A Brief Analysis of How Phineas Fisher Hacked HackingTeam - Part 1


Introduction

Understanding the techniques a hacker uses to compromise servers is the first step towards being able to defend systems. A company cannot defend itself against the unknown. Defensive security should be defined as a mix of defensive tools and capabilities (antiviruses, web proxies, methodologies) and knowledge of attack vectors and techniques. Therefore, it is important to study and understand how attackers manage to compromise networks.

In this series of articles we will focus on Phineas Fisher’s account of how he managed to compromise the systems of HackingTeam. The series will be divided into three parts, each describing one step of the attack: information gathering, gaining access and lateral movement. Although the events he describes took place around eight years ago, the report is still useful and insightful.

Who is Phineas Fisher?

Phineas Fisher is the nickname of a hacktivist who hacked various entities and companies, including surveillance companies, a bank, and political institutions. He is a self-proclaimed anarchist, whose purpose is to fight against the establishment. His identity remains unknown to this day [1]. Fisher released a few documents in the HackBack! series in which he details the steps he took to compromise his targets. His report on the steps he took to compromise the systems of HackingTeam is published in English on GitHub [2].

HackingTeam

HackingTeam was a technology company that sold surveillance and offensive tools to public institutions, law enforcement and private companies. The company was acquired in 2019 by the InTheCyber Group to create Memento Labs [3].

Why Did Phineas Fisher Target HackingTeam?

Phineas Fisher hacked the company out of the personal conviction that he was fighting an actor who makes surveillance easier for the system (i.e. governments). His political ideas are stated at the beginning of the documents in the HackBack! series. After the release of the files, HackingTeam’s e-mails were published by WikiLeaks [4].

Information Gathering

Phineas Fisher points out that expanding the attack surface of the company (by gathering as much information as possible) is a necessary first step. He starts by mentioning that Google is a good source of information if the appropriate search queries are used. He adds that subdomain enumeration helps define the company’s IP range and that interesting information can sometimes be found on subdomains. He refers to fierce [5], theHarvester [6] and recon-ng [7] as the tools he uses in the information gathering phase. Next, Fisher recommends performing whois lookups and reverse lookups in order to discover other domains and IP ranges.
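The defensive counterpart of the subdomain and IP-range enumeration described above is to audit your own DNS zone before an attacker does. The following Python script is an added example and not part of Fisher’s report or the tools he names: it parses a constructed BIND-style zone dump and flags A/AAAA records that point outside the address ranges you own (forgotten hosts that widen the attack surface) and CNAMEs that point at domains you do not control. The approved ranges, owned domains and zone lines are all constructed values, and the zone line format is an assumption.

```python
import ipaddress

# Constructed values: replace with the ranges and domains your organisation owns.
APPROVED_RANGES = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "2001:db8::/32")]
OWNED_DOMAINS = ("example.com",)

# Constructed BIND-style zone dump (name ttl class type rdata); the
# "forgotten VPS" and the third-party CNAME are the planted findings.
SAMPLE_ZONE = """
www.example.com.        300 IN A     192.0.2.10
mail.example.com.       300 IN A     192.0.2.25
old-demo.example.com.   300 IN A     203.0.113.44   ; forgotten VPS
ipv6.example.com.       300 IN AAAA  2001:db8::1
blog.example.com.       300 IN CNAME example-blog.hosting-provider.example.
dev.example.com.        300 IN CNAME www.example.com.
"""


def parse_zone(text):
    """Return (name, type, rdata) tuples; comments and blank lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 5:          # name ttl class type rdata
            continue
        name, rtype, rdata = parts[0], parts[3].upper(), " ".join(parts[4:])
        records.append((name.rstrip("."), rtype, rdata.rstrip(".")))
    return records


def is_owned(host):
    """True if host is one of OWNED_DOMAINS or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in OWNED_DOMAINS)


def audit_zone(records, approved=APPROVED_RANGES):
    """Flag addresses outside the approved ranges and CNAMEs to foreign domains."""
    findings = []
    for name, rtype, rdata in records:
        if rtype in ("A", "AAAA"):
            try:
                addr = ipaddress.ip_address(rdata)
            except ValueError:
                findings.append((name, rtype, rdata, "unparseable address"))
                continue
            # A v4 address is never "in" a v6 network and vice versa, so mixed
            # ranges are handled without special casing.
            if not any(addr in net for net in approved):
                findings.append((name, rtype, rdata, "address outside approved ranges"))
        elif rtype == "CNAME" and not is_owned(rdata):
            findings.append((name, rtype, rdata, "CNAME to a domain you do not control"))
    return findings


if __name__ == "__main__":
    for name, rtype, rdata, reason in audit_zone(parse_zone(SAMPLE_ZONE)):
        print(f"{name:<24} {rtype:<6} {rdata:<40} {reason}")
```

Run against a real zone export, the two findings to act on are the record pointing at an address you no longer control (decommission the record or the host) and the CNAME to a third-party service, which should be tracked so the record is removed when the service is cancelled.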

Once he has an overview of the targeted IP ranges, he says that the next step is scanning the targets discovered through the above-mentioned enumeration methods. However, this already means leaving traces on the target’s servers, as scanning involves connecting to open ports and identifying the services behind them.

To avoid detection, he uses dedicated infrastructure for any activity that requires direct communication with a company’s servers. He mentions that domain names, stable servers and hacked servers are the components of the infrastructure he employs in his attacks. Domain names are used for C&C servers and DNS tunnels. Stable servers are used as C&C servers to receive reverse shells and to store the information he gathers from his targets. Lastly, the hacked servers are used as pivots to hide the IP addresses of the stable servers and to scan ports and download files. He connects to this infrastructure through the Tor network.

Back to port scanning, he notes that nmap is a precise tool. However, for companies with larger IP ranges, he suggests that zmap and masscan are faster.
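Because scanning leaves traces on the target’s servers, it is also one of the earliest signals a defender can alert on. The following Python script is an added example, not code from Fisher’s report: it parses constructed iptables-style firewall log lines and flags the two scan shapes the paragraphs above correspond to, a vertical scan (one source probing many ports on one host, the nmap pattern) and a horizontal sweep (one source probing one port across many hosts, the pattern zmap and masscan produce). The log format, the 60-second window and the thresholds of ten ports or ten hosts are assumptions to tune for your own environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed iptables-style line format; adapt the regex to your own firewall.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"proto=(?P<proto>\w+) dport=(?P<dport>\d+)$"
)
WINDOW = timedelta(seconds=60)   # assumed tuning values
VERTICAL_PORTS = 10              # distinct ports on one host from one source
HORIZONTAL_HOSTS = 10            # distinct hosts on one port from one source


def parse_line(line):
    """Return a dict for a matching line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    ev["dport"] = int(ev["dport"])
    return ev


def detect_scans(lines, window=WINDOW, vertical=VERTICAL_PORTS, horizontal=HORIZONTAL_HOSTS):
    """Sliding-window detector; emits one alert per (type, source, target)."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    recent = defaultdict(list)        # src -> events still inside the window
    alerted, alerts = set(), []
    for ev in events:
        src, buf = ev["src"], recent[ev["src"]]
        buf.append(ev)
        cutoff = ev["ts"] - window
        while buf and buf[0]["ts"] < cutoff:
            buf.pop(0)
        ports_by_dst, dsts_by_port = defaultdict(set), defaultdict(set)
        for e in buf:
            ports_by_dst[e["dst"]].add(e["dport"])
            dsts_by_port[e["dport"]].add(e["dst"])
        for dst, ports in ports_by_dst.items():
            if len(ports) >= vertical and ("vertical", src, dst) not in alerted:
                alerted.add(("vertical", src, dst))
                alerts.append({"type": "vertical", "src": src, "target": dst,
                               "count": len(ports), "at": ev["ts"]})
        for port, dsts in dsts_by_port.items():
            if len(dsts) >= horizontal and ("horizontal", src, port) not in alerted:
                alerted.add(("horizontal", src, port))
                alerts.append({"type": "horizontal", "src": src, "target": port,
                               "count": len(dsts), "at": ev["ts"]})
    return alerts


def build_sample_log():
    """Constructed log: one vertical scan, one horizontal sweep, benign traffic."""
    base = datetime(2024, 3, 1, 9, 0, 0)

    def stamp(seconds):
        return (base + timedelta(seconds=seconds)).strftime("%Y-%m-%dT%H:%M:%SZ")

    lines = []
    # 203.0.113.7 probes twelve ports on one host within twelve seconds (nmap-like).
    for i in range(12):
        lines.append(f"{stamp(i)} DROP src=203.0.113.7 dst=192.0.2.10 proto=tcp dport={21 + i}")
    # 198.51.100.5 probes port 445 on twelve hosts (masscan/zmap-like sweep).
    for i in range(12):
        lines.append(f"{stamp(20 + i)} DROP src=198.51.100.5 dst=192.0.2.{1 + i} proto=tcp dport=445")
    # Benign: a workstation reaching the web server, and a slow trickle below threshold.
    for i in range(5):
        lines.append(f"{stamp(40 + i)} ACCEPT src=192.0.2.50 dst=192.0.2.10 proto=tcp dport=443")
    for i, port in enumerate((22, 80, 443)):
        lines.append(f"{stamp(300 * (i + 1))} DROP src=198.51.100.9 dst=192.0.2.20 proto=tcp dport={port}")
    lines.append("Mar  1 09:01:00 host kernel: unrelated message")   # ignored by the parser
    return lines


if __name__ == "__main__":
    for a in detect_scans(build_sample_log()):
        print(f"{a['at']:%H:%M:%S} {a['type']:<10} {a['src']:<15} -> {a['target']} ({a['count']})")
```

The slow trickle from the last source deliberately stays under the threshold: a scanner that spaces probes minutes apart will not trip a fixed window, so in practice this logic is complemented by longer-baseline counting (for example distinct ports per source per day) rather than by lowering the thresholds until benign traffic alerts.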

In his paper, he mentions that it is useful to gather information about employees, their roles and their contact information for social engineering purposes. He once again refers to Google, theHarvester and recon-ng as good tools for gathering such data. In addition, employees can be identified through LinkedIn, and details can also be obtained from the metadata of the files that the target company publishes.
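The file metadata mentioned above is something a company can check and remove before publishing. The Python script below is an added example and not part of the original report: a .docx is a ZIP archive whose docProps/core.xml and docProps/app.xml parts carry the author, last editor, company and template names that reconnaissance tools harvest. The script lists those fields, reports the sensitive ones, and writes a scrubbed copy using only the standard library. The sample document and the names in it are constructed, and the set of fields treated as sensitive is an assumption to adapt to your own publishing policy.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

METADATA_PARTS = ("docProps/core.xml", "docProps/app.xml")

# Fields that name people, teams or internal templates (assumed policy).
# Dates and the generic application name are deliberately left in place.
SENSITIVE_FIELDS = {
    "creator", "lastModifiedBy", "title", "subject", "description",
    "keywords", "category", "Company", "Manager", "Template",
}

# Keep conventional prefixes when the scrubbed XML is written back.
for _prefix, _uri in {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}.items():
    ET.register_namespace(_prefix, _uri)


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def extract_metadata(docx_bytes):
    """Return every field in the two metadata parts as {name: text}."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zin:
        for part in METADATA_PARTS:
            if part in zin.namelist():
                for child in ET.fromstring(zin.read(part)):
                    found[_local(child.tag)] = (child.text or "").strip()
    return found


def find_sensitive(metadata):
    """The subset a reviewer should see before the file is published."""
    return {k: v for k, v in metadata.items() if k in SENSITIVE_FIELDS and v}


def _scrub_xml(data):
    root = ET.fromstring(data)
    for child in list(root):
        if _local(child.tag) in SENSITIVE_FIELDS:
            root.remove(child)
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)


def scrub_metadata(docx_bytes):
    """Rewrite the archive with the sensitive fields removed from both parts."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zin, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zout:
        for name in zin.namelist():
            data = zin.read(name)
            zout.writestr(name, _scrub_xml(data) if name in METADATA_PARTS else data)
    return out.getvalue()


def build_sample_docx():
    """Constructed minimal .docx; the person and company names are made up."""
    core = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
 xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dcterms="http://purl.org/dc/terms/"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<dc:title>Q3 roadmap</dc:title>
<dc:creator>Jane Doe</dc:creator>
<cp:lastModifiedBy>jdoe</cp:lastModifiedBy>
<dcterms:created xsi:type="dcterms:W3CDTF">2024-03-01T09:00:00Z</dcterms:created>
</cp:coreProperties>"""
    app = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/extended-properties">
<Application>Microsoft Office Word</Application>
<Company>Example Corp</Company>
<Template>internal-brand.dotx</Template>
</Properties>"""
    doc = (b'<?xml version="1.0" encoding="UTF-8"?><w:document '
           b'xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:body/></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", app)
        z.writestr("word/document.xml", doc)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx()
    print("before:", find_sensitive(extract_metadata(sample)))
    print("after: ", find_sensitive(extract_metadata(scrub_metadata(sample))))
```

ElementTree may rewrite namespace prefixes when it serialises the scrubbed parts; the namespace URIs themselves are preserved, which is what office suites key on, but a scrubbed file should still be opened once in the real application before the approach is adopted for a publishing pipeline. The same idea applies to PDFs and images, where the fields live in the Info dictionary, XMP packet or EXIF block instead.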

After gathering the necessary information, Phineas Fisher then proceeded to employ various tactics to gain and further expand his access within the network of the HackingTeam company. We will cover these in the second article of this series.

Remarks

As the author noted himself, information gathering can sometimes prove to be tedious and unappealing. However, it serves an important purpose: expanding the attack surface of the company.

The techniques outlined in this report are well known to the cybersecurity community. At CSE, we use them to footprint our clients’ presence on the Internet and to make sure that no compromising details can be found.

The pieces of information that a person can gather from online sources can be assembled like the pieces of a puzzle into a picture that provides great insight into a firm. For companies, it is useful to know that whatever gets published on the Internet, from company files to employee information, can be used against them in such attacks. In addition, it is important to note that exposing unnecessary services and data is dangerous, as they will be picked up by attackers.

Conclusion

To state it differently, it is crucial to understand that limiting the trails that your company leaves on the Internet is a key first step in minimizing the attack surface. A minimized attack surface translates to a better overview and control over your assets. A better overview and control over your assets results in a decreased chance of breaches.

However, even though a company does its best to minimize its footprint, it is still exposed to risks. We will analyze these risks in the second part of this series, in which we will see how Phineas Fisher compromised the network of the HackingTeam company.


References

[1] - https://en.wikipedia.org/wiki/Phineas_Fisher

[2] - https://gist.github.com/jaredsburrows/

[3] - https://www.key4biz.it/

[4] - https://wikileaks.org//hackingteam/emails/

[5] - https://github.com/mschwager/fierce

[6] - https://github.com/laramies/theHarvester

[7] - https://github.com/lanmaster53/recon-ng