Anatomy of a hack: how a lone black hat took down a global spyware vendor

Hacker overlooking a city

The hacker claiming responsibility for a massive attack on spyware vendor Hacking Team has revealed how he pulled off the infiltration.

The perpetrator described himself as a 'black hat' hacker - one that uses their skills for personal gain, rather than helping companies plug the holes in their security - and goes by the alias Phineas Fisher.

Hacking Team specialises in, as the company puts it, offensive security. It sells tools to break into networks and gather data for covert surveillance, and has sold its products to the FBI and the US Department of Justice, along with a host of Italian government agencies.

Fisher's hack, conducted in July last year, also indicated that Hacking Team had conducted business with oppressive regimes in Saudi Arabia, Bahrain and Sudan, all of whom have been criticised for human rights abuses.

According to the black hat, the firm "helped governments hack and spy on journalists, activists, political opposition, and other threats to their power".

People like the staff employed by Hacking Team, he added, "misuse their talents working for 'defense' contractors, for intelligence agencies, to protect banks and corporations, and to defend the status quo".

Fisher released a Pastebin document (which we are not linking to) detailing the entire process through which he infiltrated Hacking Team's network, labeling it "a DIY guide".

According to Fisher, the most common methods of hacking were unfeasible. "I didn't want to try to spear phish Hacking Team," he said, "as their whole business is helping governments spear phish their opponents".

Such an attack would be quickly discovered, he reasoned, and the company's position as an infosec expert meant that its network was unlikely to be compromised by pre-existing bots or malware.

He also added that the company's exposed attack surface was very low, with very few systems connected directly to the internet, and therefore few systems he could try and exploit.

Fisher's only move was to find a zero-day exploit in one of three systems - Postfix (an email transfer agent), Joomla (the CMS system that ran Hacking Team's website), or one of the embedded appliances (a spam filter and two VPNs).

Two weeks of reverse-engineering yielded a remote root exploit for one of the appliances, although Fisher will not disclose further details, as "the vulnerabilities still haven't been patched".

Fisher extolled the virtues of extensive pre-breach preparation, saying: "The worst thing that could happen would be for my backdoor or post-exploitation tools to make the system unstable and cause an employee to investigate."

As part of a week of planning, he wrote a series of post-exploit tools, including custom firmware with a built-in backdoor. This meant he only had to use the exploit once, minimising the risk of detection.

Once inside the network, thanks to a vulnerability in its MongoDB database, Fisher found audio and video recordings of Hacking Team's staff at work.

The recordings were captured during testing of the company's Remote Control Software - a spyware tool that is one of its main products. Ironically, Fisher notes, "they were spying on themselves without meaning to".

"Although it was fun," he said, spooling through the recordings "wasn't very useful," so he rooted around until he'd found a backup of the company's Exchange email server.

From this, he was able to extract a local administrator password for the live server containing Hacking Team's emails - "the heart of the company".

As a precaution, Fisher downloaded the emails before he did anything else. This ensured that he wouldn't walk away empty-handed, as "with each step I take there's a chance of being detected".

His worries were unfounded, however. Fisher used tools like keyloggers and other spyware tools to wreak havoc on Hacking Team's network, sniffing around in their personal systems and gaining access to source code and Github repositories.

He ended his guide with a call to arms for would-be hackers. "Leaking documents, expropriating money from banks, and working to secure the computers of ordinary people is ethical hacking," he claimed.

"However, most people that call themselves 'ethical hackers' just work to secure those who pay their high consulting fees, who are often those most deserving to be hacked."

"That's the beauty and asymmetry of hacking", Fisher wrote. "With 100 hours of work, one person can undo years of work by a multi-million dollar company. Hacking gives the underdog a chance to fight and win."

Adam Shepherd

Adam Shepherd has been a technology journalist since 2015, covering everything from cloud storage and security, to smartphones and servers. Over the course of his career, he’s seen the spread of 5G, the growing ubiquity of wireless devices, and the start of the connected revolution. He’s also been to more trade shows and technology conferences than he cares to count.

Adam is an avid follower of the latest hardware innovations, and he is never happier than when tinkering with complex network configurations, or exploring a new Linux distro. He was also previously a co-host on the ITPro Podcast, where he was often found ranting about his love of strange gadgets, his disdain for Windows Mobile, and everything in between.

You can find Adam tweeting about enterprise technology (or more often bad jokes) @AdamShepherUK.