VI. CONCLUSION

As far as the authors are aware, this is the first academic analysis of Phineas Fisher and the first paper to provide a technical analysis of the ‘hacktivist’ threat to critical infrastructure. We have taken a previously unknown threat actor and identified a set of tactics and techniques which may be used to mitigate future attacks. We are in the process of submitting this threat actor to the MITRE ATT&CK (ATT&CK) knowledge base, where it will be available to other researchers and security practitioners. More broadly, further research is also needed to detect and prevent such threat actors within the industrial control landscape.

A NOTE ON REPRODUCIBILITY

All information used in the creation of these models is cited in the main body of the text. Since some of the manifestos were difficult to obtain, we maintain a local copy[4], which includes the individual ATT&CK models as well as the combined model discussed in this manuscript.

ACKNOWLEDGEMENTS

The authors wish to thank the reviewers for their helpful feedback. We also wish to extend our thanks to the hosts of the Risky Biz podcast (Patrick Gray and Adam Boileau), who provided enlightening reports into Fisher’s exploits and brought Fisher to the authors’ attention.

REFERENCES

[1] ESET, “Industroyer: Biggest threat to industrial control systems since Stuxnet,” p. 17. [Online]. Available: https://www.welivesecurity.com/2017/06/12/industroyer-biggest-threat-industrial-control-systems-since-stuxnet/

[2] J. Slowik, “CRASHOVERRIDE: Reassessing the 2016 Ukraine Electric Power Event as a Protection-Focused Attack.” [Online]. Available: https://dragos.com/resource/crashoverride-reassessing-the-2016-ukraine-electric-power-event-as-a-protection-focused-attack/

[3] I. Ghafir, J. Saleem, M. Hammoudeh, H. Faour, V. Prenosil, S. Jaf, S. Jabbar, and T. Baker, “Security threats to critical infrastructure: The human factor,” vol. 74, no. 10, pp. 4986–5002.

[4] R. White, “Risk Analysis for Critical Infrastructure Protection,” in Critical Infrastructure Security and Resilience: Theories, Methods, Tools and Technologies, ser. Advanced Sciences and Technologies for Security Applications, D. Gritzalis, M. Theocharidou, and G. Stergiopoulos, Eds. Springer International Publishing, pp. 35–54.

[5] P. Fisher. HackBack - A DIY Guide To Rob Banks. [Online]. Available: https://packetstormsecurity.com/files/155392/HackBack-A-DIY-Guide-To-Rob-Banks.html

[6] M. Rudner, “Cyber-Threats to Critical National Infrastructure: An Intelligence Challenge,” vol. 26, no. 3, pp. 453–481.

[7] K. Stouffer, V. Pillitteri, S. Lightman, M. Abrams, and A. Hahn, “Guide to Industrial Control Systems (ICS) Security.”

[8] Department of Homeland Security. DHS warns Anonymous may target critical infrastructure. [Online]. Available: https://web.archive.org/web/20180916124235/http://www.homelandsecuritynewswire.com

[9] O. Yaron, “Hackers Threaten Cyber Attack Against Israel; Mossad, IDF Websites Down.” [Online]. Available: https://www.haaretz.com/1.5207001

[10] ICS-CERT, “Incident Response Summary Report (2009-2011),” p. 17. [Online]. Available: https://ics-cert.us-cert.gov/Other-Reports

[11] B. E. Strom, J. A. Battaglia, M. S. Kemmerer, W. Kupersanin, D. P. Miller, C. Wampler, S. M. Whitley, and R. D. Wolf, “Finding Cyber Threats with ATT&CK-Based Analytics.” [Online]. Available: https://www.mitre.org/publications/technical-papers/finding-cyber-threats-with-attck-based-analytics

[12] B. E. Strom, A. Applebaum, D. P. Miller, K. C. Nickels, A. G. Pennington, and C. B. Thomas, “MITRE ATT&CK : Design and Philosophy.” [Online]. Available: https://www.mitre.org/publications/technical-papers/mitre-attack-design-and-philosophy

[13] A. Shostack, Threat Modeling: Designing for Security. Wiley.

[14] E. M. Hutchins, M. J. Cloppert, and R. M. Amin, “Intelligence-driven computer network defense informed by analysis of adversary campaigns and intrusion kill chains,” vol. 1, no. 1, p. 80.

[15] [Online]. Available: https://www.vice.com/en_us/article/78kwke/hacker-phineas-fisher-hacking-team-puppet

[16] J. Larson and M. Tigas. Leaked Docs Show Spyware Used to Snoop on U.S. Computers. [Online]. Available: https://www.propublica.org/article/leaked-docs-show-spyware-used-to-snoop-on-u.s.-computers

[17] M. Marquis-Boire and B. Marczak. From Bahrain With Love: FinFisher’s Spy Kit Exposed. [Online]. Available: https://citizenlab.ca/2012/07/from-bahrain-with-love-finfishers-spy-kit-exposed/

[18] P. Fisher, “Hack Back: A DIY Guide for those without the patience to wait for whistleblowers.”

[19] J.M. Porup. How Hacking Team got hacked. [Online]. Available: https://arstechnica.com/information-technology/2016/04/how-hacking-team-got-hacked-phineas-phisher/

[20] L. Franceschi-Bicchierai. The Vigilante Who Hacked Hacking Team Explains How He Did It. [Online]. Available: https://www.vice.com/en_us/article/3dad3n/the-vigilante-who-hacked-hacking-team-explains-how-he-did-it

[21] P. Fisher. HackBack - A DIY Guide (HackingTeam). [Online]. Available: https://www.exploit-db.com/exploits/41915

[22] Collective. HackBack! Talking with Phineas Fisher: Hacking as Direct Action against the Surveillance State. [Online]. Available: https://crimethinc.com/2018/06/05/hackback-talking-with-phineas-fisher-hacking-as-direct-action-against-the-surveillance-state

[23] A. Greenberg, “WikiLeaks Dumps ’Erdogan Emails’ After Turkey’s Failed Coup.” [Online]. Available: https://www.wired.com/2016/07/wikileaks-dumps-erdogan-emails-turkeys-failed-coup/

[24] E. Best. Renowned hacker and former WikiLeaks source Phineas Fisher says organization misled people about their files. [Online]. Available: https://emma.best/2019/07/18/hacker-wikileaks-source-phineas-fisher-says-organization

[25] L. Franceschi-Bicchierai. Hacking Team Hacker Phineas Fisher Is Taking a Break Because of Stress. [Online]. Available: https://www.vice.com/en_us/article/xy5enw/hacking-teams-phineas-fisher-will-return-but-only-after-a-break-at-the-beach

[26] ——. Phineas Fisher Offers $100,000 Bounty to Hack Banks and Oil Companies. [Online]. Available: https://www.vice.com/en_us/article/vb5agy/phineas-fisher-offers-dollar100000-bounty-for-hacks-against-banks-and-oil-companies

[27] J. Cox. Offshore Bank Targeted by Phineas Fisher Confirms It Was Hacked. [Online]. Available: https://www.vice.com/en_ca/article/ne8p9b/offshore-bank-targeted-phineas-fisher-confirms-hack-cayman-national-bank

[28] L. Franceschi-Bicchierai. Hacking Team Hacker Phineas Fisher Has Gotten Away With It. [Online]. Available: https://www.vice.com/en_us/article/3k9zzk/hacking-team-hacker-phineas-fisher-has-gotten-away-with-it

[29] ——. Vigilante Hacker Phineas Fisher Denies Working for the Russian Government. [Online]. Available: https://www.vice.com/en_ca/article/qv7y8m/vigilante-hacker-phineas-fisher-denies-working-for-the-russian-government

[30] P. Maynard, K. McLaughlin, and S. Sezer, “Modelling Duqu 2.0 Malware using Attack Trees with Sequential Conjunction,” in 2nd International Conference on Information Systems Security and Privacy.

Authors:

(1) Peter Maynard, Centre for Secure Information Technology, Queen’s University Belfast, UK (p.maynard@qub.ac.uk);

(2) Kieran McLaughlin, Centre for Secure Information Technology, Queen’s University Belfast, UK (kieran.mclaughlin@qub.ac.uk).
This paper is available on arXiv under a CC0 1.0 license.

[4] https://github.com/PMaynard/Viva-Phineas-Fisher