[BreachExchange] The Vigilante Who Hacked Hacking Team Explains How He Did It

[Audrey McNeil]

http://motherboard.vice.com/read/the-vigilante-who-hacked-hacking-team-explains-how-he-did-it

Back in July of last year, the controversial government spying and hacking
tool seller Hacking Team was hacked itself by an outside attacker. The
breach made headlines worldwide, but no one knew much about the perpetrator
or how he did it.

That mystery has finally been revealed.

After eight months of almost complete silence, the pseudonymous digital
vigilante behind the hack has resurfaced, publishing a detailed explanation
of how he broke into the company’s systems and laid bare its most closely
guarded secrets.

The write-up breaks down not only how the hacker, who calls himself Phineas
Fisher, sneaked into Hacking Team’s network and quietly exfiltrated more
than 400 gigabytes of data, but also serves as a manifesto of his political
ideals and the motives behind the hack.

“And that's all it takes to take down a company and stop its abuses against
human rights,” the hacker proclaimed at the end of his guide, which
Motherboard has seen in advance. “That’s the beauty and asymmetry of
hacking: with just 100 hours of work, one person can undo years of a
multimillion dollar company’s work. Hacking gives the underdog a chance to
fight and win.“

Phineas Fisher argued that leaking documents to show corruption and abuse
of power is real “ethical hacking,” as opposed to doing consulting work for
companies who are often the ones that actually deserve to be hacked.

Hacking Team is a Italian company that sells spyware and hacking services
to police and intelligence agencies across the world. Through the years,
researchers have documented several cases where Hacking Team’s tools were
used against journalists, dissidents, or activists.

“I see [Hacking Team’s CEO David] Vincenzetti, his company, and his friends
in the police, military and governments, as part of a long tradition of
Italian fascists,” Phineas Fisher continued, writing in Spanish.
(Vincenzetti often signs his emails with the fascist motto “Boia chi molla“)

Last year, the hacker, who’s been only known as Phineas Fisher, though his
Twitter account’s handle is now “Hack Back,” broke into the corporate
servers of Hacking Team, going seemingly unnoticed for weeks.

In early July of 2015, the hacker culminated his intrusion by leaking
online a massive treasure trove of files containing thousands of internal
documents, emails, and even the source code of the company’s hacking
tools—in other words, Phineas Fisher took everything there was to take,
laying bare all the company’s secrets, including its once closely-held list
of customers.

On the night the hacker published the data, he revealed himself to be the
same person who in 2014 breached Gamma International, a Hacking Team’s
competitor that sells spyware called FinFisher. For months, however, one
big question has remained unanswered: how did the hacker manage to
embarrass and completely own a company whose whole business model depended
exactly on hacking other people?

At the time, the hacker promised he’d soon tell the world. He just wanted
to wait a little time, he said on Twitter, until Hacking Team “had some
time to fail at figuring out what happened and go out of business.”

More than eight months later, Hacking Team is still in business. That’s why
Phineas Fisher decided to come out with the blow-by-blow account of what
happened, “so we can laugh them off the internet for good,” he tweeted.In
his guide, published on Friday, the hacker explained how he used an unknown
vulnerability, or zero day, to get the first foothold into Hacking Team’s
internal network. Given that the bug has still not been patched, however,
Phineas Fisher didn’t provide any details on what the vulnerability is
exactly, or where he found it. (The hacker also declined to comment for
this story.)

After getting in, the hacker said he moved around carefully, first
downloading emails, then gaining access to other servers and parts of the
network. Having gained administrative privileges inside the company’s main
Windows network, Phineas Fisher said he spied on the system administrators,
particularly Christian Pozzi, given that they usually have access to the
whole network. Having stolen Pozzi’s passwords by recording his keystrokes,
the hacker said he accessed and exfiltrated all the company’s source code,
which was hosted on a separate isolated network.

At that point, he reset Hacking Team’s Twitter password using the “forgot
password” function, and on the late evening of July 5, he announced the
hack using the company’s own Twitter account.

The hacker said that he was inside Hacking Team’s network for six weeks,
and that it took him roughly 100 hours of work to move around and get all
the data. Judging from his words, it’s clear Phineas Fisher had a strong
political motivation to attack Hacking Team.

“I want to dedicate this guide to the victims of the assault on the Armando
Diaz school, and all those who had their blood spilled by Italian
fascists,” he added, referring to the bloody raid on the Italian school in
Genoa in 2001, where police forces stormed a school where anti G-8
activists of the Genao Social Forum were housed, resulting in the arrest of
93 activists. The methods of the raid and subsequent detention, however,
were so controversial that 125 policemen were brought to trial, accused of
beating and torturing the detainees.

The hacker also rejected being defined as a vigilante, and chose a more
political definition.

“I would characterize myself as an anarchist revolutionary, not as a
vigilante,“ he told me in an email. “Vigilantes act outside the system but
intend to carry out the work of the police and judicial system, neither of
which I'm a fan of. I'm clearly a criminal, it's unclear whether Hacking
Team did anything illegal. If anyone, Hacking Team are the vigilantes,
acting in the margins in pursuit of their love for authority and law and
order.“

In the guide, Phineas Fisher encourages others to follow his example.

“Hacking is a powerful tool. Let’s learn and fight!” he wrote, quoting the
anarcho-syndicalist labor union Comision Nacional de Trabajo, or CNT. After
Phineas Fisher hacked Gamma Group in 2014, the CNT said that it was clear
technology was just another front in class warfare, and that it was time to
“take a step forward” with “new forms of fighting.”

It’s impossible to verify whether all the details in the guide are true,
given that neither Hacking Team nor the Italian authorities have disclosed
anything related to the hack.

“Any comment should come from the Italian police authorities who have been
investigating the attack on Hacking Team, so no comment from the company,”
Hacking Team’s spokesperson Eric Rabe said in an email. The Italian
prosecutor’s office could not be reached for comment.

It’s unclear how the investigation is going, but Phineas Fisher doesn’t
seem too worried he’ll get caught. In another section of his guide, he
described Hacking Team as a company that helped governments spy on
activists, journalists, political opponents, and “very occasionally”
criminals and terrorists. The hacker also referred to Hacking Team’s claims
that it was developing tech to track criminals using the Tor network and on
the dark web.“But considering I’m still free,” he wrote snarkily, “I have
doubts about its effectiveness.”

After sharing a contact email address, in case anyone wants to send “spear
phishing attempts, death threats in Italian, or to gift him zero days or
access inside banks, corporations or governments,” the hacker concludes
with a call to arms.

“If not you, who?” He wrote. “If not now, when?”
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160418/cc28c5cb/attachment-0001.html>