Tech

The Vigilante Who Hacked Hacking Team Explains How He Did It

Back in July of last year, the controversial government spying and hacking tool seller Hacking Team was hacked itself by an outside attacker. The breach made headlines worldwide, but no one knew much about the perpetrator or how he did it.

That mystery has finally been revealed.

Videos by VICE

After eight months of almost complete silence, the pseudonymous digital vigilante behind the hack has resurfaced, publishing a detailed explanation of how he broke into the company’s systems and laid bare its most closely guarded secrets.

The write-up breaks down not only how the hacker, who calls himself Phineas Fisher, sneaked into Hacking Team’s network and quietly exfiltrated more than 400 gigabytes of data, but also serves as a manifesto of his political ideals and the motives behind the hack.

“And that’s all it takes to take down a company and stop its abuses against human rights,” the hacker proclaimed at the end of his guide, which Motherboard has seen in advance. “That’s the beauty and asymmetry of hacking: with just 100 hours of work, one person can undo years of a multimillion dollar company’s work. Hacking gives the underdog a chance to fight and win.”

“And that’s all it takes to take down a company and stop its abuses against human rights.”

Phineas Fisher argued that leaking documents to show corruption and abuse of power is real “ethical hacking,” as opposed to doing consulting work for companies who are often the ones that actually deserve to be hacked.

Hacking Team is a Italian company that sells spyware and hacking services to police and intelligence agencies across the world. Through the years, researchers have documented several cases where Hacking Team’s tools were used against journalists, dissidents, or activists.

“I see [Hacking Team’s CEO David] Vincenzetti, his company, and his friends in the police, military and governments, as part of a long tradition of Italian fascists,” Phineas Fisher continued, writing in Spanish. (Vincenzetti often signs his emails with the fascist motto “Boia chi molla”)

Last year, the hacker, who’s been only known as Phineas Fisher, though his Twitter account’s handle is now “Hack Back,” broke into the corporate servers of Hacking Team, going seemingly unnoticed for weeks.

In early July of 2015, the hacker culminated his intrusion by leaking online a massive treasure trove of files containing thousands of internal documents, emails, and even the source code of the company’s hacking tools—in other words, Phineas Fisher took everything there was to take, laying bare all the company’s secrets, including its once closely-held list of customers.

On the night the hacker published the data, he revealed himself to be the same person who in 2014 breached Gamma International, a Hacking Team’s competitor that sells spyware called FinFisher. For months, however, one big question has remained unanswered: how did the hacker manage to embarrass and completely own a company whose whole business model depended exactly on hacking other people?

At the time, the hacker promised he’d soon tell the world. He just wanted to wait a little time, he said on Twitter, until Hacking Team “had some time to fail at figuring out what happened and go out of business.”

The ASCII art at the top of Phineas Fisher’s guide on how he hacked Hacking Team.

More than eight months later, Hacking Team is still in business. That’s why Phineas Fisher decided to come out with the blow-by-blow account of what happened, “so we can laugh them off the internet for good,” he tweeted.

In his guide, published on Friday, the hacker explained how he used an unknown vulnerability, or zero day, to get the first foothold into Hacking Team’s internal network. Given that the bug has still not been patched, however, Phineas Fisher didn’t provide any details on what the vulnerability is exactly, or where he found it. (The hacker also declined to comment for this story.)

After getting in, the hacker said he moved around carefully, first downloading emails, then gaining access to other servers and parts of the network. Having gained administrative privileges inside the company’s main Windows network, Phineas Fisher said he spied on the system administrators, particularly Christian Pozzi, given that they usually have access to the whole network. Having stolen Pozzi’s passwords by recording his keystrokes, the hacker said he accessed and exfiltrated all the company’s source code, which was hosted on a separate isolated network.

At that point, he reset Hacking Team’s Twitter password using the “forgot password” function, and on the late evening of July 5, he announced the hack using the company’s own Twitter account.

The tweet announcing the hack, sent via Hacking Team’s official Twitter account, while it was under the control of Phineas Fisher.

The hacker said that he was inside Hacking Team’s network for six weeks, and that it took him roughly 100 hours of work to move around and get all the data. Judging from his words, it’s clear Phineas Fisher had a strong political motivation to attack Hacking Team.

“I want to dedicate this guide to the victims of the assault on the Armando Diaz school, and all those who had their blood spilled by Italian fascists,” he added, referring to the bloody raid on the Italian school in Genoa in 2001, where police forces stormed a school where anti G-8 activists of the Genao Social Forum were housed, resulting in the arrest of 93 activists. The methods of the raid and subsequent detention, however, were so controversial that 125 policemen were brought to trial, accused of beating and torturing the detainees.

The hacker also rejected being defined as a vigilante, and chose a more political definition.

“I would characterize myself as an anarchist revolutionary, not as a vigilante,” he told me in an email. “Vigilantes act outside the system but intend to carry out the work of the police and judicial system, neither of which I’m a fan of. I’m clearly a criminal, it’s unclear whether Hacking Team did anything illegal. If anyone, Hacking Team are the vigilantes, acting in the margins in pursuit of their love for authority and law and order.”

“Hacking gives the underdog a chance to fight and win.”

In the guide, Phineas Fisher encourages others to follow his example.

“Hacking is a powerful tool. Let’s learn and fight!” he wrote, quoting the anarcho-syndicalist labor union Comision Nacional de Trabajo, or CNT. After Phineas Fisher hacked Gamma Group in 2014, the CNT said that it was clear technology was just another front in class warfare, and that it was time to “take a step forward” with “new forms of fighting.”

It’s impossible to verify whether all the details in the guide are true, given that neither Hacking Team nor the Italian authorities have disclosed anything related to the hack.

“Any comment should come from the Italian police authorities who have been investigating the attack on Hacking Team, so no comment from the company,” Hacking Team’s spokesperson Eric Rabe said in an email. The Italian prosecutor’s office could not be reached for comment.

It’s unclear how the investigation is going, but Phineas Fisher doesn’t seem too worried he’ll get caught. In another section of his guide, he described Hacking Team as a company that helped governments spy on activists, journalists, political opponents, and “very occasionally” criminals and terrorists. The hacker also referred to Hacking Team’s claims that it was developing tech to track criminals using the Tor network and on the dark web.

“But considering I’m still free,” he wrote snarkily, “I have doubts about its effectiveness.”

After sharing a contact email address, in case anyone wants to send “spear phishing attempts, death threats in Italian, or to gift him zero days or access inside banks, corporations or governments,” the hacker concludes with a call to arms.

“If not you, who?” He wrote. “If not now, when?”

This story has been updated to include Phineas Fisher’s comment on the term “vigilante.”