Wow! It’s been a crazy week so far. You may be aware of the recent data breach that struck the servers of HackingTeam. For those of you who don’t know who’s behind HackingTeam, refer to this wiki page.

It was exactly 8:26pm (UTC-05:00) when the first tweet regarding the hack was posted from the official @HackingTeam account itself. A picture of the first tweet can be found below:

Since then, a total of 16 tweets were sent. The tweets have been deleted but a backup has been made here.

In the first tweet, two links were made available to the public. Both links are hosted on encrypted servers (infotomb & mega) and redirect to a 23.6 MB .torrent file.

MD5 checksum of the file: 26183ae8f24e798a15d77dd3476f5ed9

The torrent file contains the following folders:

Upon analyzing the leaks, I’ve found the following:

1. “0day” exploits.

2. All emails between the company and its clients, available to read in .pst format.

3. A list of HackingTeam clients (some government institutions from around the globe).

4. Sophisticated programs/spyware created by HackingTeam, in source form.

5. A folder named c.pozzi [an employee named Christian Pozzi], containing some information about that employee.

6. Invoices for some (if not all) transactions made between HackingTeam and governments.





This question has crossed the mind of every single individual who was following this incident. How were they hacked? Who did it? A group? An individual?

A person came forward taking credit for being behind the attack.

gamma and HT down, a few more to go 🙂 — Phineas Fisher (@GammaGroupPR) July 6, 2015

I'll writeup how hacking team got hacked once they've had some time to fail at figuring out what happened and go out of business — Phineas Fisher (@GammaGroupPR) July 7, 2015

This notorious hacker is the same individual who breached the surveillance company Gamma [a little about Gamma here].

The hacker seems to have left a clue as to how he/she got into HackingTeam’s servers. I believe the method was a combination of social engineering & password guessing, possibly even exploiting one of HackingTeam’s web apps. The hacker could have guessed one of the employees’ passwords, which granted him access to the network, or he could have social engineered an employee into installing spyware on their computer. There are a lot of possibilities; we will never know exactly how the attack was done unless the person who was responsible speaks up.



As stated above, there is a folder named “c.pozzi” holding 869 MB of data. It contains information about a certain employee whose name is Christian Pozzi [backup here]; he works as a security engineer in the company. In that c.pozzi folder, there are 3,524 files scattered across 510 folders.

In the “screenshots” folder, we can find a bunch of screen-grab pictures taken from the hacker’s screen while monitoring Christian Pozzi’s computer. It seems that the hacker, while he/she was grabbing the database, decided to have some fun spying on the employee. This tweet from the hacker confirms my theory:



It’s surprising how a security engineer with over eight years of experience in the cyber field would choose easily guessable passwords for his accounts.



What the hacker may have done was monitor each and every move Christian Pozzi made on the internet, gather his information and find out which social media he uses, then guess the employee’s account passwords on other websites; chances are that he used the same password on HackingTeam’s servers (which turned out to be true). The steps that the hacker took in order to attack HackingTeam could have been as follows:

1. Gather information about HackingTeam’s servers, employees, subdomains, IPs and open ports.

2. Scan extensively for exploits.

3. Move on to guessing employees’ passwords.

4. The hacker succeeded in infiltrating their networks after hours (minutes?) of sniffing around trying to find a way in.

5. Take control of Christian Pozzi’s computer.

6. Start grabbing their whole cyber infrastructure (email systems, computer files, etc.).

7. Leak it on their official Twitter account.

So what happened after all that? To sum up the whole scenario:

1. Invoices leaked showing HackingTeam working with governments that are blacklisted by the UN (Sudan).

2. Emails, passwords (in clear text), client information, invoices, spyware made by the team, and 0day exploits are all available to the public.

3. 0day exploits patched; viruses/spyware made by the team got patched (or are in the process of being patched) by antivirus vendors.

4. HackingTeam.com is down.

5. Christian Pozzi’s Twitter account got hacked after he made desperate attempts at damage control; the account was later deleted.

6. Torrent still up and running, seeders increasing, more people are getting their hands on the database.

7. HackingTeam’s reputation went downhill. I’ll be surprised to see them come back again.

All in all, I would like to thank the hacker for doing this. He has protected people’s internet privacy and possibly saved the lives of human rights activists in oppressed countries.

-OxAlien.