Phineas Fisher (also known as Phineas Phisher, Subcowmandante Marcos) is an unidentified hacktivist and self-proclaimed anarchist revolutionary. Notable hacks include the surveillance company Gamma International, Hacking Team, the Sindicat De Mossos d'Esquadra (SME, union of the Catalonian police force) and the ruling Turkish Justice and Development Party, three of which were later made searchable by WikiLeaks.

Phineas Fisher
Subcowmandante Marcos
Other namesPhinFisher, Phineas Phisher, Subcowmandante Marcos
Known forGamma International and Hacking Team breaches and leaks.
Notable workHackBack! 1–3
StyleHacktivism
MovementAnarchism, Antisec
MotiveSocial Justice, Activism
Criminal chargeCybercrime, Bank robbery
Details
VictimsHacking Team, Gamma International, AKP, Cayman Bank, Sindicat De Mossos d'Esquadra

Typically, each public attack is followed by a communique containing information about the breach, technical information in a how-to format, ASCII art, poetry and leftist and anarchist propaganda. In 2019, Fisher offered hackers a bounty of up to US$100,000 for successful hacktivism and the following year claimed to have paid out US$10,000.

Hacks

edit

Gamma International attack

edit

In 2014, Gamma International, most known for the FinFisher malware was hacked and a 40 gigabyte dump of information was released detailing Gamma's client lists, price lists, source code, details about the effectiveness of the FinFisher malware, user and support documentation and a list of classes/tutorials.[1] Months later Fisher released the first document of the HackBack! series named HackBack!: DIY Guide for those without the patience to wait for whistleblowers which claimed responsibility for the Gamma International hack as well as giving detailed instructions aimed at beginners of how to repeat a similar attacks, intending to "Inform and inspire you to go out and hack shit".[2][3]

After the release, WikiLeaks rereleased it as part of SpyFiles 4.[4]

Hacking Team attack

edit

Fisher in 2015 claimed to have successfully breached Hacking Team.[5] In the communique, which was this time released in Spanish, Fisher claimed to have breached the network through a 0-day exploit from a bug found in a SonicWall SSL-VPN embedded network device.[6][7] The exploit was subsequently patched by SonicWall before it was made public by security researcher and ex LulzSec member Darren 'Pwnsauce' Martyn who claimed "if you use these products is to unplug them, douse them in kerosene, and set them on fire. It is the only way to be safe from something seemingly developed with this level of negligence."[8][9]

After the release of the files, WikiLeaks rereleased the Hacking Team emails.[10]

Mossos D'Esquadra union attack

edit

On May 15, 2016, Phineas Fisher breached and leaked data from Sindicat De Mossos d'Esquadra (SME), the police union of the Catalonian police force. Fisher uploaded a video to YouTube of the attack and a link to a cache of personal data of officers such as full names, addresses, bank accounts and telephone numbers for more than five thousand officers, a quarter of the total force.[11][12] The Minister of the Interior, Jordi Jané i Guasch stated that the leak "does not compromise the work or investigations of the agents, but does compromise their privacy".[13] Fisher claimed that Ciutat Morta, a Catalan documentary investigating the 4F case, inspired her to commit the attack.[14]

Fisher uploaded a thirty-nine minute video after the attack to YouTube. The video consists of the attacker probing an SME website with publicly available open-source tools before using an SQL injection to dump the data. Whilst the attacker waits they show the viewer images of people who have allegedly been victim to police brutality at the hands of Mossos, a woman blinded at the 2012 Barcelona General Strike.[15] The video is set to a soundtrack themed around anti-police and overtly 'revolutionary' English and Spanish language hip-hop.[16]

Arrests

edit

In early January 2017 the mossos in conjunction with the Policía Nacional raided and arrested at least four people, including a person in Salamanca, Spain and two in the Sants district of Barcelona under suspicion of the SME attack.[17][18] A few hours after the raids were reported in the Spanish press Vice Motherboard claimed that they had been in contact with an email address previously associated with Fisher who claimed to be free at the time of contact.[19]

AKP hack

edit

In 2016, Fisher claimed responsibility for breaching networks belonging to the Turkish ruling Justice and Development Party (AKP) and stealing hundreds of thousands of emails and other files In solidarity with the Kurdish movement in Rojava and Bakur.[11][20][21] The trove which became known as The AKP Emails are archived at WikiLeaks.[11][20][22] Wikileaks caused issues with Fisher after the organization published the AKP emails despite Fisher directing them not to, potentially leaving operational and personal details vulnerable.[23][24] Fisher also accused Wikileaks of saying they knew the emails were "all spam and crap."[23]

On July 21, WikiLeaks tweeted a link to a database which contained sensitive information, such as the Turkish Identification Number, of approximately 50 million Turkish citizens.[25] The information was not in the files uploaded by WikiLeaks,[26] but in files described by WikiLeaks as "the full data for the Turkey AKP emails and more" which was archived by Emma Best, who then removed it when the personal data was discovered.[27][28]

Most experts and commentators agree that Fisher was behind the attack.[11][20][21][29]

Cayman Island National Bank and Trust hack

edit

In November 2019, DDoSecrets published over 2 terabytes of data from the Cayman Island National Bank and Trust, dubbed the Sherwood files. The files were provided by Phineas Fisher, who was previously responsible for the hack and subsequent release of Gamma Group and Hacking Team documents and emails. The files included lists of the bank's politically exposed clients and was used for studies of how elites use offshore banking.[30][31][32] The leak led to at least one government investigation.[33]

Bug bounty

edit

In Fisher's 2019 Cayman Bank hack communique, Hackback! Una guía DIY para robar bancos (Hackback! A DIY guide to robbing banks), Fisher offered hackers up to US$100,000 in either of the Bitcoin or Monero cryptocurrencies to carry out acts of hacktivism that lead to public disclosure of documents, naming it the "Hacktivist Bug Hunting Program".[34] In the communique, Fisher states that "this program is my attempt to make it possible for good hackers to earn a living in an honest way by revealing material of public interest, instead of having to go selling their work to the cybersecurity, cybercrime or business industries", going on to cite examples of companies to target such as extraction industries in Latin America, Private Military Contractors including Blackwater and Halliburton and operators of private prisons such as GEO Group and CoreCivic.[35]

MilicoLeaks

edit

In 2020, Fisher claimed to have paid US$10,000 out of the "Hacktivist Bug Hunting Program" to an anonymous hacker who leaked over two gigabytes of emails and documents from several email accounts belonging to Chilean military personnel. The archive was named MilicoLeaks by Distributed Denial of Secrets.[36] The cache of documents included over three thousand emails and one thousand documents, some related to "intelligence, finance and international relations".[37] The Chilean military confirmed the breach in an official document via Twitter.[38]

Identity

edit

The identity of Phineas Fisher is currently unknown. Fisher has been accused of being a Russian agent by tech journalist Joseph Menn in his book Cult of the Dead Cow: How the Original Hacking Supergroup Might Just Save the World. The book also claims that this is also the assumption of the state department, quoting James Lewis,[39] claims which Fisher strongly denied[23] as well as Vice Motherboard claiming from a source that "US government is actually convinced Phineas Fisher is indeed a hacktivist."[40] An Italian judge echoed this claim, saying "[Phineas Fisher’s motives were] certainly political and ideological."[41]

Fisher has issued communiques which reference Anarchism and anarchist related content such as the Zapatista Army of National Liberation as well as labeling herself an 'anarchist-revolutionary'.[35] Phineas has also done an interview with Blackbird of the CrimethInc Ex-Workers Collective, an anarchist media collective based mostly in the Americas.[42] The name "Phineas Fisher" is a play on the name of the FinFisher malware developed by Gamma International.[43] "Subcowmandante Marcos" is a word play on the former Zapatista Army of National Liberation spokesperson Subcomandante Marcos. The Cayman National Bank hack communique featured ASCII art of a cow with a pipe reminiscent of a famous image of Marcos and used the well-known Zapatista slogan "Para que nos vieran, nos tapamos el rostro" ("In order to be seen, we covered our faces").[35][44]

See also

edit

Further reading

edit
  • Archive of HackBack! zines and communiques. (The Anarchist Library)
  • Archive of Phineas Fisher related articles published by Vice News.

References

edit
  1. ^ Blue, Violet. "Top gov't spyware company hacked; Gamma's FinFisher leaked". ZDNet. Archived from the original on December 4, 2020. Retrieved March 3, 2021.
  2. ^ Fisher, Phineas (2014). "Hack Back – DIY Guide for those without the patience to wait for whistleblowers". Gist. Archived from the original on March 18, 2021. Retrieved March 3, 2021.
  3. ^ "A Notorious Hacker Is Trying to Start a 'Hack Back' Political Movement". www.vice.com. May 23, 2016. Archived from the original on February 16, 2021. Retrieved March 3, 2021.
  4. ^ "WikiLeaks - SpyFiles 4". wikileaks.org. Retrieved July 26, 2022.
  5. ^ "Hacking Team, Bayelsa Govt's Internet Surveillance Contractor, Hacked". AllAfrica.com. July 6, 2015. ProQuest 1694585911. Hacking Team is yet to officially comment on the hack, 16 hours after the perceived attacker, Phineas Fisher, announced the attack on Twitter.
  6. ^ "HackBack! 2". Gist. p. Section 5.3 - Technical Exploitation. Retrieved March 23, 2021. A 0day in an embedded device seemed like the easiest option, and after two weeks of work reverse engineering, I got a remote root exploit.
  7. ^ Constantin, Lucian (April 18, 2016). "Hacker: This is how I broke into Hacking Team". CSO Online. Retrieved March 23, 2021.
  8. ^ "Former LulzSec Hacker Releases VPN Exploit Used to Hack Hacking Team". www.vice.com. January 25, 2021. Retrieved August 2, 2021.
  9. ^ "VisualDoor: SonicWall SSL-VPN Exploit". Darren Martyn. January 24, 2021. Retrieved August 2, 2021.
  10. ^ "WikiLeaks - The Hackingteam Archives". wikileaks.org. Retrieved July 26, 2022.
  11. ^ a b c d Catalin, Cimpanu (January 31, 2017). "Spanish Police Claim to Have Arrested Phineas Fisher – Hacking Team Hacker". BleepingComputer. Archived from the original on November 12, 2020. Retrieved February 25, 2021.
  12. ^ Borràs, Enric (February 1, 2017). "Els Mossos arresten tres persones per la filtració de dades personals 5.540 policies". Ara.cat (in Catalan). Archived from the original on March 18, 2021. Retrieved February 25, 2021.
  13. ^ "Hackeado el Twitter del Sindicat de Mossos d'Esquadra". La Vanguardia (in Spanish). May 18, 2016. Archived from the original on July 25, 2016. Retrieved February 25, 2021.
  14. ^ Ara (May 20, 2016). ""Phineas Fisher: Ciutat morta' em va animar a fer un senzill atac als Mossos", portada de l'ARA". Ara.cat (in Catalan). Archived from the original on March 18, 2021. Retrieved February 25, 2021. "'Ciutat morta' em va animar a fer un senzill atac als Mossos".
  15. ^ Carranco, Rebeca (December 13, 2012). "Police chief resigns over woman who lost eye during strike demonstrations". EL PAÍS. Archived from the original on March 18, 2021. Retrieved February 25, 2021.
  16. ^ Cox, Joseph (May 19, 2016). "A Notorious Hacker Just Released a How-To Video Targeting Police". www.vice.com. Archived from the original on February 16, 2021. Retrieved February 25, 2021.
  17. ^ Borràs, Enric (February 1, 2017). "Els Mossos arresten tres persones per la filtració de dades personals 5.540 policies". Ara.cat (in Catalan). Archived from the original on March 18, 2021. Retrieved February 25, 2021.
  18. ^ "Spain: 4 engineers investigated over 'Phineas Fisher' hack". phys.org. Archived from the original on November 11, 2020. Retrieved February 25, 2021.
  19. ^ "Notorious Hacker Phineas Fisher: I'm Alive and Well". www.vice.com. January 31, 2017. Archived from the original on November 23, 2020. Retrieved February 25, 2021.
  20. ^ a b c Uchill, Joe (January 31, 2017). "Report that Spanish police arrest hacktivist Phineas Fisher disputed". The Hill. Retrieved April 26, 2022.
  21. ^ a b "Notorious Hacker 'Phineas Fisher' Says He Hacked The Turkish Government". www.vice.com. July 21, 2016. Retrieved April 23, 2022.
  22. ^ "WikiLeaks – Search the AKP email database". wikileaks.org. Archived from the original on July 19, 2016. Retrieved March 18, 2021.
  23. ^ a b c "Vigilante Hacker 'Phineas Fisher' Denies Working for the Russian Government". www.vice.com. July 23, 2019. Retrieved April 11, 2021.
  24. ^ Fisher, Phineas. Phineas Fisher AKP-WikiLeaks Statement.
  25. ^ Tufekci, Zeynep (July 25, 2016). "WikiLeaks put Women in Turkey in Danger, for No Reason". The World Post. Retrieved December 3, 2016.
  26. ^ Murdock, Jason (July 26, 2016). "WikiLeaks criticised for tweeting link to leaked database of millions of Turkish women". International Business Times UK. Retrieved March 12, 2017.
  27. ^ Best, Emma (July 26, 2016). "The Who and How of the AKP Hack, Dump and WikiLeaks Release". Glomar Disclosure. Archived from the original on September 1, 2016. Retrieved July 30, 2016.
  28. ^ "How 'Kind of Everything Went Wrong' With the Turkey Data Dump". July 28, 2016. Retrieved July 30, 2016.
  29. ^ "The CyberWire Daily Briefing 07.22.16". The CyberWire. Archived from the original on December 5, 2020. Retrieved March 18, 2021.
  30. ^ "Massive Hack Strikes Offshore Cayman National Bank and Trust". UNICORN RIOT. November 17, 2019. Retrieved February 17, 2021.
  31. ^ Collin, Matthew (May 5, 2021). "The hacker, the tax haven, and what $200 million in offshore deposits can tell us about the fight against illicit wealth". Brookings. Retrieved May 6, 2021.
  32. ^ Collin, Matthew (May 5, 2021). "What lies beneath: Evidence from leaked account data on how elites use offshore banking". Brookings. Retrieved May 6, 2021.
  33. ^ "Tax authorities investigate new leaks incriminating Belgians". The Brussels Times. December 22, 2019. Retrieved May 23, 2021.
  34. ^ "Phineas Fisher Offers $100,000 Bounty to Hack Banks and Oil Companies". www.vice.com. November 17, 2019. Archived from the original on November 13, 2020. Retrieved February 25, 2021.
  35. ^ a b c Marcos, Subcowmandante. "Hackback! Una guía DIY para robar bancos". Archived from the original on November 17, 2020. Retrieved February 25, 2021.
  36. ^ Franceschi-Bicchierai, Lorenzo (March 26, 2020). "Phineas Fisher Says They Paid $10,000 Bounty to Person Who Hacked Chilean Military". www.vice.com. Archived from the original on February 21, 2021. Retrieved February 25, 2021.
  37. ^ Mostrador, El (December 14, 2019). "Ejército confirma hackeo a cuentas de correo e inicia peritaje para encontrar a los responsables". El Mostrador (in Spanish). Archived from the original on March 18, 2021. Retrieved February 25, 2021.
  38. ^ "Ejército de Chile – Comunicado Oficial". Twitter (in Spanish). December 14, 2019. Archived from the original on December 15, 2019. Retrieved February 25, 2021.
  39. ^ Menn, Joseph (2019). "CHAPTER 11> MIXTER, MUENCH, AND PHINEAS". Cult of the Dead Cow : how the original hacking supergroup might just save the world (First ed.). New York: PublicAffairs. pp. Chapter 11. ISBN 978-1-5417-6238-1. OCLC 1056778895. Even without the relationship with WikiLeaks, an equally logical explanation would be that Phineas is a Russian intelligence project. Indeed, that was Washington's private conclusion. Within US intelligence, "it's generally assumed to be Russians," said Jim Lewis, a well-connected longtime senior State Department official and negotiator on global internet issues. "It's consistent with Russian activities in other areas."
  40. ^ "Vigilante Hacker 'Phineas Fisher' Denies Working for the Russian Government". www.vice.com. July 23, 2019. Archived from the original on February 25, 2021. Retrieved March 17, 2021.
  41. ^ "Hacking Team Hacker Phineas Fisher Has Gotten Away With It". www.vice.com. November 12, 2018. Retrieved March 18, 2021.
  42. ^ "CrimethInc. : HackBack! Talking with Phineas Fisher : Hacking as Direct Action against the Surveillance State". CrimethInc. June 5, 2018. Archived from the original on November 25, 2020. Retrieved March 17, 2021.
  43. ^ Franceschi-Bicchierai, Lorenzo (July 20, 2016). "Hacker 'Phineas Fisher' Speaks on Camera for the First Time—Through a Puppet". www.vice.com. Archived from the original on December 9, 2020. Retrieved February 24, 2021. That's a dumb name though, just the first play on FinFisher I could think of and I haven't hacked them in a while.
  44. ^ Subcomandante Marcos (March 28, 1995). "La flor prometida". El País (in Spanish). ISSN 1134-6582. Archived from the original on December 31, 2020. Retrieved February 25, 2021. Y miren lo que son las cosas porque, para que nos vieran, nos tapamos el rostro; para que nos nombraran, nos negamos el nombre; apostamos el presente para tener futuro; y para vivir... morimos.