password for the live server containing Hacking Team's emails - "the heart of the company".

As a precaution, Fisher downloaded the emails before he did anything else. This ensured that he wouldn't walk away empty-handed, as "with each step I take there's a chance of being detected".

His worries were unfounded, however. Fisher used tools like keyloggers and other spyware tools to wreak havoc on Hacking Team's network, sniffing around in their personal systems and gaining access to source code and Github repositories.

He ended his guide with a call to arms for would-be hackers. "Leaking documents, expropriating money from banks, and working to secure the computers of ordinary people is ethical hacking," he claimed.

"However, most people that call themselves 'ethical hackers' just work to secure those who pay their high consulting fees, who are often those most deserving to be hacked."

"That's the beauty and asymmetry of hacking", Fisher wrote. "With 100 hours of work, one person can undo years of work by a multi-million dollar company. Hacking gives the underdog a chance to fight and win."

Featured Resources

The ultimate law enforcement agency guide to going mobile

Best practices for implementing a mobile device program

Free download

The business value of Red Hat OpenShift

Platform cost savings, ROI, and the challenges and opportunities of Red Hat OpenShift

Free download

Managing security and risk across the IT supply chain: A practical approach

Best practices for IT supply chain security

Free download

Digital remote monitoring and dispatch services’ impact on edge computing and data centres

Seven trends redefining remote monitoring and field service dispatch service requirements

Free download

Recommended

Identity Automation launches credential breach monitoring service
phishing

Identity Automation launches credential breach monitoring service

5 Oct 2021
Neiman Marcus data breach hits 4.6 million customers
data breaches

Neiman Marcus data breach hits 4.6 million customers

4 Oct 2021
Malware developers create malformed code signatures to avoid detection
malware

Malware developers create malformed code signatures to avoid detection

24 Sep 2021
Indiana notifies 750,000 after COVID-19 tracing data accessed
data breaches

Indiana notifies 750,000 after COVID-19 tracing data accessed

18 Aug 2021

Most Popular

Best Linux distros 2021
operating systems

Best Linux distros 2021

11 Oct 2021
Apple MacBook Pro 15in vs Dell XPS 15: Clash of the titans
Laptops

Apple MacBook Pro 15in vs Dell XPS 15: Clash of the titans

11 Oct 2021
Windows 11 has problems with Oracle VirtualBox
Microsoft Windows

Windows 11 has problems with Oracle VirtualBox

5 Oct 2021