
Phineas Fisher: A Timeline of Hacktivism

BSides Leeds 2020 · 31:02 · 1.7K views · Published 2020-07 · Watch on YouTube ↗
Category: War Stories
Style: Talk

Transcript [en]

...and thank you for coming to my talk. Some in the Leeds area might have seen this one already, but this is the tale of Phineas Fisher. Just a quick show of hands: who's heard of Phineas Fisher before? Not as many as I thought, cool. Okay, so let's jump right in. So my name is Jake. I'm a full-time blue teamer, hobbyist security guy, security researcher, sorry. I do some privacy stuff at AAG org Leeds if you're interested. When I'm not doing security I take photographs like that one; that's what I do in my spare time when I'm not doing the cybers. Um, so let's have a look at the timeline of Phineas Fisher then,

because a lot of people know of the hacks but maybe don't know how many there are, the time in between them and the different ones. So this is what we're going to go through today: these are the hacks we're going to talk through and address one by one. So let's go into Gamma then. So Gamma, as a company; this video says: hacking isn't at all the problem, the problem though is that companies like Gamma sell to customers who seek to use hacking to evil ends. A brief history on Gamma for those that have maybe not heard of them before: they sell spyware, so they sell sophisticated tools to governments around the world and law

enforcement departments. I don't know if you can see it very well, but there's a map that shows their sort of proliferation throughout the world, and there are different colour codes, so maybe you can see from the country where they operate and make assumptions about whether that technology is used ethically or not. So how did Phineas hack Gamma? Well, it all started with a support site which they discovered, finsupport.finfisher.com, and what they noticed is that the developer of that website had made many, many others, and they noticed that there were some SQL injection and LFI vulnerabilities that allowed them to basically get

the source code of that site and look through it. So having looked at this using LFI and, you know, standard web application testing stuff, Phineas noticed that the web server was up to date, so there was no chance of privilege escalation, right, because it was fully patched; at the time there were no known exploits for the web server. So, you know, what do they do, right? What would you do in that situation? If you're a red teamer you're presented with this all the time; with me as a blue teamer, you ask yourself those questions. But they noticed there's a directory on that web server called QA team, and inside,

that directory contains a copy of the mobile malware product, or that mobile product called FinSpy, and that's where that came from. So if you ever heard about the leaking of FinSpy, this is where it came from. However, you know, there wasn't really a lot better. Phineas then set up a fake Gamma Group PR Twitter account, which I thought was quite funny, and they take the copy of the data that they found in the QA server directory. They do also get access from the support website to some of the products, but they're encrypted, and they're still encrypted to this day, so samples of those binaries are not out in the

wild in a decrypted format. And there's lots of copies of customer helpdesk tickets, and this revealed some of the customers that dealt with Gamma; as you can see there's a list, and, you know, you've got what you'd expect, law enforcement, things like that. So yeah, so that's Gamma. So there wasn't really too much fallout, right? It was embarrassing for the company, but there wasn't that juicy stuff there that Phineas wanted. So let's move on to the next target, which is Hacking Team. This video will explain to you what they do.

[Music] [Applause]


control system [Music] interception [Music] rely on us. So, Hacking Team: I don't think I could have summed them up better myself, to be honest, right? They're very brazen about what they do; they don't hide themselves behind shell companies; they're very honest about the capabilities they provide to their clients. So here's another quote from Phineas's manifesto: Hacking Team had very little exposed to the Internet; for example, unlike Gamma Group, the customer support site needed a client certificate to connect. They had their main website, which was running Joomla, a mail server, a couple of routers and two VPN appliances. So not that much of an estate there. Again, a little bit of

a backstory on Hacking Team. So again, Google will come up with some stories there if you want to go look at those; I'm not going to go into too much detail, but again you can see they're spread across the world, the countries that they operated in and where they provide services, so again you can get an example of the type of clientele that, excuse me, Hacking Team did business with. Okay, so let's move on to the hack itself. So that right there is Hacking Team's IP range, as you can see, and this is what Phineas began with. So they began with the IP range, and then from there looked at their estate, right, and that's where

you saw the summary of the appliances and things that were exposed. So let's have a quick quiz, shall we? Phineas mentions in the manifesto they had three options, so how do we think, how did Phineas break into Hacking Team? So I want you to put your hand up for each one. So who thinks it was a zero day in Joomla? Oh. [Music] Who thinks it was a zero day in Postfix? No takers, okay, I'm expecting some hands up. Who thinks it was a zero day in an embedded device? Well, yeah. So we now know what this was, and we'll come back to this later on, but this was a SonicWall VPN appliance. So Phineas had

found a nasty inside this SonicWall appliance and used that to break in. Okay, so this begins the next phase. So now that they'd compromised it and they were on the network, they started using nmap to scan out different parts of the environment, right, again standard sort of attacker stuff, and they discovered some MongoDB services that were open on the LAN, and inside there were some audio files, which were sort of debugging; it was the QA team testing their, the malware. So the different systems that they kind of lay on, the Da Vinci platforms, and they're just testing, you know, making sure that the microphone was captured or the device was compromised, those sorts of things, and

you can listen to those as well; they're online in the dump. You can listen to them; there's nothing really, you know, sensitive, but it's just them testing to make sure they can capture those conversations. Sorry if it's blurry, as you can see. So as they're moving around they discover that there's a backup server, and according to the official documentation that we now have, because Phineas stole it, you can see that they say that the backup servers are on a different subnet. However, Phineas says this is not the case; they are actually accessible, and with that they're able to find a backup of an old Exchange server, and they're able to mine inside of there for credentials. So

what do you think the passwords looked like for the accounts that were compromised? So do we think it was what's recommended? Do we think it was a variation of 'password'? Come on, let's give them some credit, do you think it was reasonably complex? It wasn't what's recommended; it was a variation of 'password', but it was kind of complex. Okay, there's his password, yeah. So the domain admin on their estate had that as their password, and Phineas even comments on it; I mean, those are direct quotes from Phineas. Okay, so this one's quite something. So, you know, think about this, right, from a kill chain perspective, so from

backups to domain admin is literally what happened here, right, because of the password that was found, and you can see a dump of the other passwords as well that were discovered. So it looks like the people that weren't maybe at that level had better and more complex passwords, which was quite interesting. Here's a screenshot of the file servers that were captured by Phineas, so you can see full directory traversal of those different elements, and again you can browse online, you can go through this if you want. So next, then: once you have a domain admin account, you want to pin down the sysadmins. So those two people there are the current sysadmins at Hacking Team;

they're still employed. The reason why I'm showing their faces is because that's public information; they spoke on record about Hacking Team and the breach, so it's not as if, you know, they're not known, I think. But they're still working at Hacking Team, and the gentleman on the left is the guy that had that weak password, and if you go through the breach, if you go through the files that were stolen, a lot of them pertain to this individual because he had lots of unsavoury content on his work machine, and you can imagine what that was. Yes, he watched it at work and was caught by the screen grabs and things

like that. I wouldn't want to be in that position. Okay, so pretty much that's the breach in a nutshell, I mean that pretty much is it. So after Phineas had a domain admin account they scanned the network again and found a Nagios asset management device, and if you picture their network, I don't have a picture of this, but the topology basically went as follows: you had a corporate network and a development network, and there was a device in the middle bridging them, and that was it. So once Phineas compromised and logged in to that Nagios device, they were able to go over to the development network, and that's when they

were able to get all that juicy information, you know, all the development stuff around RCS and the implants. I think it was David in this morning's keynote that mentioned the difference between those, and the reason we know those differences is because Phineas broke in and released that information. Yes, that's a custom GIF I made; I'm not proud of it, but I think they bumped it up a little bit. Okay, so that was Hacking Team, so we're two breaches in, let's move on. So the third breach in the history of Phineas was SME, a Spanish police union or police division. So this

one is quite special, so this one Phineas actually recorded the entire breach. They didn't record the reconnaissance phase, but they did record themselves actually doing it, and again you can find the full clip of that online, but here's a snippet. So basically, as you can see, there's a scroll bar there as you would expect. So there's a website that Phineas did some recon on, discovered that it was SQL-injectable, injected into it, dumped the wp-config and the database, and used that, you know, to leverage themselves and give them more access. They backdoored the login pages as well, just so they could get a copy of the passwords, so they could use those on different things,

and as you can see, the information that was actually leaked because of this is quite something: officers' names, you know, personal information. It's a pretty big hit for the organisation to have that stuff out on the Internet. And what you can also see as well is that after they backdoored the login page, they discovered from this database that they reused the password for the Twitter account, so Phineas takes it over and begins the wrong sort of PR campaign for the Union, which looked like this. So what they did is they replaced the header image with images of the victims of this particular police

union, and as you can see it's people being beaten up and, you know, perhaps crimes being committed being documented, and obviously it's fair to say the police union were not happy about that. So again, another, perhaps maybe the start of a politically motivated campaign by Phineas there, and clearly they had some sort of ulterior motives other than privacy or, you know, protecting someone's rights or things like that. Hmm, okay, cool. So let's move on then to the next hack, which was the Cayman National Bank. Yes, Phineas broke into a bank, sir, as you can see. So they broke into a bank and stole money, and we'll get into that,

but that's Phineas's comment on that, and there's the Bitcoin transactions, of course, you can see those things. So Phineas gives ten thousand euros to the people of Rojava, and you can see that transaction there. Before, um, as for prior activity though, there was a Reddit account that was attributed to Phineas, and there were a number of posts; one in particular was this one, in which it says, translated, the banks steal from you, so why don't you steal from banks? And Phineas commented on this, you know, what's the effect of that? You know, people already do this, and made references to some of the criminal gangs in Europe that had already been looking at breaking into banks and successfully broke

into banks, saying that it is possible. So maybe this was a foreshadowing that they had already done this or were going to do this. Okay, so I think it's important to sort of highlight Rojava and why that's important, maybe, to Phineas, so let's do that. So here's a map of Syria and you can see the surrounding countries. I think we're all pretty aware of the situation here, what's been going on the last couple of years. Rojava is that yellow sort of marking there, and particularly to the north or northeast, that's that quadrant. And so in February, sorry, yes, in January of 2014 the YPD sort of declared autonomy,

sorry, for the Kurds, and set up this new state, and you can see some pictures of those fighters, and that's the situation. What is interesting is how they sort of reformed to this sort of libertarianism and some of the things that they push forward, or what came up because of it, and this very much aligns with Phineas's own political leanings and language. If you look at their manifesto it very much aligns with that kind of politics, and that's it really: they choose to help this group out with the donation, so clearly they have some sort of sympathy or empathy with Rojava and like what they're doing. And in the

most recent disclosures they mention it, and yeah, I just thought it was interesting to, you know, explain that a little more and put a face to Rojava. So yeah, a little bit more context as well: Turkey doesn't get on with the Kurds, there's massive conflict internally, and there's a lot of military aggression between Turkey and Syria, as you can see here in this article, and the timeframes for this kind of align with Phineas's hacks, or the next two hacks. So the bank, so, Cayman National. So we don't know the full amount of money that was stolen; we know it was a few hundred thousand

because Phineas had said it was, and we don't have that number because the bank hasn't reported it as far as I'm aware, but it was a good chunk of cash, put it that way. So the ten grand that they gave to Rojava is probably the tip of the iceberg. But as you can see there, they were compromised via the same VPN exploit as Hacking Team, which we now know is this SonicWall appliance, and this was obviously disclosed very recently, as in late last year, in a very political manifesto. Phineas, even, is very, very political, and they talked about that and how they did it. So let's talk, maybe, about how

they did it. So for those who don't know, SWIFT is the financial system the banks use to send money across the world; that's a very gross simplification, but it serves the purposes of today, I think. And so basically Phineas, yeah, cracked the bank via this VPN exploit, pivoted around, probably using the same methods, you know, TTPs, as they did in Hacking Team and other breaches, and what I think is kind of fascinating is: where were the bank's controls? As, again, as a blue teamer, as I said earlier, they didn't seem to have that great a set of controls, because Phineas was able to breach the network, move around, pivot, right, and all those things. They were also able to use

three accounts, three different user accounts; they compromised those accounts and used them to verify their SWIFT messages, which, if you do some research on SWIFT, is not the done thing. Now, granted, this was before the security rework of SWIFT, after numerous banks around the world had suffered breaches and SWIFT was abused in certain ways, and partially stricter standards were brought in to make security harder, stronger, sorry. But in this case the bank wasn't even checking the outgoing SWIFT messages, so Phineas, with whatever access they had, was able to do this, and it was only detected by error. So the first time they did this they sent the money through Mexico,

and it's flagged because of the way it went, because of the route through the payment system: it went through the UK, so someone saw the red flag and it wasn't sent, and that was when they found it. It's not clear how the full chain worked in terms of which transactions went through; you know, we don't know. What Phineas disclosed is that a number of transactions did get caught and cancelled, but it seems like some of them did work, because the money was gone. So we don't know the exact, you know, the exact timeline of events there, but again I think it's interesting to sort of mention. Okay, cool. Okay, so that's like,

what next? AKP. So remember Turkey, I mentioned earlier there's a sort of political, you know, war with Syria and the politics of this area. And AKP is the largest, the ruling political party in Turkey, and Phineas broke into their main party domain and stole a bunch of email, which is very political, right. And the interesting thing about this, though, is that this is picked up by WikiLeaks, as often is, and it ties in with Rojava again. So Phineas clearly wanted to get some information between the Turkish government and Rojava, right, again because they have some sort of empathy there, and

spoke to someone within Rojava to sort of hand it over: maybe this information is useful to you in some sort of information warfare. However, someone from that group then went to WikiLeaks, and WikiLeaks took what they gave them and published it, despite the representative from Rojava saying please do not publish, just stop. What do you think? They published it anyway, and the result was Phineas actually being frozen out of the network, because they went into full, you know, DEFCON mode, shutting them out just to cover the breach and close it down. So, you know, it's detrimental to Phineas's motives to support, because they wanted to stay there for longer and gather more

information. But yeah, so within that data that was stolen, I assume among that data the entire database for the political party was also among it. However, at the time it was falsely reported that Phineas was the only person to have leaked this, and, you know, then other arguments, you know, nation-state and all this stuff. But actually, I think, correct me, Phineas wasn't the first person to leak this data. It's funny, right, I know, but another group did it months before, a Turkish group, I think, did it before, so it wasn't the first time. Okay, oh, and it was about thirty gig as well, so it's quite a lot of data

that was stolen there. Okay, so they were the hacks, and let's go into the aftermath, or maybe the highlighted aftermath of some of the breaches, because it gets even more crazy really. So let's talk about the police union. So there wasn't much fallout for Phineas; however, the police went a bit crazy arresting people that they thought were Phineas, and I mean people that retweeted, you know, the post on Twitter; they were arrested, and the police put out, you know, some statements that they'd caught Phineas and, you know, their days were over, and no, actually, they were just eeny meeny miny moe random people, and hoping that it's

looking like they could, you know, win some sense in the, you know, public eye. Hacking Team is an interesting one because it went to court, so it was investigated by the Italian authorities thoroughly. An American citizen somehow ended up in all of this, and he was pulled in by the FBI, and they questioned him and asked him, you know, what is your involvement with this, and this guy was completely confused as to why the hell the FBI were interested in him over this; he'd never even heard of Hacking Team, right. Well, it was because of this website. So this website is a Bitcoin scratchcard, or was a Bitcoin scratchcard website, so

you would buy a scratchcard and you would get a random amount of bitcoins, but this site sourced its bitcoins from another website called 'buy bitcoins', I believe, and Phineas broke into that website, Phineas broke into the 'buy bitcoins' website and stole bitcoins belonging to that guy, belonging to John. So the FBI have a Bitcoin transaction from John's account, the bitcoin then used to buy the server that Phineas used to seed attacks against Hacking Team. They think: oh, we've got it, right, it's done, we've got the guy, we've got the Bitcoin transaction, it belongs to this guy, an American citizen, and we can go arrest him, and happy days. But again, they were not

aware that Phineas had actually hacked and stolen the chap's bitcoins; it did not lead back to Phineas, and so again it shows this sort of opsec by Phineas: I suppose, you know, a bit smarter, deliberately making a gap between them and, you know, the financing of their operations. Okay, so let's jump back to Hacking Team then. So former employees told the investigators that the company was basically more worried about selling spyware than it was about keeping hackers away, basically, and, you know, they also said, well, there's an awful comment from a senior member of Hacking Team staff that basically said that the company cared, so, that too much security would hinder

development. Who's ever heard that before, right? So they basically weren't investing in security at all, and you can see that in the lack of controls, their lack of separation, right, in their network, and their attitude to password complexity, all that stuff, right; you can see they did not invest at all. So let's move on to the CEO, David Vincenzetti, who has a crazy theory: that at the time, you know, this is Phineas's time, he had a burning desire to prosecute all of his employees that he classed as infidels and traitors, and that the breach of his company was their plan, you know, manifested; they plotted against him and his company, and

this breach was them doing it. But actually, in reality, I think we can all probably agree that he was just salty; he was just angry that his company had been compromised and breached, and that he was ultimately responsible. So remember that SonicWall appliance I told you about at the start of this Hacking Team segment? Well, he was responsible; he refused to upgrade that SonicWall appliance because he used it personally, and despite countless emails from IT begging him to, you know, not just accept the risk but actually patch it, he refused. So karma, I suppose, right. There's a story to this as well, and that one employee was actually prosecuted by David, and it went through, dragged through

the court system, and really, this guy had to work to prove his innocence, and obviously he was acquitted; the investigation was dropped by the Italian authorities because there was no evidence, there was nothing linking any... they couldn't find any evidence to tie back to someone for this. Phineas had really covered their tracks, and the investigators gave up; they closed the case. So Phineas had got away with it. Okay, so recently as well: Joseph Menn, author of many different publications, but recently Cult of the Dead Cow; in that book there's a chapter around Phineas Fisher in which he speculates that someone in the US government disclosed to him that they believe Fisher is a nation-state hacker, which

was then later disproved or countered by a source to Motherboard that basically said that no, no, the government actually believe they're hacktivists and not a nation-state. It was reported, you know, when this came out: this is it, this is the smoking gun, we all thought, right, Phineas is Fancy Bear. No. And I've got a short clip of Phineas's response to the comment; I don't know if you can hear it through the microphone, but okay. And if you listen to this Cyber podcast by Motherboard, there's an episode on Phineas Fisher, and they go through and basically just troll Joseph Menn and the publications; they picked this up by having someone with, I think, a Russian accent

reading out their speech and the book. Bug bounty program: Phineas, obviously, with that in November when they talk about the bank and they disclose the information on how they did it, they also launched a hacker bug bounty program unlike any other, in which they're offering a hundred grand for hacks on these companies. So, unsure yet if anyone has taken them up on this, but this is an open offer, allegedly. So if you can prove that you've hacked these companies, or people within these industries, you know, that's quite something, and they'll pay you money. So again, another interesting and very extensive facet of Phineas's persona: a

bit of a jester, just a bit of a joker, not taking themselves too seriously. And that is it. Thank you very much for sitting through that, and I hope it was useful, and yeah, you can follow me on Twitter. Thank you. [Applause]