Hacker publishes detailed account of his attack on Hacking Team

A hacker known as Phineas Fisher has published a detailed account of his attack on the Italian company Hacking Team in 2015. He describes how he proceeded and what tools he used to loot 400GB of data.

The hacker’s name is likely a pun on the FinFisher malware, which is provided by the German company Gamma International. This company was previously targeted by the same hacker. The recently published story is a translation of a piece originally written in Spanish popped up. The hacker indicates that he has modified his method for this attack, so that he cannot be identified on the basis of his technique. The story starts with a description of the procedure and general tips are given, such as encrypting hard drives as a security measure.

The hacker also discusses his infrastructure, which consists of both stable and hacked servers. In addition, he uses domain names to have a guaranteed tunnel from the hacked network to command and control servers. In order to collect information about the target, the hacker praises the versatility of Google in combination with a number of specific search terms.

After Fisher had gathered enough information, he could begin to penetrate Hacking Team’s network. He chose not to use spear phishing, because the Italian company itself often used this technique of targeted phishing attacks. He also considered buying access from Russian parties, who would have access to virtually all Fortune 500 companies. Hacking Team, however, was too small a party for this approach. He had no choice but to search for hitherto unknown vulnerabilities, or zero days, in the systems present on Hacking Team’s servers, including the content management system Joomla and the e-mail software Postfix.

Ultimately, he chose to look for such vulnerabilities in embedded devices that perform a certain function, such as a router. After two weeks, he found a leak that allowed him to run code remotely on the device using rce. Now that he had access, he could explore the rest of the Hacking Team network. For example, he found an iscsi device that led him to a number of databases. In it, he found backups containing hashed passwords, including from a local administrator. On the basis of that, he came into possession of more passwords.

After this, he was able to download the company’s email and files, after which he made them publicly accessible in 2015 via a torrent file. In total, the hack would have taken him about a hundred hours. After this event, Hacking Team appeared to have stopped, but later there were several indications that the company is still active and selling spy tools to governments and other parties. The Italian government also recently decided that the company can only target European governments.