How Hacking Team got hacked

The hacker who stole reams of secret documents from the controversial surveillance company Hacking Team has come forward to explain how he did it and why.

In a lengthy post on Pastebin, the hacker known as “Phineas Fisher” details how he* was able to penetrate Hacking Team’s network and silently exfiltrate 400GB of data, including internal emails and the source code of Hacking Team’s surveillance tool, Remote Control System (RCS).

The post is part technical document, explaining the various tools and methods Phineas Fisher used to penetrate Hacking Team’s systems; part “DIY guide” for wannabe hackers; and part political manifesto describing his motives.

The hacker wrote that he was able to get a foothold in Hacking Team’s network by exploiting a zero-day vulnerability in an embedded system:

A 0day in an embedded device seemed like the easiest option, and after two weeks of work reverse engineering, I got a remote root exploit. Since the vulnerabilities still haven’t been patched, I won’t give more details […]

Once he was able to get on the network undetected, Phineas Fisher says he spent a long time conducting reconnaissance, until he discovered several unsecured backups.

The series of steps Phineas Fisher took next is summed up neatly by Softpedia:

The most precious backup was of the Exchange email server, from where he extracted the BES (BlackBerry Enterprise Server) admin account password, which was still valid.

This password allowed Phineas Fisher to escalate his access by hacking the company’s Domain Admin server, from where he extracted the passwords for all the company’s users.

The hacker then honed in on one of the system administrators (“One of my favorite hobbies is hunting sysadmins”), whose emails revealed the password for Hacking Team’s GitLab source code library.

With the GitLab password, Phineas Fisher had what he needed to pilfer Hacking Team’s most valuable intellectual property – the source code for its flagship product, RCS.

The whole process took 100 hours, the hacker said in his post:

That’s all it takes to take down a company and stop their human rights abuses. That’s the beauty and asymmetry of hacking: with 100 hours of work, one person can undo years of work by a multi-million dollar company. Hacking gives the underdog a chance to fight and win.

It’s been eight months since Phineas Fisher exposed Hacking Team’s secrets last July, when the hacker said on Twitter that he wanted to wait to reveal how he did it, to give Hacking Team enough time “to fail at figuring out what happened and go out of business.”

Hacking Team is still in business, although earlier this month the Italian government revoked the company’s license to sell spyware outside of Europe without special permission.

_{* Although we don’t know if Phineas Fisher is a man or woman, for simplicity and consistency we have chosen to use the masculine pronoun.}

Image of computer insides courtesy of Shutterstock.com.