How The Hack Volume 1: Phineas Phisher Takes On The Hacking Team
Part I: Inside The Mind Of A Hacktivist
Once in a while, there comes along a hacker who doesn't fit the typical mold. They can't be placed in the clear-cut categories of being a nation-state actor, cybercriminal, or hacktivist. Their motivations, as well as their tactics, techniques and procedures just don't make sense. Threat actors like these are significantly more interesting to study and read about but they are also more dangerous. Their ambiguity is a facade, they are unpredictable and you can't prepare for them because you're not sure how they attack or what they're after...
Phineas Fisher AKA Subcowmandante Marcos is one of those hackers. He is a self-proclaimed hacktivist with a remarkable level of technical sophistication that is typically seen in the upper echelons of cybercriminal organizations and among nation-state Advanced Persistent Threats (APT) groups.
It seems like they are trying to become a revolutionary icon. Phineas Fisher believes so much in the cause of hacktivism that he's even sought to inspire and motivate others by offering illegal bug bounties of up to $100,000 for compromising military contractors, private prison groups and natural resource extraction enterprises. As with other hacktivists, he's allegedly or at least nominally motivated to fight against governments and supernational corporations to combat corruption and protect human rights like privacy and freedom.
We don't know much about Phineas Phisher but we do know that he's been active in the hacktivist seen since 2014 and has managed to remain incognito. His list of victims is far and wide, He's successfully attacked banks police organizations, and government ministries. None of his attacks have been directly on United States business or government organizations, which may explain why he's managed to avoid being locked in a cage. A majority of his targets are European, and based on his knowledge of both historical and contemporary politics in western Europe it is not so illogical to conclude that he or they (in the plural and only sense of the word) is likely a European.
For someone who has never been caught Mr. Phineas Fisher does leave a long paper trail, in that on three separate occasions he's released entire reports on his illicit activities in Hack Back!: a DIY Guide series
. The most infamous of these reports is his encounter with the Italian-based firm known as the Hacking Team. It doesn't take much to guess what they do for a living they seem to be very good at it. As a part of his breach and subsequent data dump, Phineas Fisher was nice enough to dump some of their exploits which have since then been integrated into the Metasploit C2 framework.
The full report of the Hacking Team breach comically starts with a stick figure drawing a man urinating on the letters "HT", followed by an introduction that criticizes contemporary American Hacker culture. He emphasizes the origins of hackerdom and how the culture has in his opinion decayed as hacking has gone mainstream, essentially selling out and joining the suits.
"They misuse their talents working for 'defense' contractors, for
intelligence agenciesm to protect banks and corporations, and to defend
the status quo. Hacker culture was born in the US as a counterculture,
but that origin only remains in its aesthetics - the rest has been
assimilated. At least they can wear a t-shirt, dye their hair blue,
use their hacker names, and feel like Rebels while they work for the
Man. " - Phineas Fisher, Hack Back A DIY Guide Vol
His justifications for targeting the Hacking Team are very detailed. He provides 13 citations including a few from Citizen Lab and The Intercept which detail the Hacking Teams' sale of exploits to repressive governments and their use of the exploits against journalists. He makes things personal and attacks Hacking Teams CEO for using the phrase "boia chi molla" in the footer of their emails. Further research revealed that this phrase was a fascist slogan during the Mussolini era which can be translated directly as "The executioner who gives up", ie. claiming that anyone who gives up on the Fascist revolution is a murderer.
In traditional hacker fashion, the report continues to take on the appearance of a comedy when Phineas Fisher continues to barrage the Hacking Team with insults by damaging their reputation in regards to claims they've made in the past regarding alleged exploits for the Tor network:
"They also claim to have a technology to solve the "problem" posed by
Tor and the darknet. But seeing as I'm still free, I have my doubts
about its effectiveness. " - Phineas Fisher, Hack Back A DIY Guide
This is after all a DIY guide and after summarizing his motivations for hacktivism in general and targeting the Hacking Team in particular Phineas Fisher provides the reader with a quick tutorial in operational security ie. OPSEC. His strategy is simple and involves three steps (please see the original report for access to his citations and links) :
" --[ 3 - Stay safe out there ]---------------------------------------------------
Unfortunately, our world is backwards. You get rich by doing bad things
and go to jail for doing good. Fortunately, thanks to the hard work of
people like the Tor project [1], you can avoid going to jail by taking
a few simple precautions:
1) Encrypt your hard disk [2]
I guess when the police arrive to seize your computer, it means
you've already made a lot of mistakes, but it's better to be safe.
2) Use a virtual machine with all traffic routed through Tor
This accomplishes two things. First, all your traffic is anonymized
through Tor. Second, keeping your personal life and your hacking on
separate computers helps you not to mix them by accident.
You can use projects like Whonix [3], Tails [4], Qubes TorVM [5], or
something custom [6]. Here's [7] a detailed comparison.
3) (Optional) Don't connect directly to Tor
Tor isn't a panacea. They can correlate the times you're connected to
Tor with the times your hacker handle is active. Also, there have
been successful attacks against Tor [8]. You can connect to Tor
using other peoples' wifi. Wifislax [9] is a linux distro with a lot
of tools for cracking wifi. Another option is to connect to a VPN or
a bridge node [10] before Tor, but that's less secure because they
can still correlate the hacker's activity with your house's internet
activity (this was used as evidence against Jeremy Hammond [11]).
The reality is that while Tor isn't perfect, it works quite well.
When I was young and reckless, I did plenty of stuff without any
protection (I'm referring to hacking) apart from Tor, that the police
tried their hardest to investigate, and I've never had any problems."
- Phineas Fisher, Hack Back A DIY Guide
As with prior sections, this one is also thoroughly cited, and the author is well-written, knowledgeable and organized. This attacker is experienced, they know the pros and cons of using Tor maliciously, He stresses to only use Tor as a means of connecting to his attacking infrastructure rather than attacking directly from the Tor network:
"I don't hack directly from Tor exit nodes. They're on blacklists,
they're slow and they can't receive connect backs"
- Phineas Fisher, Hack Back A DIY Guide
Their knowledge goes above that of the theoretical, they provide a plethora of information regarding operating system comparisons, WiFi cracking, and even mistakes made by other hacktivists in the past. Based on the fact that they claim to have a farm of infiltrated servers aquired in the past to use in further attack we can assume that they've been around the block more than a few times.
The report continues with its scathing tone, however, this time it isn't addressed at suits or the Hacking Team but at state-sponsored hackers. He sees their skills in becoming and staying anonymous are lax because they operate from the safety of their home country and don't have to worry about being arrested:
"They're negligent because they can hack without legal consequence."
- Phineas Fisher, Hack Back A DIY Guide
Phineas Fisher knows that at some point his activity will be detected whether it be during or after the breach he takes precautions to avoid the inevitable investigation by incident response teams and law enforcement. He is familiar with the cyber forensic methodology and OSINT and seeks to avoid being caught by starting this operation from a clean slate, setting up fresh infrastructure that ideally would not be linkable to any of his other illicet activities:
"I didn't want to make the police's work any easier by relating my hack
of Hacking Team with other hacks I've done or with names I use in
my day-to-day work as a blackhat hacker. So, I used new servers and
domain names, registered with new emails and payed for with new bitcoin
addresses. Also, I only used tools that are publicly available, or
things that I wrote specifically for this attack, and I changed my way
of doing some things to not leave my usual forensic footprint."
- Phineas Fisher, Hack Back A DIY Guide
Clearly this isn't some noob who just watched V for Vendetta for the first time in their parent's basement, download Metasploit, started hacking and only thought of the consequences after the SWAT team kick down the front door. Fisher seems to have given a lot of time and energy to his target selection, the grooming of his infrastructure and the massive consequences of ending up in a maximum security penitentiary with not-so-nice people like gang members, rapists, murders, serial killers and child molesters.
Although there have been massive books written on Open Source Intelligence the entire OSINT subject can be tackled in one word: "Google". This is exactly the tool Phineas recommends for understanding both his target's technical infrastructure and the social hierarchy of the organization. As a general rule of thumb, any piece of information about you or your organization can be used maliciously, which is why privacy is important even if you don't wear a tin foil hat.
One of the more interesting tactics that Phineas Fisher recommends is scraping file metadata. Metadata is data about data, it is hidden from the plain eye but these little tidbits of information allowed Phineas Fisher to find information on the employees of the Hacking Team and the systems they are operating, ultimately laying the foundation for his attack.
After setting up his infrastructure, securing it and scouting his enemy Phineas Phisher finally comes to the most interesting part of the attack: breaching the organization. He mentions that there are three primary ways he's used in the past to actually get inside: social engineering, buying access and technical exploitation.
He rules out social engineering because the Hacking Team is well-versed in the craft, they do it for a living and would likely detect such attempts. Buying access is his second option for most breaches, he writes:
"Thanks to hardworking Russians and their exploit kits, traffic sellers,
and bot herders, many companies already have comprimised computers in
their networks. Almost all Fortune 500, with their huge networks, have
some bots already inside. However, Hacking Team is a very small company,
and most of it's employees are infosec experts, so there was a low
chance they'd already been comprimised."
- Phineas Fisher, Hack Back A DIY Guide
By process of elimination, Phineas Phisher concludes that technology exploitation is the only way into the Hacking Teams network. He runs scanners on their infrastructure and comes up dry, there were no public exploits or vulnerabilities. His only way in is via a 0-day exploit:
"So, I had three options: look for a 0day in Joomla, look for a 0day in
postfix, or look for a 0day in one of the embedded devices.
A 0day in an embedded device seemed like the easiest option, and after
two weeks of work reverse engineering, I got a remote root exploit.
Since the vunerabilites still haven't been patched, I won't give more
details..."
- Phineas Fisher, Hack Back A DIY Guide
A 0-day is an undiscovered vulnerability, it is not easy to find one of these. It is rumored that a 0-day can sell for hundreds of thousands of dollars. An embedded device is a hardware object like a processor, it's the lowest you can go before hitting raw physics. If Phineas Fisher is telling the truth he might be a genius, understanding never mind exploiting computational systems at such a low level is very very hard.
This level of technical prowess urges us to ask a few questions. Is Phineas Fisher who he says he is? Could he just be a persona made up as a cover for some government-backed APT group? Is he a lone wolf, or a group of hackers disguising themselves as an individual? If his OPSEC precautions hold up we'll probably never know, his identity will be one of many mysteries in the universe.
In part II we'll see Phineas Fisher live in action from within the Hacking Teams networks. We'll come to learn how an expert black hat cracked one of the deadliest cyber espionage companies on the planet and along the way Phineas Fisher will provide us with more than a few laughs.