Anatomy of a hack: how a lone black hat took down a global spyware vendor

Hacktivist explains how he brought Hacking Team to its knees

The hacker claiming responsibility for a massive attack on spyware vendor Hacking Team has revealed how he pulled off the infiltration.

The perpetrator described himself as a 'black hat' hacker - one that uses their skills for personal gain, rather than helping companies plug the holes in their security - and goes by the alias Phineas Fisher.

Hacking Team specialises in, as the company puts it, offensive security. It sells tools to break into networks and gather data for covert surveillance, and has sold its products to the FBI and the US Department of Justice, along with a host of Italian government agencies.

Fisher's hack, conducted in July last year, also indicated that Hacking Team had conducted business with oppressive regimes in Saudi Arabia, Bahrain and Sudan, all of whom have been criticised for human rights abuses.

Advertisement - Article continues below
Advertisement - Article continues below

According to the black hat, the firm "helped governments hack and spy on journalists, activists, political opposition, and other threats to their power".

People like the staff employed by Hacking Team, he added, "misuse their talents working for 'defense' contractors, for intelligence agencies, to protect banks and corporations, and to defend the status quo".

Fisher released a Pastebin document (which we are not linking to) detailing the entire process through which he infiltrated Hacking Team's network, labeling it "a DIY guide".

According to Fisher, the most common methods of hacking were unfeasible. "I didn't want to try to spear phish Hacking Team," he said, "as their whole business is helping governments spear phish their opponents".

Such an attack would be quickly discovered, he reasoned, and the company's position as an infosec expert meant that its network was unlikely to be compromised by pre-existing bots or malware.

He also added that the company's exposed attack surface was very low, with very few systems connected directly to the internet, and therefore few systems he could try and exploit.

Advertisement - Article continues below

Fisher's only move was to find a zero-day exploit in one of three systems - Postfix (an email transfer agent), Joomla (the CMS system that ran Hacking Team's website), or one of the embedded appliances (a spam filter and two VPNs).

Two weeks of reverse-engineering yielded a remote root exploit for one of the appliances, although Fisher will not disclose further details, as "the vulnerabilities still haven't been patched".

Fisher extolled the virtues of extensive pre-breach preparation, saying: "The worst thing that could happen would be for my backdoor or post-exploitation tools to make the system unstable and cause an employee to investigate."

As part of a week of planning, he wrote a series of post-exploit tools, including custom firmware with a built-in backdoor. This meant he only had to use the exploit once, minimising the risk of detection.

Advertisement - Article continues below

Once inside the network, thanks to a vulnerability in its MongoDB database, Fisher found audio and video recordings of Hacking Team's staff at work.

The recordings were captured during testing of the company's Remote Control Software - a spyware tool that is one of its main products. Ironically, Fisher notes, "they were spying on themselves without meaning to".

Advertisement - Article continues below

"Although it was fun," he said, spooling through the recordings "wasn't very useful," so he rooted around until he'd found a backup of the company's Exchange email server.

From this, he was able to extract a local administrator password for the live server containing Hacking Team's emails - "the heart of the company".

As a precaution, Fisher downloaded the emails before he did anything else. This ensured that he wouldn't walk away empty-handed, as "with each step I take there's a chance of being detected".

His worries were unfounded, however. Fisher used tools like keyloggers and other spyware tools to wreak havoc on Hacking Team's network, sniffing around in their personal systems and gaining access to source code and Github repositories.

He ended his guide with a call to arms for would-be hackers. "Leaking documents, expropriating money from banks, and working to secure the computers of ordinary people is ethical hacking," he claimed.

"However, most people that call themselves 'ethical hackers' just work to secure those who pay their high consulting fees, who are often those most deserving to be hacked."

Advertisement - Article continues below

"That's the beauty and asymmetry of hacking", Fisher wrote. "With 100 hours of work, one person can undo years of work by a multi-million dollar company. Hacking gives the underdog a chance to fight and win."

Featured Resources

What you need to know about migrating to SAP S/4HANA

Factors to assess how and when to begin migration

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

Testing for compliance just became easier

How you can use technology to ensure compliance in your organisation

Download now

Best practices for implementing security awareness training

How to develop a security awareness programme that will actually change behaviour

Download now



Hackers abuse LinkedIn DMs to plant malware

25 Feb 2019

Best free malware removal tools 2019

23 Dec 2019

How to protect against a DDoS attack

25 Oct 2019

Best antivirus for Windows 10

3 Sep 2019

Most Popular

data governance

Brexit security talks under threat after UK accused of illegally copying Schengen data

10 Jan 2020
Microsoft Windows

What to do if you're still running Windows 7

14 Jan 2020

Dell XPS 13 (New 9300) hands-on review: Chasing perfection

14 Jan 2020
operating systems

17 Windows 10 problems - and how to fix them

13 Jan 2020