Alleged attacker posts how-to account of Hacking Team infiltration

There’s a saying that nothing on the Internet should be trusted — at least without verification. So it’s up to you to decide if a recent entry on Pastebin by a person claiming to be responsible for the data breach at Hacking Team and explaining how it was done is true.

At least one security Web site says it’s essential reading for CISOs. Without being able to verify the identity and author of the post I won’t go that far, which is why I’m not including a link to the piece. But the story does make sense, and part of it is worth infosec teams thinking about.

Hacking Team, you’ll recall, is an Italian company that sells security monitoring solutions to law enforcement agencies — and, allegedly, some unsavoury governments — including tools for taking advantage of software vulnerabilities. Last year an unknown person or persons got into its network and leaked several hundred gigabytes of data, including alleged internal e-mails, invoices, and source code, and a number of zero-day vulnerabilities the company had discovered that presumably could be used against criminals.

The Pastebin author’s account is that Hacking Team was attacked to end its “human rights abuses.” The end of the story is that he/she gained access to the unencrypted password list of users — including the domain administrator, whose password was P4ssword.

But the intrusion started with the attacker looking for a zero-day exploit in an embedded device. After two weeks of reverse-engineering work, a remote root exploit was created. “I wrote a backdoored firmware, and compiled various post-exploitation tools for the embedded device,” writes the author. “The backdoor serves to protect the exploit. Using the exploit just once and then returning through the backdoor makes it harder to identify and patch the vulnerabilities.”

Once inside, the attacker scanned the network and discovered a vulnerability where it would least be expected: insecure backups on iSCSI devices. These were supposed to be on a separate network, but nmap found a few in the same subnetwork. Some computer skills were needed to mount the backups from a VPS. Once there, the attacker found unencrypted backups of virtual machines, and in them the password list, which led to the opening of the Exchange server and staff communications.
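The segmentation failure described above is the kind of thing a defender can verify routinely rather than discover after the fact. What follows is an added example, not code from the article or from the Pastebin post: a Python script that reads the grepable (-oG) output of an nmap scan the defender has run from a general-purpose subnet and flags any host offering iSCSI (TCP 3260) outside the subnets where a hypothetical segmentation policy permits it. The host addresses, the storage subnet and the scan lines are constructed for the example.

```python
"""Flag iSCSI targets reachable from outside the storage segment.

Added example, not part of the article. Assumes a segmentation policy
under which iSCSI (TCP 3260) may only be offered by hosts in designated
storage subnets, and that the defender ran `nmap -oG` from a general-purpose
segment. All addresses and scan lines below are constructed.
"""
import ipaddress
import re
from typing import Iterator, List, Tuple

ISCSI_PORT = 3260

# Constructed sample of `nmap -oG` output (hypothetical hosts and addresses).
# Grepable format: tab-separated fields; each port entry is
# port/state/proto/owner/service/rpc/version/
SAMPLE_SCAN = """\
# Nmap scan initiated (constructed sample)
Host: 10.0.1.5 ()\tPorts: 22/open/tcp//ssh///, 3260/open/tcp//iscsi///\tIgnored State: closed (998)
Host: 10.0.1.20 ()\tPorts: 445/open/tcp//microsoft-ds///\tIgnored State: closed (999)
Host: 10.0.9.7 ()\tPorts: 3260/open/tcp//iscsi///\tIgnored State: closed (999)
Host: 10.0.1.33 ()\tPorts: 3260/filtered/tcp//iscsi///\tIgnored State: closed (999)
# Nmap done
"""

# Hypothetical policy: the only subnet allowed to expose iSCSI targets.
STORAGE_SUBNETS = [ipaddress.ip_network("10.0.9.0/24")]

PortEntry = Tuple[int, str, str, str]  # (port, state, proto, service)


def parse_grepable(text: str) -> Iterator[Tuple[str, List[PortEntry]]]:
    """Yield (ip, port entries) for every 'Host:' line in nmap -oG output."""
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        ip = fields[0].split()[1]  # "Host: 10.0.1.5 ()" -> "10.0.1.5"
        ports: List[PortEntry] = []
        for field in fields[1:]:
            if not field.startswith("Ports: "):
                continue
            for entry in field[len("Ports: "):].split(", "):
                parts = entry.split("/")
                if len(parts) < 5 or not parts[0].isdigit():
                    continue
                ports.append((int(parts[0]), parts[1], parts[2], parts[4]))
        yield ip, ports


def find_stray_iscsi(text: str, storage_subnets=STORAGE_SUBNETS) -> List[str]:
    """Return IPs with an *open* iSCSI port that sit outside the storage subnets.

    Filtered or closed entries are ignored: the concern is a target that a
    host on the general segment can actually mount.
    """
    stray: List[str] = []
    for ip, ports in parse_grepable(text):
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in storage_subnets):
            continue  # permitted location for an iSCSI target
        for port, state, proto, service in ports:
            if state == "open" and proto == "tcp" and (port == ISCSI_PORT or service == "iscsi"):
                stray.append(ip)
                break
    return stray


if __name__ == "__main__":
    for ip in find_stray_iscsi(SAMPLE_SCAN):
        print(f"iSCSI target reachable outside the storage segment: {ip}")
```

Run against the constructed sample the script reports only 10.0.1.5: 10.0.9.7 is inside the permitted subnet and 10.0.1.33 shows the port as filtered, not open. A finding from this check is a segmentation or firewall defect to fix; pairing it with encrypted backups and initiator ACLs on the storage side limits the damage if a target is ever exposed again.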

I’ve simplified the process, but the point I got out of it is that infosec teams need to be more imaginative if they want to secure their enterprises.

As for whether the story is true, a hacker who sees himself as a white knight might indeed post such a detailed account. Or, if you’re a conspiracy buff, an intelligence agency might spread the story to warn CISOs to be more careful.

Either way, it’s worth thinking about.

Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com