Hacking Team, a controversial Italian company that sells spyware to governments and law enforcement agencies around the world, has been massively and embarrassingly hacked.
More than 400GB of highly sensitive data about clients and operations has been leaked online for anyone to download, and reveals the company has been doing business with countries such as Sudan, which are on the UN blacklist, despite it telling a UN investigation that it had no business relationship with the African country.
In most major cyberattacks, attribution is typically difficult, if not impossible. Just look at the huge Sony hack from November 2014. We are still debating who was behind that attack despite huge international attention and investigations from the FBI and highly regarded security company Mandiant.
Unless someone sticks their hand in the air and explicitly says: "I did it," then it is very hard to say for certain who is behind a particular attack.
In the case of the Hacking Team attack, while there has been no Anonymous-like bragging that Hacking Team "got pwned" one person has quietly indicated that it is behind the attack.
Last August, another highly secretive company which sells spyware, the UK-based Gamma International, was attacked and 40GB of data leaked. The data – including release notes, prices lists and source code – was published initially by a Twitter account going by the name of Phineas Fisher (@GammaGroupPR) which is a reference to Gamma International's powerful FinFisher and FinSpy spying tool.
A Reddit user of the same name said at the time: "A couple days ago I hacked in [to Gamma International] and made off with 40GB of data from Gamma's networks. I have hard proof they knew they were selling (and still are) to people using their software to attack Bahraini activists, along with a whole lot of other stuff in that 40GB."
Having tweeted some 35 times in the wake of the Gamma International hack, the account went silent until this week, when it tweeted:
While this is clearly no admission of guilt in relation to the Hacking Team attack, the account has since linked to an account of how Gamma was hacked, which is available on text-sharing website Pastebin adding that he/she would "writeup how hacking team got hacked once they've had some time to fail at figuring out what happened and go out of business."
Own by APT
The question remains however, who is Phineas Fisher?
As I have said attribution in cyberattacks is hugely problematic and even when you "know" who is behind the attack, they are typically hidden behind multiple layers of obfuscation.
Speaking with a well-placed source within the hacking community, he indicated that in order to identify the attacker, you would need to "follow common traits in the attack and methodology and try to find other groups who have carried out similar attacks".
He believes that Hacking Team was "owned by APT" (advanced persistent threat) and that the group has previous when it comes to leaking data. Additionally, the source said the group may have a link with WikiLeaks as it was among the first to post links to the leaked data on Twitter.
When asked specifically who could have carried out this attack, the source speculated that this hack was very similar to the methodology used by infamous Russian hacker Yama Tough, thought to be a member of the India-based hacker group Lords of Dharmaraja.
Back in January 2014 Yama Tough stole and released the full source code for Symantec's Norton Antivirus while trying to extort $50,000 from the company. The hacker is also thought to have been involved in the leaking documents from an Indian military server in 2014.
Back in February 2015, Yama Tough, who lives in Ukraine, told Taia Global's president Jeffrey Carr that it was Russian hackers who had breached Sony Pictures' network.
Of course this is pure speculation and likely to remain that way unless those behind the Hacking Team attack decide they want some fame and reveal their identity to the world.
Until then, as our source eloquently put it: "Attribution, my friend, is a bitch."