A connection has been made between the hacker who took down Hacking Team and the individual responsible for exfiltrating 40GB of data from Gamma International last year.
The hacker was revealed to be PhineasFisher, who claimed responsibility for hacking Gamma International, makers of the FinFisher surveillance software, last year. However, attempts to get further information from the hacker were unsuccessful.
The hacker confirmed the link in a tweet to Motherboard reporter Lorenzo Franceschi-Bicchierai, who had contacted the hacker while he or she was in control of the @hackingteam Twitter account.
Little more is known about the hacker except that they have promised to attack more companies: “gamma and HT down, a few more to go :)”, they tweeted.
Meanwhile the hack is reverberating around the world as researchers delve into the files that have been made available for download via torrent.
A screenshot of a file directory from the data dump reveals a client list of some 109 company names, including many big brand names such as Coca-Cola, Agfa and Gucci, and a number of banks. The extent of Hacking Team's penetration into the banking industry is underscored by a PowerPoint document which lists 11 banks under “finance customers”. These include ABI, Barclays, ING Direct, Deutsche Bank and ABN Amro.
A Barclays Bank spokesperson, in an email to SCMagazineUK.com, confirmed that the bank was a customer of Hacking Team. “Security is our highest priority and we take all potential threats to our data extremely seriously. We are working with the Hacking Team to ascertain the scope and scale of this issue,” she said.
Vodafone and Coca-Cola have not responded to our questions.
Security experts are already drawing lessons from the incident.
Dr Guy Bunker at Clearswift said: “The tools Hacking Team provided were no different from tools already being used, except they have been commercialised to make money and then offered to the market. The ways and means that they succeed are not dissimilar to any other attack you hear about, zero-day exploits, social engineering and spear-phishing and plain old hacking...”
Bunker added: “An important lesson here – and this is not dissimilar to the Sony Pictures attack – is that what might appear to be pretty innocuous information inside an organisation is like gold dust outside of it, especially to the media... All information has a value to someone, whether it is industrial secrets, current contracts, embarrassing emails or just a list of employees – who could then be poached by a competitor. Organisations must become aware of the value of their information...”
Another source, who wished to remain anonymous, pointed out that Hacking Team is just a small to medium-size player in a crowded marketplace for government hacking tools – with a “loose sense of morals, judging by the governments they were willing to do business with”.
He said that, having done business with government agencies around the world, especially in countries like Saudi Arabia and South Sudan where the security services are very secretive, Hacking Team will have some very irate customers to deal with following the leaking of sensitive information, which included the names and email addresses of officials who weren't used to being in the limelight.
Itsik Mantin, director of security research at Imperva, said: “It is yet again a lesson for any organisations that have sensitive information – and every organisation has sensitive information – that while attempting to avoid infection and penetration one must also have plans in place to detect and contain an infection or a breach once it happens. Otherwise, they may end up making desperate attempts to contain the damage by throwing unfounded threats of legal actions and infection by malware on curious individuals that download their precious secrets from the Internet.”
Javvad Malik at AlienVault said: “Hacking Team has divided opinions for a long time, so the fact they have been breached has stirred up a lot of online debate. However, with breaches being an almost daily occurrence, it may be that outside the security community and the affected governments not many will care for very long. I think what will be most interesting is whether this will create a gap in the market where other players could sell similar services to governments that may have lost confidence in Hacking Team.”
Dr Mike Lloyd, CTO at RedSeal, said: “The great majority of breaches track back to basic, well-known issues that are obvious in hindsight, when filtered out from the vast amount of signal on what might go wrong. As an industry, we know a great deal about what to do to make solid defences, but in practice, we build weak structures filled with gaps.”
Mark James, security specialist at IT security firm ESET, said clients will be moving quickly to get rid of Hacking Team software. “The type of data found included invoices and agreements from governments and organisations they clearly have stated they have no affiliation with. Along with that, source code was found and released for their software that will cause anyone still using it to quickly get it taken offline or disabled for security reasons,” he said.
Andrew Rogoyski, head of cyber security at CGI (formerly Logica), wondered how well Hacking Team's clients had vetted them. “A supply chain assessment should be made every time you put a contract out to a third party and take a view of the risk involved, and the level of protection they have in place,” he said.
Rogoyski, also chair of TechUK's Cyber Security Group and formerly seconded to the Cabinet Office's Office of Cyber Security and Information Assurance (OCSIA), said Hacking Team may have drawn too much attention to itself: “The more you make yourself publicly identified as ‘security capable’ the more you make yourself a target – and not just by malign actors, but also those who see it as a challenge to take down people who pride themselves on their security expertise.”