Just days after transferring $11,000 in stolen bitcoins to an anti-ISIS revolutionary group in Syria, hacktivist Phineas Fisher was at it again — not just defacing the website belonging to Spain's Catalan police union, but actually posting an online tutorial showing how it was done.
Phineas Fisher, aka “Hack Back!” and “GammaGroupPR!,” is the same online agitator credited with hacking Italy-based government surveillance technology provider Hacking Team and posting a how-to guide describing the attack's methods. This new online assault on the police union, known as the Sindicat De Mossos d'Esquadra (SME), appears to be in retaliation for alleged violent acts against citizens.
Catalonia is an autonomous region in northeastern Spain, with its own police force. As part of the hack, Phineas Fisher leaked stolen data from SME's servers, including the names, financials and badge numbers of Mossos police force members. Also, on SME's Twitter page, the attacker posted images of people who are alleged victims of police brutality at the hands of Mossos officers.
The decidedly NSFW how-to video is nearly 40 minutes long and set to a series of rap and hip-hop songs including F*** tha Police by NWA. At first accessible via YouTube, the video was pulled down by Google, but versions are still circulating online.
The tools, techniques and targets chosen by Phineas Fisher could potentially offer insight into his (or her, or their) identity, or these clues could be misleading. One point that appears to be indisputable, however, is that the perpetrator has the skills and aptitude of a professional.
“What really struck me was his efficiency. That's not your typical hacktivist,” Pete Herzog, a professional hacker and security researcher, and managing director of the Institute for Security and Open Methodologies (ISECOM), told SCMagazine.com. The Spain-based security research non-profit runs several innovative programs including its Hacker Profiling Project (HPP). “He's good. He's got a smooth proficiency that comes with probably being a technical security consultant, definitely doing web app pen testing. He's practiced, he's done it a lot, he's got his hours in doing that.”
Zach Lanier, research director at Cylance, agreed, noting that the perpetrator “used a combination of tools and techniques that are typically employed by your modern red-team attacker, your pen tester.”
For instance, the attacker performed reconnaissance of the police union's site, did intelligence gathering through Google searches, masked his origin by using Tor, and used the OWASP ZAP attack proxy, an open-source web application security scanner. With such refined techniques, Lanier told SCMagazine.com that Phineas Fisher exudes the qualities of a “professional security worker throughout the day and then at night, he becomes a digital Batman.”
The attacker at points also used sqlmap, an open source tool that tests for SQL injection vulnerabilities; Kali Linux, a Linux distribution specifically designed for digital forensics and pen testing; and a few of his own custom scripts.
Herzog was particularly intrigued by Phinease Fisher's use of Kali. Not only does this further back up the theory that the hacker is professional security consultant familiar with these tools, but it also provides a window into his style and preferences. Herzog noted that many older, traditional computer forensics analysts use a similar product, BackTrack. “Which means that he upgraded to Kali… Of course, it could be for the [tutorial] video that he's suing a common platform, but he was too familiar with [Kali] to say that it's not something he uses a lot,” said Herzog.
The researchers at Cylance also took note of Phineas Fisher's unique command of multiple languages. Lanier's colleague Ryan Smith, vice president of Research at Cylance, said of the hacker's literary prowess, “Not only is the English really good, but also the style of writing is very engaging compared to other hacktivists.”
“Whoever it was, was comfortable with both Spanish and Catalan,” said Herzog, noting that he also “wrote with an English proficiency… They definitely had a ‘business English' to them.”
In this particular tutorial, Phineas Fisher primarily lets his code do the talking, but he does sneak in a couple of sarcastic barbs aimed at Mossos. At one point, the hacktivist writes: “hehe, mossos are probably too busy tear gassing protesters right now to pay attention to their server logs.”
Later, he apologizes for some inelegant, yet effective code, writing, “It's complete sh** script but it took 2 mins to write and it works so I don't bother improving it.” Herzog said that he probably wrote this, expecting fellow coders “might judge it.”
But after having just made headlines for donating stolen bitcoin currency to revolutionaries in the Rojava region of Syria, why would Phineas Fisher follow up so quickly with a second high-profile attack? One possible explanation, said Smith, is that some hacktivists work on multiple campaigns over extended periods, sometimes “four of five at a time,” queuing them up until they're ready to strike in a series of quick hits.
According to Phineas Fisher, the actual attack took place on May 15, the day before Pentecost Monday, an official holiday in Catalonia. If by chance the hacktivist is actually based in this region (thus explaining his familiarity with the language and choice of target), then it would stand to reason that a three-day weekend would offer a normally busy professional security expert an ideal window to launch several new attacks and advance his secret vigilante campaign.
While it's difficult to assess any hacktivist's true intentions, his motivations do appear to be genuine, said Smith, adding that the hacker probably believes his actions are the best way “for him to use his skill sets to cause the biggest effect” for his chosen causes.