The Hacking Team breach – an attacker’s point of view
On 17 April 2016, two posts were added to Pastebin (one in Spanish, the other in English) detailing the methods and tools allegedly used to access the internal network of the Italian surveillance technology company Hacking Team. Hacking Team was breached in July 2015, resulting in the release of approximately 400GB of company data, including client details, financial records and proprietary source code. Responsibility for the breach was claimed by a hacker using the handle "Phineas Fisher", who announced the leak from Hacking Team's own Twitter account. The same individual had previously claimed responsibility for the release of 40GB of company data from the Anglo-German spyware company Gamma International Ltd in August 2014.
Figure 1 - Hacking team Twitter page with defacement image
Phineas Fisher described Hacking Team as presenting only a small attack surface, but claimed to have developed a zero-day exploit (described as a "remote root exploit") for an unspecified "embedded device" on the company's perimeter. They then claimed to have written a "backdoor firmware" for that device so that they could re-enter the network at will. Once inside, they claimed to have conducted reconnaissance of the network and identified MongoDB databases that required no password. These databases allegedly exposed details of Hacking Team's backup systems, including a backup of the Exchange email server which, it is claimed, held the BlackBerry Enterprise Server (BES) admin account password. With those credentials the attacker claimed to have escalated their privileges, targeted the company's Domain Controller and extracted the passwords for all system users. Phineas Fisher also claimed to have found references to an isolated network that held the source code for Hacking Team's Remote Control System (RCS) surveillance software. A system administrator was targeted to obtain credentials for the web interface of the GitLab source code management system, and Phineas Fisher then gained access to the confidential source code within.
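The unauthenticated MongoDB instances described in the post are a configuration failure rather than a software bug. The fragment below is an added example, not taken from the Pastebin post or from Hacking Team's systems: a mongod.conf in the YAML format used by MongoDB 2.6 and later, with the weak settings (commented out) beside the hardened ones. The file paths and the admin user name are assumptions for the example.

```yaml
# Added illustrative mongod.conf; not from the Pastebin post or from Hacking Team.
# Paths and the user name referred to below are assumptions for this example.

# --- Weak: the state the post describes ---
# Listening on every interface with authorization disabled means anyone who can
# reach TCP/27017 on the network can list and read every database.
# net:
#   port: 27017
#   bindIp: 0.0.0.0
# security:
#   authorization: disabled

# --- Hardened ---
systemLog:
  destination: file
  path: /var/log/mongodb/mongod.log    # assumed path
  logAppend: true
storage:
  dbPath: /var/lib/mongodb             # assumed path
net:
  port: 27017
  bindIp: 127.0.0.1                    # local clients only; list a backup host's
                                       # address explicitly if it must connect remotely
security:
  authorization: enabled               # every connection must authenticate before
                                       # it can read or write any database
```

Before enabling `authorization`, create an administrative user in the `admin` database from a local shell, for example `db.createUser({user: "admin", pwd: "<strong password>", roles: ["userAdminAnyDatabase"]})` (the user name is an assumption), then restart `mongod`. To check an instance the way an attacker on the internal network would, run `mongo --host <host> --eval 'db.adminCommand("listDatabases")'` with no credentials: an open instance returns the database list, a hardened one returns a "not authorized" error. Note that binding to localhost alone is not enough once an attacker is already inside the network, which is the situation the post describes; the `authorization` setting is the control that actually matters there.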
Lessons can be learned from this post. Despite what was alleged to be a small attack surface, vulnerabilities existed which Phineas Fisher exploited to gain a foothold and, once inside the network, used to obtain further privileges and reach confidential information. Databases with no password protection and weak passwords stored in plain text did nothing to halt the attacker's progress, and they appear to have traversed the company's infrastructure with relative ease. This highlights a number of security concerns, for which CSO Online provides some excellent recommendations. Targeting the system administrator's credentials gave Phineas Fisher an understanding of the company and its infrastructure. Monitoring key individuals' digital shadows is therefore important, to prevent them from being targeted by those seeking other means of initial entry to a network, such as spear phishing.
Finally, the Pastebin post encouraged other individuals to target organizations and provided guidance on how to conduct such attacks. Organizations should therefore be cognizant of their public perception, as ideologically driven threat actors may target those they perceive as unethical.