Some nine months ago, a hacker who calls himself Phineas Fisher managed to breach the systems and networks of Hacking Team, the (in)famous Italian company that provides offensive intrusion and surveillance software to governments, intelligence and law enforcement agencies around the world.
He took off with the company’s internal emails, files and source code, and leaked it all online.
This weekend, he decided to explain how he managed to carry out this attack.
In a Pastebin post, he shared that he exploited a zero-day vulnerability in an embedded device deployed inside the company’s network in order to gain a foothold in the network. (He declined to give more details about the vulnerabilities, as they are still not patched.)
“I did a lot of work and testing before using the exploit against Hacking Team. I wrote a backdoored firmware, and compiled various post-exploitation tools for the embedded device,” he said, and explained that “the backdoor serves to protect the exploit. Using the exploit just once and then returning through the backdoor makes it harder to identify and patch the vulnerabilities.”
He enumerated the tools he used to sniff the traffic within the network, as well as to scan it, and he found:
- Several MongoDB databases that didn’t require authentication in order to access them
- Backups that shouldn’t have been on that network
- A BES admin password in the backups, which allowed him to unearth other employees’ passwords and the Domain Admin one
- The Domain Admin password allowed him to access the company’s email server
- Finally, he managed to get access to the stored source code of the company’s surveillance software. He got that by using the “forgot my password” function for the Git server.
All in all, he says that it took him 100 hours of work to do all this and to exfiltrate the crucial data.
This account of the attack also contains other information about hacking techniques and tools, and about ways for hackers to keep their identities hidden from the authorities, but it also reveals more about Phineas Fisher’s motives.
He obviously hoped that the breach and subsequent leak would result in Hacking Team going out of business.
“Hacking Team was a company that helped governments hack and spy on journalists, activists, political opposition, and other threats to their power. And, occasionally, on actual criminals and terrorists,” he noted. “They also claimed to have technology to solve the ‘problem’ posed by Tor and the darknet. But seeing as I’m still free, I have my doubts about its effectiveness.”
“Unfortunately, our world is backwards. You get rich by doing bad things and go to jail for doing good,” he says.
“That’s the beauty and asymmetry of hacking: with 100 hours of work, one person can undo years of work by a multi-million dollar company. Hacking gives the underdog a chance to fight and win,” he concluded.
Before successfully breaching Hacking Team, Phineas Fisher compromised UK-based Gamma International, another provider that sells spying software to governments.
Hacking Team might not have been ruined by the breach, but it recently got its global export license revoked by the Italian Ministry of Economical Progress.