The Hacking Team Incident
A Lesson in Hacktivism and Surveillance Ethics
One sleepy July morning[1], the members of a small Milanese boutique cybersecurity firm, Hacking Team, returned from the weekend unaware of the life-shattering series of events that they were about to experience. Only a few hours before, an entity who later identified themselves as Phineas Fisher (henceforth referred to as Fisher) had uploaded a 400 GB trove of emails, internal documents, marketing and sales information, product source code, and other information to BitTorrent for all the world to see (Ragan, 2015; Associated Press, 2015).
Hacking Team was little known to the public, primarily finding its customer base in nation-states and law enforcement agencies; their primary product was a self-purported hacking suite for governmental interception called the DaVinci Remote Control System (RCS), which allowed those with the financial means to utilize pre-developed and packaged zero-day exploits to fully compromise most modern devices such as Android, iOS, and Blackberry phones, Windows, MacOS, or Linux computers, among many others (Ragan, 2015; O’Neill, 2019). While Hacking Team claimed not to sell to organizations that many would consider unethical (Osborne, Hacking Team: We won’t ‘shrivel up and go away’ after cyberattack, 2015; Collins, 2015), Fisher claimed that they helped oppressive governments “hack and spy on journalists, activists, political opposition, and other threats to their power,” (Porup, 2016; O’Neill, 2019) a claim that in the previous years had been backed up by reports made by organizations such as Reporters sans frontières [sic] (English: Reporters Without Borders)[2], Citizen Lab[3], Privacy International[4], and Human Rights Watch[5].
But who is this mysterious vigilante, Fisher, who asserted that their form of hacking was ethical? While that information has never been disclosed and the individual (or individuals) has yet to be apprehended, they did provide us with a wealth of verifiable information. Shortly after publishing Hacking Team’s data to BitTorrent, Fisher took to social media, using none other than Hacking Team’s own Twitter account to announce to the world that the firm had been compromised, and corroborated the announcement from their own account @GammaGroupPR (an account used in a previous cyberattack on another cyber-espionage firm, Gamma Group) (Collins, 2015; Ragan, 2015; Osborne, Hacking Team: We won’t ‘shrivel up and go away’ after cyberattack, 2015; O’Neill, 2019).
Disclaimers
Ethical Use of Information Disclosed
The primary source utilized in this case study is the guide written and published by Fisher themselves. Ethically, I cannot suggest that anyone attempt to utilize the techniques detailed in the guide without understanding their local laws and regulations or without taking the proper OPSEC precautions. I highly recommend that these techniques be utilized only in academic settings.
Primary Source Credibility
Many of the details in this case brief are partially verified by the coordination of the compromised Hacking Team Twitter account with the @GammaGroupPR account; there are details that lead us to reasonably believe that the events analyzed within this case brief are what happened, but neither the Italian Police nor Hacking Team have released official documentation of the case or incident. Because of this, we must read Fisher’s account with a grain of skepticism; it provides the most comprehensive narrative of events but may have been partially or entirely fabricated (Franceschi-Bicchierai, The Vigilante Who Hacked Hacking Team Explains How He Did It, 2016).
Use of Artificial Intelligence
ChatGPT 4o was utilized in selecting an interesting but less well-known breach and in tackling some of the more difficult citations to ensure proper APA formatting, but was not used for research, analysis, content generation, or corrections. Grammarly was used to ensure that appropriate English grammar and spelling were consistently utilized throughout this document but was not used to generate written content. Microsoft Word provided additional grammar, punctuation, and spelling suggestions, augmented with AI capabilities, but did not provide any content utilized within this brief.
Use of Pronouns
While Phineas Fisher refers to themselves as a “he,” it is unclear if they are a single individual or a group of individuals masquerading as a single individual. To ensure a reduction in bias throughout this brief, the author has chosen to refer to Fisher as “they” to prevent establishing a narrative that they are a single person, a group of people, male, female, or any other gender. There is currently no reputable or authoritative information as to the identity of Phineas Fisher.
The Chain of Compromise
Several months after the release of Hacking Team’s data, Fisher posted a Spanish-language walkthrough (Fisher, 2016) of how they accomplished the compromise of the network and exfiltration of data. While it appears that more than one version of this information was posted from the primary source, the originals have been removed.
Lockheed Martin’s Cyber Kill Chain (CKC) (Hutchins, Cloppert, & Amin, 2011) provides an excellent methodology to break down and analyze cyber attacks, and thus it will be the primary tool utilized to provide guidance in following Fisher’s steps as they moved throughout Hacking Team’s devices and resources. The following sections outline the steps that Fisher detailed in the DIY Guide to Hacking Hacking Team (Fisher, 2016).
Preparation
While not a traditional stage of the CKC, Fisher goes in depth about the steps taken to protect themselves. While eight years have passed since the document was written and published, the basic steps outlined are not terrible ideas, nor are they necessarily methods to ensure safety.
Fisher’s first suggestion is to encrypt storage devices on computers to prevent law enforcement from accessing records and data after seizure of computer equipment. This is sound advice; however, given the target of Fisher’s hack and their involvement with intelligence agencies, law enforcement agencies, and other government entities, ensuring that strong, well-reviewed encryption mechanisms are in place is important to prevent those with nation-state levels of funding from having methods of compromising the encryption put in place.
Additionally, the suggestion of using privacy-based virtual machines and separating personal and “professional” computers adds an administrative layer of security to the individual that may assist in mitigating other deanonymization techniques that law enforcement or government agencies could use to locate an individual.
Finally, Fisher suggests that Tor or a Virtual Private Network (VPN) should be used, but this is certainly not a failsafe method of protecting an individual’s privacy when engaging in potentially unlawful behavior on internet services. Malwarebytes reported earlier this year that de-anonymization is possible utilizing timing attacks, work corroborated officially by German news agency NDR and unofficially by Reddit. In Malwarebytes’s report, they state that “this does not work when connection to onion sites however, because the traffic would never leave the Tor network in such case,” but by design, Fisher’s guide is meant to teach individuals how to protect themselves when targeting organizations that maintain their businesses far from the depths of the dark web (Arntz, 2024).
Despite these doubts about the Tor network’s ability to ensure privacy and anonymity, Fisher does continue with solid, but unachievable, advice: to maintain a network of anonymously purchased and compromised servers through which to conduct the actual attacks. While Fisher’s desire to share knowledge with others is respectable, it is likely that anyone reading this would not have the capability or access to such a network to achieve the level of protection that Fisher themselves enjoyed. Turning that on its head, anyone reading Fisher’s manifesto who did have access to those resources likely didn’t need the level of information provided by Fisher.
Reconnaissance (external)
Fisher utilized a standard methodology to enumerate the publicly available resources of Hacking Team. Google, domain and subdomain tools such as dig, whois, and Nmap allowed them to gain an external look at the physical resources of the organization, while data aggregators and social media allowed them to establish a reasonably accurate organizational chart and structure of Hacking Team (Fisher, 2016).
The most essential information garnered from Fisher’s reconnaissance, however, was the information on the publicly available devices and services. From there, they were able to identify their target for exploitation to achieve access to the internal network, but that choice was the most interesting one. In section 5.3 of the DIY guide, Fisher states that they had three options: to look for a zero-day in Joomla, Postfix, or one of the appliances. Given the long history of vulnerabilities within CMS solutions such as WordPress (over 10,000 spanning from 2003 to 2024 (MITRE, 2024)), it would seem apparent that targeting the web application would likely be the easiest route. Fisher, however, determined that identifying a zero-day within one of the appliances (specifically a VPN appliance) would be the easiest path forward. It can be speculated that this is due to the specific skill set that Fisher felt most comfortable with, reverse engineering appliance devices and applications rather than breaking web applications, or perhaps they made this decision based on the ease with which they could pivot from the initial compromise to the internal network. They chose not to detail their reasoning within their write-up, nor is it speculated on within any of the other correspondence that could be located from the time.
Weaponization, Delivery, Exploitation, and Installation
The CKC details that the weaponization phase couples an exploit with a backdoor into a deliverable payload. The delivery phase is how the adversary transfers the payload derived within the weaponization phase to the target (Hutchins, Cloppert, & Amin, 2011). Fisher’s methodology and derivative report of how they achieved access into the network are intertwined enough that the analysis of these four phases can be combined into a single subsection, but each phase was still distinctly achieved within it.
Fisher spent two weeks reverse-engineering the embedded devices of the appliances they were able to identify during their reconnaissance phase before writing a custom version of the firmware for that device that included the backdoor (weaponization). At the same time, they also compiled ten tools into that firmware to utilize once they achieved access. These tools facilitated the later reconnaissance and exploitation phases as Fisher began to silently move around the network and comprised a second phase of weaponization and delivery, despite not being utilized in the initial infiltration.
The tools do give insight into the device that Fisher had compromised; given that Busybox[6] was one of the first listed, it’s likely that the device had an ARM processor and was running a stripped-down version of Linux as its base operating system. This is confirmed by the need for Fisher to compile Python within the compromised device.
It is also important to note that Fisher performed extensive testing on this new firmware version to ensure that it would not crash the target device. Had that happened, it may have alerted the Hacking Team system administration staff and caused them to lose their initial foothold on the network.
Neither Fisher (within the constraints of ethical disclosure) nor Hacking Team disclosed the compromised device or the exploit that allowed the installation of the custom firmware, so there is no current information on how exactly Fisher was able to deliver, exploit, and install the custom firmware on the device. Given that this information hasn’t been disclosed in the nine years since the incident, it may never be known to the public unless additional documents are ever released or Fisher’s identity is ever compromised.
Reconnaissance (internal)
Once access had been gained, Fisher was able to use the tools already compiled within the custom VPN appliance firmware to begin their reconnaissance of the internal network. One focal point of the CKC is that a chain of compromise can move back to previous stages as needed to achieve stage seven, actions on objectives.
Using their pre-compiled and attached (via their custom firmware) tools, Fisher was able to identify NoSQL databases (MongoDB[7]) living within the Hacking Team network. Referring to them unironically as “NoAuthentication” databases, Fisher trawled through them, identifying that they stored the audio and video recordings from the Hacking Team computers that were used to develop and evaluate RCS. While this didn’t ultimately contribute to the damage that Hacking Team experienced, it is another shortcoming in a long line of other issues with their internal security posture.
More significantly, Fisher was able to identify Hacking Team’s iSCSI devices where they stored their backups, but from there, they pivoted to the command & control phase (C2) of the CKC.
Command & Control (C2)
While the technical constraints of accessing the backups limited Fisher’s capabilities, Hacking Team had implemented nothing on their networks that prevented Fisher’s clever use of tgcd[8] and an iptables rule[9] to allow the Synology[10] appliance to be mounted to their external (to the Hacking Team network) Virtual Private Server (VPS).
Within the backups were virtual machine images, including at least one from 2014 of a Hacking Team Microsoft Exchange server. Because this server was joined to the domain, Fisher was able to first recover a local admin password from the registry hives and then use that to obtain many of the domain user passwords, including the domain admin password.
Action
With the domain admin password, Fisher had unhindered access to the entire network. From there they were able to access the live Exchange Server to export the current emails in the background as they pivoted to also download all the file shares that they were able to access.
Additionally, they monitored the accounts of “high value targets,” two specifically mentioned being Christian Pozzi and Daniele Milan. This allowed further infiltration into additional networks utilizing a reused password (Milan’s) to access git repos as well as other resources. The sheer amount of access that Fisher was able to gain once compromising the VPN appliance shows just how dangerous those devices can be and demonstrates the efficacy of and need for modern zero-trust concepts.
Weathering the Aftermath
The 400 GB torrent uploaded by Fisher was only the beginning. As security professionals around the world began to dig into the massive collection of files, it became clear that Hacking Team had not been entirely truthful in their former public relations campaigns (Osborne, Hacking Team breach: A 400GB corporate data dump and online mockery, 2015; Franceschi-Bicchierai, The Vigilante Who Hacked Hacking Team Explains How He Did It, 2016; Kassner, 2015).
To add fuel to the fire, Fisher took over the company’s Twitter (now X) account to announce to the world: “Since we have nothing to hide, we’re publishing all our e-mails, files, and source code.” (Franceschi-Bicchierai, Hacker ‘Phineas Fisher’ Speaks on Camera for the First Time — Through a Puppet, 2016). Shortly after, Hacking Team system administrator Christian Pozzi took to Twitter in what the author considers a poor and unprofessional attempt to refute the greater cybersecurity community’s criticism of Hacking Team’s business and their [Hacking Team and Pozzi’s] cybersecurity practices. This culminated in the subsequent compromise and deletion of Pozzi’s Twitter account (Blue, 2015; Porup, 2016).
As their customer correspondence became known, a lengthy list of nation-state customers emerged, including Australia, Azerbaijan, Bahrain, Chile, Colombia, Cyprus, the Czech Republic, Denmark, Ecuador, Egypt, Ethiopia, France, Germany, Honduras, Hungary, Ireland, Israel, Italy, Kazakhstan, Lebanon, Luxembourg, Malaysia, Mexico, Mongolia, Nigeria, Oman, Panama, Poland, Russia, Saudi Arabia, Singapore, South Korea, Spain, Switzerland, Thailand, Turkey, the United States, Vietnam, the United Arab Emirates, and the United Kingdom. Unsurprisingly, specific government agencies from within those nation-states were named, including the Egyptian MOD, the US FBI, the US DOD (not active), the US DEA, the Lebanese Army Forces, and the Spanish CNI, as well as several private companies[11] including Barclays and Google[12] (Osborne, Hacking Team breach: A 400GB corporate data dump and online mockery, 2015; Collins, 2015; Ragan, 2015; Blue, 2015; Associated Press, 2015). The reputational damages could only be speculated on, which several news outlets did, considering whether any of the aforementioned customers were demanding their money back or whether students were no longer seeking internships with the company (O’Neill, 2019; Kassner, 2015).
Perhaps the most damning content in the data dump was the customer correspondence with countries such as Ethiopia, Sudan, and Uzbekistan, which contradicted a history of claims that Hacking Team did not work with entities that would violate sanctions such as those imposed by the European Union, NATO, and the United States (Osborne, Hacking Team: We won’t ‘shrivel up and go away’ after cyberattack, 2015; Collins, 2015; Ragan, 2015; Blue, 2015). While this will largely be discussed later as an ethical consideration, it did lead to the European Parliament calling for an investigation into Hacking Team’s actions and, a year later, to the revocation of their global license to export software (O’Neill, 2019; Blue, 2015; Associated Press, 2015).
Failure to Secure
Before analyzing the failures of Hacking Team that allowed Fisher undetected and unmitigated access to their documents, it is important to note that there were things that they had done correctly.
Hacking Team had a publicly exposed main website that utilized Joomla[13] as its content management system (CMS). As Fisher noted, Hacking Team kept it up to date, and a publicly available tool produced by OWASP, Joomscan[14], gave no indication that there were any known vulnerabilities, so they would have had to identify a zero-day vulnerability to compromise the website (Fisher, 2016; Porup, 2016).
Hacking Team’s overall attack surface was relatively small in general, consisting of the aforementioned Joomla site, one Postfix server, two routers, two VPN appliances, a spam filtering appliance and their customer support portal; the customer support portal required certificates to establish a connection (Fisher, 2016), meaning that Fisher couldn’t identify vulnerabilities or exfiltrate data from past customer issues (Porup, 2016).
Despite these few beacons of shining cybersecurity best practices, Hacking Team had shortcomings that allowed Fisher to easily pivot once they had gained access to internal resources. Primary among these was an utter failure to master the basic concepts of strong password generation and hygiene. Passwords such as “P4ssword” (Osborne, Hacking Team: We won’t ‘shrivel up and go away’ after cyberattack, 2015) and “Passw0rd” (Ragan, 2015) were in place across their network and in correspondence with clients (Ragan, 2015); after dumping passwords from one of the compromised machines, Fisher found that poor passwords were rampant throughout the organization, with employees of the cybersecurity company utilizing short passwords, easily guessable passwords, passwords based on names or dictionary words, or passwords without a significantly complex mix of character types (Fisher, 2016). System administrator Christian Pozzi was shown to have proliferated this culture at the organization: the exposure of his personal password file showed that weak passwords filtered into his personal life as well as his professional one (Ragan, 2015).
Pozzi’s passwords were exposed because Fisher was able to identify his accounts as the system administrator, locate a TrueCrypt volume, and then monitor for when Pozzi decrypted it, enabling Fisher to extract all the (supposedly) protected information within it (Porup, 2016). Placing this encrypted volume on a network-attached device subverted the value of the encryption implemented; since Fisher had compromised Pozzi’s device, all it took was patience to gain access to the secrets hidden within.
Hacking Team’s procedures documented network isolation, but the organization failed to correctly implement their own procedures. Like Pozzi’s TrueCrypt volume, backups and source code (Franceschi-Bicchierai, The Vigilante Who Hacked Hacking Team Explains How He Did It, 2016) that were supposed to be maintained off the primary network were, in fact, connected to it, allowing exfiltration via the compromised VPN appliance. In the case of the backups, Hacking Team used neither encryption nor access controls to secure them, again allowing access by an unauthenticated party and leading to Fisher gaining domain admin access[15].
Exacerbating Hacking Team’s password woes was their poor account hygiene: local admin accounts were still active and accessible, rather than having been disabled or removed. Had the BESAdmin account been inaccessible to Fisher, the chain of compromise might have crumbled, potentially halting the attack (Fisher, 2016).
Finally, Hacking Team did not implement maintenance and monitoring on their own infrastructure. Fisher was able to establish persistence by locating high-uptime servers where they could make a reasonable assumption that anything living in memory would still be there the next time they needed to access the network (Fisher, 2016). Many of Fisher’s actions could have been easily detected as abnormal or anomalous behavior, but it seems that Hacking Team had focused their energy and efforts on monitoring their own spyware and infiltration tools rather than guarding their internal networks[16].
Lessons of Hindsight
So, what can be learned from both Hacking Team’s mistakes and from Fisher’s comprehensive document demonstrating exactly how to achieve a heist such as this?
First, proactive, rather than reactive, security will always be the primary way to stay ahead of the adversary. Of course, this requires knowing what actions the adversary will take, an impossible task, and closing the gap before they do it. Hacking Team announced, too little and too late, that they were going to shore up their defenses (Porup, 2016), but the damage was already far beyond the point of repair. As explored earlier, Fisher’s exposure of the organization’s internal confidential assets led to an investigation by the European Union, the revocation of their export license, and the ultimate demise of the company. What follows, however, are steps the organization could have taken, again proactively, to mitigate the impacts of Fisher’s attacks or halt the chain of events that occurred.
Hacking Team appears to have had little, if any, internal security monitoring on their own infrastructure and resources. While neither Fisher’s account nor what little information was released by Hacking Team indicates that Fisher created or modified any accounts for their own purpose, it seems that Hacking Team was unable to identify that Fisher was successfully authenticating into seemingly inactive local and domain admin accounts, something that certainly should have been flagged as anomalous behavior (perhaps even more so when occurring over the VPN device). In fact, according to Fisher, the one place monitoring was implemented, a Nagios[17] dashboard for one of their networks (named Sviluppo[18]), was itself the means by which that secondary network was compromised[19]. Additionally, there was little or no monitoring of ingress or egress connections or of the transfer of data out of the internal network (Porup, 2016). 400 GB of data may not have been a significant number of bits and bytes to an organization specializing in the subversive collection of audio, video, and image files, but in the author’s anecdotal experience with deploying data loss prevention solutions to medium and large organizations, even a minimal attempt to establish some method of anomalous data transfer identification would have put all of the pieces together to identify that something nefarious was afoot.
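As an added example (not part of the case study and not Hacking Team’s tooling), the following Python implements the two detections this paragraph says were missing: a successful logon to a privileged account that has been dormant for months, or that arrives from a VPN appliance, and a host whose daily outbound volume jumps far above its own history. All records, host names and accounts other than BESAdmin are constructed and hypothetical.

```python
"""Added example: two detections that would have surfaced the activity the
case study describes.  Sample records are constructed; host names and all
accounts except BESAdmin are hypothetical."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication events: (ISO timestamp, account, source host, outcome)
AUTH_EVENTS = [
    ("2015-06-20T09:12:00", "d.milan", "WS-MILAN", "success"),
    ("2015-06-20T22:41:00", "BESAdmin", "VPN-APPLIANCE-1", "success"),
    ("2015-06-21T01:05:00", "BESAdmin", "EXCH01", "success"),
    ("2015-06-21T08:30:00", "c.pozzi", "WS-POZZI", "success"),
    ("2015-06-21T02:10:00", "svc_backup", "SYNOLOGY-NAS", "failure"),
]

# Constructed directory snapshot taken before the review window: privilege
# flag and the last logon the directory had recorded for each account.
ACCOUNTS = {
    "d.milan":    {"privileged": False, "last_logon": "2015-06-19"},
    "c.pozzi":    {"privileged": True,  "last_logon": "2015-06-19"},
    "BESAdmin":   {"privileged": True,  "last_logon": "2014-03-02"},
    "svc_backup": {"privileged": True,  "last_logon": "2015-06-18"},
}

# Constructed daily egress summaries: (date, internal host, bytes sent out)
EGRESS = [
    ("2015-06-19", "EXCH01", 2_000_000_000),
    ("2015-06-20", "EXCH01", 2_500_000_000),
    ("2015-06-21", "EXCH01", 95_000_000_000),    # mailbox export in progress
    ("2015-06-21", "WS-MILAN", 300_000_000),
    ("2015-06-22", "FILESRV", 120_000_000_000),  # file shares pulled out
]

VPN_HOSTS = {"VPN-APPLIANCE-1", "VPN-APPLIANCE-2"}  # hypothetical appliance names


def dormant_privileged_logons(events, accounts, dormant_days=90, vpn_hosts=VPN_HOSTS):
    """Return (account, timestamp, source, reason) for each successful logon to
    a privileged account that either follows at least `dormant_days` of
    inactivity or originates from a VPN appliance.  Last-seen times are
    updated as events are replayed, so only the first reactivation of a
    dormant account is reported as dormant; later logons from a VPN
    appliance are still reported for their source."""
    last_seen = {a: datetime.fromisoformat(v["last_logon"]) for a, v in accounts.items()}
    hits = []
    for ts, account, src, outcome in sorted(events):  # ISO strings sort chronologically
        if outcome != "success" or not accounts.get(account, {}).get("privileged"):
            continue
        when = datetime.fromisoformat(ts)
        reasons = []
        if when - last_seen[account] >= timedelta(days=dormant_days):
            reasons.append("dormant-account")
        if src in vpn_hosts:
            reasons.append("vpn-source")
        if reasons:
            hits.append((account, ts, src, "+".join(reasons)))
        last_seen[account] = when
    return hits


def egress_anomalies(records, factor=10, absolute_floor=50_000_000_000):
    """Return (host, date, bytes) for days on which a host sent more than
    `factor` times its own mean daily egress over the preceding days.  A host
    with no history yet is reported only above `absolute_floor` (50 GB)."""
    per_host = defaultdict(list)
    for date, host, nbytes in sorted(records):
        per_host[host].append((date, nbytes))
    anomalies = []
    for host, days in per_host.items():
        history = []
        for date, nbytes in days:
            if history:
                if nbytes > factor * (sum(history) / len(history)):
                    anomalies.append((host, date, nbytes))
            elif nbytes > absolute_floor:
                anomalies.append((host, date, nbytes))
            history.append(nbytes)
    return anomalies


if __name__ == "__main__":
    for hit in dormant_privileged_logons(AUTH_EVENTS, ACCOUNTS):
        print("ALERT auth  :", hit)
    for hit in egress_anomalies(EGRESS):
        print("ALERT egress:", hit)
```

On the constructed data the first BESAdmin logon is reported for both reasons, the Exchange server’s export day and the file server’s single bulk day are reported as egress anomalies, and routine logons and traffic are not.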
Finally, at least for technical solutions, Hacking Team did not seem to implement robust endpoint protection mechanisms on their devices. In the case of Christian Pozzi and Mauro Romeo, Fisher was able to monitor their devices with a collection of keyloggers and Metasploit modules (Fisher, 2016), something that could have been identified as malicious behavior by an endpoint detection solution and either prevented or at least alerted upon.
Administratively, it seems that Hacking Team had no interest in accomplishing the boring, written section of compliance and governance; the part that most of the industry hates doing but is desperately needed to ensure that silly mistakes and stupid holes are not left wide open, as was the case with this incident. Hacking Team allegedly had a policy in place to establish network segmentation, but it was not implemented within the production networks[20]. They also either did not have or did not utilize a password complexity policy, as can be seen by the list of passwords extracted by Fisher (Fisher, 2016) and exposed by others from the trove of data (Ragan, 2015). In one case, Fisher details how they were able to reuse Milan’s domain password to access Git repositories containing the source code of RCS, something that certainly would have been prevented if the password policy had included a reuse clause and been enforced (Fisher, 2016). The list continues with proper user management and lifecycle policies, proper implementation of encryption, and proper implementation of authentication mechanisms and policies. Appropriate implementation of administrative and policy controls would not have saved Hacking Team from their fate, but it certainly would have made Fisher’s job significantly more difficult.
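As an added example (not from the case study or from Hacking Team), the following Python check enforces the controls this section finds missing: minimum length, a mix of character classes, rejection of dictionary words and staff or company names even behind “P4ssword”/“Passw0rd” style substitutions, and a reuse clause checked against the account’s hashed password history. The word list and name list are small constructed stand-ins for the large lists a real deployment would load.

```python
"""Added example: a password policy check covering the weaknesses the case
study lists.  DICTIONARY and NAMES are constructed stand-ins."""
import re
from hashlib import sha256

# Constructed stand-in for a real dictionary / breached-password list.
DICTIONARY = {"password", "welcome", "letmein", "admin", "qwerty", "summer"}
# Constructed: names of the organisation's own staff and of the company
# itself, which attackers try first and which this policy rejects.
NAMES = {"christian", "pozzi", "daniele", "milan", "mauro", "romeo", "hacking", "team"}

# Common digit/symbol-for-letter substitutions, undone before comparing.
LEET = str.maketrans({"4": "a", "@": "a", "0": "o", "1": "i", "!": "i",
                      "3": "e", "$": "s", "5": "s", "7": "t"})


def normalise(pw):
    """Lower-case, drop trailing digits/punctuation, then undo leet
    substitutions, so 'P4ssword1!' compares as 'password'."""
    base = re.sub(r"[\d\W_]+$", "", pw.lower())
    return base.translate(LEET)


def history_digest(pw):
    """Digest stored in an account's password history.  SHA-256 keeps this
    example dependency-free; a production store would use a slow, salted
    hash such as bcrypt or Argon2."""
    return sha256(pw.encode("utf-8")).hexdigest()


def check_password(pw, history=(), min_length=14, min_classes=3):
    """Return the list of policy violations for `pw`; an empty list means the
    password is acceptable.  `history` holds history_digest() values of the
    account's previous passwords (the reuse clause)."""
    problems = []
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    classes = sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w]"))
    if classes < min_classes:
        problems.append(f"uses {classes} character classes, needs {min_classes}")
    base = normalise(pw)
    if base in DICTIONARY:
        problems.append(f"dictionary word ({base!r}) with trivial substitutions")
    if any(name in base for name in NAMES):
        problems.append("contains a staff or company name")
    if history_digest(pw) in set(history):
        problems.append("reused from password history")
    return problems


if __name__ == "__main__":
    # The two passwords quoted in the case study, plus a name-based one.
    for candidate in ("P4ssword", "Passw0rd", "Milan2015!", "Correct-Horse-Battery-Staple-2015"):
        print(f"{candidate!r}: {check_password(candidate) or 'OK'}")
```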
Ethical Considerations
Offensive Security as a Service
Whether it is surveillance-as-a-service, cyberdestruction-as-a-service, exfiltration-as-a-service or any other use of cybersecurity techniques and technology as a product sold by a private company, it is hard to determine whether the procurement and utilization, as well as the operation of these businesses, is an ethical endeavor (Franceschi-Bicchierai, The Vigilante Who Hacked Hacking Team Explains How He Did It, 2016; Blue, 2015). As stated by Hacking Team executives after the incident, once their products were released to the world by Fisher, the entire world was put at risk, but that transfers the blame for the development of the product from Hacking Team to Fisher (Blue, 2015). Hacking Team was still ultimately responsible for the development and proliferation of these products, and as with all cyber weapons, once the bullet is fired, anyone can pick it up off the ground (any number of times) and fire it at any target they desire. It was, perhaps, only a matter of time before someone else identified any number of the vectors that Hacking Team was using and put them to use in less altruistic ways than what Hacking Team was claiming to use them for.
Additionally, Hacking Team claimed that their products were used to fight terror and criminals, to “root out lone wolves,” but who gets to decide who these undesirables are (Associated Press, 2015)? As the world found out when Fisher’s data dump was finally reviewed, Hacking Team had been less than responsible in their selection of customers, allowing countries like Ethiopia, Uzbekistan, and Sudan to use their product to attack those who disagreed with them. To shift this to a thought exercise in how bad it could have been, if Hacking Team had existed in the 1930s, would the world of the 2020s have considered them an ethical and responsible organization if their products were used to commit mass surveillance on the Jewish population by the Nazi regime? The winners certainly write the history books, and everyone is the hero in their own personal story.
Hacktivism and the Exposure of Hacking Team
As Eric Rabe, chief marketing officer for Hacking Team at the time of the incident, said, “We can disagree about public policy but that doesn’t give [someone] the right to put someone out of business,” so the question remains as to whether Fisher had the right to expose Hacking Team or whether Fisher’s chosen methodology was the correct way to go about exposing them (Osborne, Hacking Team: We won’t ‘shrivel up and go away’ after cyberattack, 2015; Blue, 2015; Franceschi-Bicchierai, The Vigilante Who Hacked Hacking Team Explains How He Did It, 2016). If Fisher had not gone about releasing the 400 GB collection of evidence against the company, how might their support of oppressive regimes have been ended? Would the proper way have been to submit an appeal to the European Parliament, and if so, how would a person even have gone about doing that (assuming that Fisher is a constituent of the European Parliament)? The ethical considerations of vigilantism are worthy of their own study, but it is possible that Fisher felt they had no other alternatives available to them and this was the only method within their reach and skill set to achieve their goal. It may not have been the right one, but until Fisher decides to speak more about why and how they did this, the world may never know what motivations led them to do this instead of any of the other avenues that may or may not have been available to them.
Education of the Proletariat
An interesting subtext of the incident was whether Fisher was ethical in their release of the DIY guide to teach others how to accomplish the same style of hack against others. Sharing knowledge is generally an admirable activity, but in this case, did Fisher provide enough information to their audience to ensure safety when engaging in the behavior being promoted? Was Fisher establishing a case for risky behavior for a group of people who could not recognize the potential impacts of their actions? As discussed earlier, the people most likely to follow Fisher’s guide are those without established networks of compromised resources, nor are they the type to have the background knowledge to fill in the gaps that Fisher’s guide does not cover. Did Fisher subject these individuals to potentially committing poorly planned crimes, and should we applaud Fisher for sharing knowledge when it may have dire unintended consequences? At a minimum, Fisher’s behavior is irresponsible if they are unable to assume accountability for those actions.
As a second note, can Fisher claim that anyone they are sharing this knowledge and information with will follow the same ethical code of honor that they did (Porup, 2016)? While Fisher’s ethics and motivations have been examined in this brief, there is no way to know how someone might use the information held within the document they provided. As discussed in the lens of Hacking Team developing cyber weapons that could be used by anyone picking the fired bullets off the ground, Fisher has no way of knowing how this document could be used or by whom it might be used.
Release of Zero Days to the Wild
Fisher specifically did not elaborate on the zero-day vulnerability in the VPN appliance that they utilized to gain access to the Hacking Team network, explaining that “Since the vulnerabilities still haven’t been patched, I won’t give more details” (Fisher, 2016). This restraint is directly contradicted, however, by the fact that three (or more) zero days were exposed in Fisher’s data dump (Kassner, 2015). Two of these were for Adobe Flash Player and the third was for the Windows kernel, meaning that a sizable portion of the digital population was affected by the irresponsible disclosure of this information.
Two Malwarebytes researchers took this novel opportunity to study the delta between the release of information on a zero day to the general public and the point at which the company owning the affected product could release a fix for it, and found that exploits appeared in the wild only 27 hours after the data dump was released, while patches addressing the vulnerabilities took 48 hours to release (Kassner, 2015). Given that updates are not always installed immediately, it is likely that these zero days remained impactful to the security posture of the greater internet community for some time.
In this case, both Hacking Team and Fisher were wholly unethical: Hacking Team for identifying the vulnerabilities and then choosing to hoard them, Fisher for releasing the information out into the wild rather than redacting it from the dump and responsibly disclosing it. The exact number of individuals impacted by these specific zero days after the Hacking Team incident is unknown, but given that Malwarebytes identified them out in the wild, the number is likely higher than zero.
Conclusions
Five years later, Paolo Lezzi, owner of InTheCyber, decided to revive Hacking Team, rebrand it as Memento Labs, and fold its capabilities into his existing company to refocus their [Hacking Team] efforts to “best support law enforcement” (O’Neill, 2019). Even today, in 2024, their website is still active[21], but the damage caused by Fisher remains. Hacking Team, even under the new name and the umbrella of InTheCyber ownership, must now ask permission from Italian export authorities to sell the latest version of RCS (RCS X) abroad (O’Neill, 2019). The culmination of the European Commission’s inquiry into the activities of Hacking Team and their alleged customers resulted in the revocation of their export license only a year later, in 2016 (O’Neill, 2019).
The former European Parliament member Marietje Schaake, who spearheaded the efforts to dig into Hacking Team’s business practices, is still dissatisfied with the legal controls that were put in place as a result of Hacking Team’s untimely demise, continuing to draw attention to the fact that technology moves faster than legislation and that legislation is largely driven by the industry it is designed to govern (O’Neill, 2019). The restrictions that Memento Labs has placed on itself are inadequate; limiting the number of licenses sold to Ethiopia did little to control the Ethiopian government’s use of the RCS tool against political opposition (O’Neill, 2019).
Fisher’s account, the lack of independent verification notwithstanding, gives us an unprecedented look into the mind of an adversary as they perform a targeted attack against an individual organization (Fisher, 2016). Regardless of an individual’s feelings about the ethics behind Fisher’s actions, there is no doubt that they are highly intelligent, dedicated, and skilled individual(s). Additionally, the Lockheed Martin Cyber Kill Chain allows us to break Fisher’s actions into easily modeled steps to identify how and where organizations might make changes in the future to proactively mitigate the same security posture gaps that Fisher used to access Hacking Team’s deepest and darkest secrets (Hutchins, Cloppert, & Amin, 2011).
As for the ethics of surveillance and hacktivism, it is up to the reader to determine who, if anyone, was in the right here. Individuals on both sides broke laws and violated the privacy of others. Both parties committed acts that were, from one perspective, unethical; but contrary to that opinion, both parties were committing those acts for what they thought was the greater good. Phineas Fisher thought that ousting surveillance services for hire for the paychecks they garnered from oppressive regimes was enough to justify their [Fisher’s] actions, while Hacking Team thought that their contributions to the war against terrorists and criminals justified the underhanded capabilities of their products. In the end, it is the author’s opinion that neither side won and that all modern humanity is the loser in this battle.
References
Arntz, P. (2024, September 19). Tor anonymity compromised by law enforcement. Is it still safe to use? Retrieved from Malwarebytes Labs: https://www.malwarebytes.com/blog/news/2024/09/tor-anonymity-compromised-by-law-enforcement-is-it-still-safe-to-use
Associated Press. (2015, July 16). Hackers expose spy software firm’s global clients. Retrieved from CBS News: https://www.cbsnews.com/news/italy-hacking-team-breach-suggest-spy-software-sold-fbi-russia-vatican/
Blue, V. (2015, July 9). How spyware peddler Hacking Team was publicly dismantled. Retrieved from Engadget: https://www.engadget.com/2015-07-09-how-spyware-peddler-hacking-team-was-publicly-dismantled.html
Cimpanu, C. (2020, July 1). Hacker ransoms 23k MongoDB databases and threatens to contact GDPR authorities. Retrieved from ZDNet: https://www.zdnet.com/article/hacker-ransoms-23k-mongodb-databases-and-threatens-to-contact-gdpr-authorities/
Collins, K. (2015, July 6). Hacking Team’s oppressive regimes customer list revealed in hack. Retrieved from Wired: https://www.wired.com/story/hacking-team-spyware-company-hacked/
Fisher, P. (2016, April 15). HackBack! A DIY Guide ]HT[ [J. S. Burrows, Trans.]. (J. S. Burrows, Ed.) Retrieved October 18, 2024, from Github: https://gist.github.com/jaredsburrows/9e121d2e5f1147ab12a696cf548b90b0
Franceschi-Bicchierai, L. (2016, July 20). Hacker ‘Phineas Fisher’ Speaks on Camera for the First Time — Through a Puppet. Retrieved from Vice: https://www.vice.com/en/article/hacker-phineas-fisher-hacking-team-puppet/
Franceschi-Bicchierai, L. (2016, April 15). The Vigilante Who Hacked Hacking Team Explains How He Did It. Retrieved from Vice: https://www.vice.com/en/article/the-vigilante-who-hacked-hacking-team-explains-how-he-did-it/
Hacking Team Commercial (n.d.). [Motion Picture]. Viewsdesk. Retrieved October 20, 2024, from https://www.youtube.com/watch?v=R63CRBNLE2o
Hutchins, E. M., Cloppert, M. J., & Amin, R. M. (2011). Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains. Lockheed Martin Corporation. Retrieved from Lockheed Martin.
Kassner, M. (2015, August 23). Hacking Team breach leads security researchers to unexpected insights. Retrieved from TechRepublic: https://www.techrepublic.com/article/hacking-team-breach-leads-security-researchers-to-unexpected-insights/
MITRE. (2024, October 20). CVE Search Results for “WordPress”. Retrieved from MITRE CVE Records: https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=wordpress
O’Neill, P. H. (2019, November 29). The fall and rise of a spyware empire. Retrieved from MIT Technology Review: https://www.technologyreview.com/2019/11/29/131803/the-fall-and-rise-of-a-spyware-empire/
Osborne, C. (2015, July 6). Hacking Team breach: A 400GB corporate data dump and online mockery. Retrieved from ZDNet: https://www.zdnet.com/home-and-office/networking/hacking-team-dnp/
Osborne, C. (2015, July 7). Hacking Team: We won’t ‘shrivel up and go away’ after cyberattack. Retrieved from ZDNet: https://www.zdnet.com/article/hacking-team-cyberattack-aftermath-interview/
Porup, J. M. (2016, April 19). How Hacking Team got Hacked. Retrieved from Ars Technica: https://arstechnica.com/information-technology/2016/04/how-hacking-team-got-hacked-phineas-phisher/
Ragan, S. (2015, July 5). Hacking Team hacked, attackers claim 400GB in dumped data. Retrieved from CSO Online: https://www.csoonline.com/article/551971/hacking-team-hacked-attackers-claim-400gb-in-dumped-data.html
[1] July 6th, 2015
[2] https://rsf.org/en/special-report-internet-surveillance-focusing-5-governments-and-5-companies-enemies-internet
[3] https://citizenlab.ca/2015/03/open-letter-hacking-team-march-2015/
[4] https://privacyinternational.org/sites/default/files/2018-02/egypt_reportEnglish_0.pdf
[5] https://www.hrw.org/report/2014/03/25/they-know-everything-we-do/telecom-and-internet-surveillance-ethiopia (Associated Press, 2015)
[8] https://github.com/maaaaz/tgcd-windows
[9] iptables -t nat -A OUTPUT -d 192.168.200.72 -j DNAT --to-destination 127.0.0.1
[10] https://www.synology.com/en-global
[11] While not a customer, Apple had provided Hacking Team with an iOS Enterprise Developer Certificate, allowing them to create iOS applications that were, for all intents and purposes, fully legitimate despite being spyware that augmented their RCS platform with iOS surveillance capabilities (Blue, 2015)
[12] In an amusing turn of events, the Google marketing team was selling mapping services to Hacking Team while its anti-malware team was also working to track Hacking Team’s spyware and tools (Blue, 2015)
[14] https://github.com/OWASP/joomscan
[15] Additionally, while it did not contribute to the chain of compromise, the compromise of the virtual machine allowed Fisher to generate a golden ticket to ensure one method of persistence within the network (Fisher, 2016).
[16] While not significant to this event, Fisher did identify several MongoDB NoSQL databases that were unprotected. More recent cybersecurity events, such as the 2020 MongoDB ransomware incident, have shown just how damaging unsecured NoSQL databases can be. In this case, Hacking Team got extremely lucky that this did not contribute to the severity of their incident (Cimpanu, 2020).
[18] Sviluppo is the Italian word for “development”
[19] Again, improper network segmentation also allowed Fisher to pivot from one network to the other.
[20] Fisher cited https://ht.transparencytoolkit.org/FileServer/FileServer/Hackingteam/InfrastrutturaIT/Rete/infrastruttura%20ht.pdf in their document; however, at the time of this writing, that link is no longer accessible and the Internet Archive/Wayback Machine is unavailable due to a recent cyberattack, so the author was unable to confirm that this document ever existed or that this policy was indeed included. As with everything else stated by Fisher, it must be taken with considerable skepticism as it cannot be absolutely verified. In this case, the sheer number of administrative issues makes verification of this single point moot, as there were several other policy failures that can be pointed to in order to show that Hacking Team had a significant problem with establishing a compliance and governance program within their organization.