The Weakest Link is Motherboard's third, annual theme week dedicated to the future of hacking and cybersecurity. Follow along here.
Listen to Motherboard’s new hacking podcast, CYBER, here.
At 3:15 a.m. local Italian time on July 5, 2015, the usually quiet Twitter account of the infamous spyware company Hacking Team posted a confusing message: “Since we have nothing to hide, we’re publishing our emails, files, and source code.”
The company, and its Twitter account, had gotten hacked.
The tweet included a link to a 400-gigabyte torrent file that contained all sorts of sensitive internal files: company emails, documents, contracts, spreadsheets, and spyware source code. Even at first sight, it was a devastating breach—and that was before journalists started digging into the cache, revealing Hacking Team’s list of questionable customers, its hacking techniques, and its sometimes rocky relationship with law enforcement agencies.
A vigilante hacker who goes by the name Phineas Fisher, who was infamous for breaching Hacking Team’s main competitor FinFisher in 2014, claimed responsibility for the attack. Months later, Phineas Fisher revealed how they did it in a detailed step-by-step post-mortem.
And they got away with it.
In July of this year, an Italian judge ruled that the investigation into who hacked Hacking Team should be shut down, arguing that there are no more leads to follow.
CYBER is Motherboard’s new podcast about cybersecurity. Subscribe on Apple Podcasts or any podcast app.
For the investigators, the hacker’s evasion techniques showed that they were part of “an organization that has scientifically and maniacally used techniques to evade identification.”
Phineas Fisher seemed amused, reacting to that description in an online chat with me: “lol what's that even mean, that I let out some sort of mad-scientist cackle every time I open up Tor Browser?”
More than three years after Hacking Team got owned, we still don’t know who really was behind the keyboard. After inspiring a new generation of vigilante hackers, Phineas Phisher went into hiding and hasn’t done a public hack in more than two years. We now know, however, more about how they got into Hacking Team’s systems. Hacking Team’s founder and CEO, David Vincenzetti, did not want to update his software, which meant that Phineas Fisher was able to attack an outdated system. Keeping software up-to-date is considered by many security experts to be among the most basic tips to prevent a hack.
In December of last year, prosecutors asked for the case to be dropped, arguing that they followed all the leads and could not solve the mystery of Phineas Fisher’s identity. In early July, an Italian judge responded, ruling to shut down the investigation into the Hacking Team data breach.
“I'm glad to hear they've stopped their pointless investigation that was mostly just being used as a tool by Vincenzetti to harass ex-employees that he didn't like,” Phineas Fisher told Motherboard, referring to Hacking Team’s attempts to frame former employees in the aftermath of the hack, which are detailed in the court documents.
Sealed court documents obtained by Motherboard tell the never-told tale of the digital manhunt, providing a fascinating look into how cybercriminals can stay anonymous and walk away scot-free even after embarrassing a company that provided surveillance technology to more than twenty government agencies around the world. The documents fill in some details left out by Phineas Fisher’s own account of their attack, and clear the names of the former Hacking Team employees who Vincenzetti accused of betraying the company.
They also reveal that the initial entry point into the Hacking Team network, the proverbial broken window that let the robbers in, was an out of date firewall and virtual private network system. According to sources close to the company, that firewall was still up despite the fact that the system administrators had already installed a newer one because Vincenzetti refused to upgrade. (A leaked email confirms that the VPN was left up for “a couple of exceptions.”)
“Only one user was still using it, and that’s why it had not been turned off. [...] Vincenzetti has the ultimate responsibility,” said a former Hacking Team employee, who was still at the company on the day of the hack and who spoke on condition of anonymity.
Another former employee said that the VPN and firewall was still up “literally because [Vincenzetti] couldn’t be bothered to install a software update.”
The first former employee also said that one of Hacking Team’s systems administrators was caught by Phineas Fisher playing video games such as World of Warcraft, and did not notice the hack for weeks.
“The system administrators deserve most of the blame,” the first former employee told me.
Phineas Fisher’s initial break-in was on May 22, 2015, around six weeks before they dumped the stolen files online. From there, the hacker moved stealthily through Hacking Team’s network, breaching the computers of the two system administrators on June 6, the same day they stole 290 gigabytes of information, which was the majority of the files.
On June 21, Phineas Fisher was able to get to the source code, which was inside the development network—the more sensitive area of the company—thanks to a “bridge” system installed between the dev network and the sales or commercial network, according to the court documents.
That bridge, according to people who worked at Hacking Team at the time, was installed because the administrators did not want to physically go to another office floor to manage it. With the bridge, the sources and court documents said, they could manage the dev network remotely.
“If it wasn’t for that system [Phineas Fisher] would have never arrived at the internal dev network,” the former employee told me.
To avoid getting caught, Phineas Fisher used all the tricks experienced hackers use: they made their connections anonymous by using Tor or other proxies, they hacked using penetration testing software, and they rented out the infrastructure they used to launch the attacks paying in Bitcoin.
“I'm glad to hear they've stopped their pointless investigation.“
And given that Bitcoin is, by design, relatively easy to trace, they used funds stolen from other people to pay for the servers. That was the key step that allowed Phineas Fisher to remain at large, according to the court documents analyzed by Motherboard.
“I'm ready to go to jail if I have to, but I'd rather stay free and active. It's not surprising they don't catch me,” Phineas Fisher told me. “With some basic precautions it's possible to stay anonymous on the internet.”
Some of the bitcoins Phineas Fisher used, the documents reveal, came from scratch cards bought on the website Buybitcoins.com, a site that allowed people to buy physical scratch cards that had a code on it that could then be redeemed on the site. The cryptocurrency was owned by an American citizen named Jon Davachi, who claimed to be innocent when reporters reached out to him after his name was published in the Italian press in December. Phineas Phisher told me that they stole Davachi’s bitcoins by hacking into the Buybitcoins website. The hacker’s account appears to be real given that they provided Motherboard with other non-public details that were contained in the court documents. The owner of Buybitcoins could not confirm whether his site had been hacked, but said that would explain how Phineas Fisher got the codes.
“Probably just got into my database, found some card secrets and then used a proxy when withdrawing the Bitcoin,” Buybitcoins.com’s founder Joey Rich told me.
Safe behind their digital mask, Phineas Phisher stole Hacking Team’s source code on July 4, according to the investigation.
At that point, there was nothing else to steal. That’s why they dumped everything online shortly after, Phineas Fisher told me.
Hacking Team employees at the time, when speaking with the investigators, admitted just how crucial that mistake was. And it was all because the company was more worried about selling spyware than keeping away hackers, despite the fact that just a year earlier, Phineas Fisher had embarrassed Hacking Team’s main competitor, FinFisher.
“After the attack, I realized that the internal corporate security was left in disarray in favor of the business needs of the company,” former chief technology officer Marco Valleri told investigators, according to the documents.
Daniele Milan, then chief operations manager and Vincenzetti’s right-hand, told the investigators that the company didn’t want too much security otherwise it would hinder the speed of software development.
“No one was assigned to the task of updating software,” Milan told investigators.
Hacking Team did not respond to multiple requests for comment. Vincenzetti did not respond to multiple requests for comment.
“Vincenzetti has the ultimate responsibility.”
Despite all these internal mistakes, after the hack Vincenzetti pointed the finger elsewhere. In a statement made a few days after the leak, a Hacking Team spokesperson said the hackers were likely a sophisticated group of criminals or perhaps government hackers. Vincenzetti, however, pressed charges against a group of former employees, who have been called “infidels” and “traitors,” by Vincenzetti and the Italian press. According to Vincenzetti, the five left the company and then plotted a plan to destroy it. The breach was their plan in action.
But after three years of investigation, Italian prosecutors and the judge have dropped all accusations against the five former employees.
“It’s clear that such a theory is completely groundless,” the judge wrote in her decision, referring to Vincenzetti’s accusations, “and has not found any confirmation in any of the evidence acquired during the investigation.”
For Alberto Pelliccione, one of the five former employees who was under investigation, these were “irrational and completely unfounded accusations.”
“On one hand there’s happiness because the nightmare is over,” Pelliccione, who’s now the CEO of defensive security company Reaqta, told me in a phone call after the judge’s decision. “But I also feel a grudge because for three years I have been living a nightmare I shouldn’t even have been living.”
According to the court documents, Pelliccione not only had nothing to do with the hack, but Hacking Team actively tried to frame him—and got caught. Vincenzetti told investigators that the company detected two attempts to attack Hacking Team coming from IP addresses in Malta, where Reaqta used to be based. In fact, the judge concluded, it was the other way around: someone inside Hacking Team connected to Reaqta’s network the day after the attack, in a clear—albeit clumsy—attempt to leave breadcrumbs pointing to Pelliccione. (The other alleged attack was months before the hack on the company, on May 13, 2015, when Hacking Team had already engaged private investigators to figure out whether Pelliccione and another former employee had stolen company secrets.)
The judge found that Pelliccione and fellow former employees Guido Landi, Mostapha Maanna, Serge Woon, and Alex Velasco are innocent. But also found that Phineas Fisher’s motives were “certainly political and ideological.”
When I asked the hacker what they thought about the ruling, they said that they always wanted to expose what they believe were the company’s shady dealings.
“Maybe now the prosecutors will have time to investigate the various crimes committed by Hacking Team,” Phineas Fisher told me recently, referring to the sale of Hacking Team spyware in Sudan, the company questionable hacking methods, and the sale to Mexican authorities who then used it to target dissidents. “But I don't have any illusions that prosecutors will look into any of that.”
The hacker also showed no regret, despite the fact that some of Hacking Team’s source code has been used by government hackers and criminals.
“The threat is all the government hacking tools that are still secret,” they said, “not the one I made public.”
Get six of our favorite Motherboard stories every day by signing up for our newsletter.