
Big Fish, Little Fish, Critical Infrastructure: An Analysis of Phineas Fisher and the 'Hacktivist' Threat to Critical Infrastructure

The hacktivist threat actor is listed in many risk decision documents, yet their tactics and techniques often remain a mystery. We create a MITRE ATT&CK (ATT&CK) model of a well-known hacktivist who goes under the pseudonym of Phineas Fisher, and map that threat to critical infrastructure. The analysis is derived from hacker manifestos, journalist reporting, and official government documentation. It fills a gap in current threat models by better defining what skills and methods a determined hacker might employ. This paper also identifies seven essential mitigations which critical infrastructure operators and asset owners can deploy to prevent such intrusions by hacktivists. We are in the process of contributing this threat actor to the ATT&CK knowledge base.



I Introduction

State actors are widely considered to be the default threat actors to critical infrastructure, since they are the threat most often discussed in the media. For example, in 2017 the malware CrashOverride [eset_industroyer_2017] was found to have been used in the 2016 power outages in Ukraine, which saw the manipulation of industrial control devices, resulting in a few hours of downtime in a localised area. A report published in 2019 [slowik_crashoverride_2019] suggests that their objective was to disable the whole country’s power grid for a much longer period. While it may make little practical difference to an operator who the intruder is, it is good practice to have a solid comprehension of what tactics and techniques an adversary may deploy. In this instance, the creators had time and money to devote to the development of a sophisticated piece of malware, specifically designed to compromise the target. The skills and techniques they deployed are well understood, and attacks like these are becoming more common. However, the techniques and tactics used by less resourced actors often go undiscussed.

State-of-the-art literature [ghafir_security_2018, white_risk_2019] does not detail the technical threats which a hacktivist might employ, since it is hard to obtain such information without identifying and investigating the intruder. We therefore perform an analysis of a well-known hacktivist who goes under the pseudonym of Phineas Fisher (see section IV). The majority of this analysis is based on their self-published manifestos, which break down the steps taken to compromise their targets, and it is further supported by news reporting and academic literature. From this we derive an ATT&CK model of their techniques, and identify ways that an equivalently capable hacktivist like Fisher might compromise critical infrastructure. Based on this research, we identify seven mitigations which may be deployed within an industrial network. This work was motivated by a publication by Fisher in November 2019, which stated ‘I will pay up to 100 thousand USD for each filtration of this type, according to the public interest and impact of the material…’ [fisher_hackback_2019], and in which they advocate intrusion into oil, gas, mining, logging and livestock companies, and surveillance companies such as the NSO Group, among others. While we do not intend to make judgements on the political aims of such ‘hacktivism’, this call to arms, together with the lack of insight into hacktivist methods, makes clear the need for further technical analysis.

The remainder of the paper discusses related work (§II), introduces the ATT&CK model (§III) and the hacktivist known as Phineas Fisher (or Phisher) (§IV), then offers an analysis of Fisher’s attacks (§V-A) and how this threat may be mapped to critical infrastructure (§V-B), followed by proposed mitigations (§V-C) and concluding remarks (§VI).

II Related Work

To date, several studies have investigated threats to critical infrastructure and industrial control systems. One such paper, by Rudner [rudner_cyber-threats_2013], identified several threat actors: international terrorism, state-sponsored terrorism, espionage and sabotage, malevolent hacktivism, and insider threats. Rudner examines the declared intentions, strategies, objectives and demonstrated capabilities of those entities known to have threatened critical national infrastructure. These threats align with the definitions in the NIST SP 800-82 Guide to Industrial Control Systems Security [stouffer_guide_2015], which lists four primary adversary actors: individual; group; organisation; and nation-state. Yet neither of these publications defines what actions these actors may take against their targets.

The most relevant threat for our investigation is ‘malevolent hacktivism’, for which Rudner cites a United States Department of Homeland Security warning that Anonymous may target critical infrastructure [department_of_homeland_security_dhs_2011] “as part of its green energy agenda”, specifically in support of the environmentalist campaign against the Alberta Oil Sands and the proposed Keystone XL oil pipeline. Two other groups are listed (Deep Green Resistance and Fertile Ground), who in 2011/12 declared an intention to target critical infrastructure. Fertile Ground propounded¹ the view that critical infrastructure is highly vulnerable and poorly designed, so that cyber attacks striking at key nodes could have a significant impact. As of early 2020, the authors have been unable to find any incidents that could be attributed to them.

¹ Based on private communication from a senior security officer in the Canadian energy industry, January 2012 [rudner_cyber-threats_2013].

While a variety of incidents have been attributed to Anonymous, none appear to (or have been publicly reported to) directly affect critical infrastructure. Meanwhile, Anonymous has claimed [yaron_hackers_2011] they have access to the Stuxnet source code, but there has been no evidence that they have used it. Moreover, Stuxnet was designed to run on a specific site and is not particularly useful on its own.

The human threat to critical infrastructure is discussed by Ghafir [ghafir_security_2018], who proposes a system to improve the security awareness of employees in business environments. Of particular interest is Ghafir’s discussion of social engineering and its attack strategies, which suggests the use of Kevin Mitnick’s attack cycle: research; develop trust; exploit trust; and utilise information. In emergencies, where many dispersed departments and business partners all need to interoperate, social engineering becomes a very real threat to critical infrastructure. Indeed, as reported by [ics-cert_incident_2012], spear-phishing is a common entry point. Nonetheless, the security awareness delivery method proposed by Ghafir does not appear particularly suited to SCADA/ICS systems, since it adds ‘pop-ups’ to employees’ workflows along with additional network connections.

Generally, the current body of research describes intrusions at a very abstract level, and focuses primarily on the motivation and description of the different types of threat actor. There is a lack of detailed technical analysis of the skills a hacktivist may employ when compromising critical infrastructure. One might assume there is no difference between a hacktivist and a state actor; and since no publicly attributed attack on critical infrastructure has been performed by an individual hacktivist or group of hacktivists, one could assume they would follow the existing intrusion trends reported by ICS-CERT. This paper aims to explore these assumptions.

III ATT&CK

Released in 2015, ATT&CK [strom_finding_2017] is a curated knowledge base of adversary behaviours. ATT&CK has three main corpora: PRE-ATT&CK, mobile, and enterprise. This paper considers the enterprise version, since it is designed for Microsoft Windows and Linux based operating systems. The knowledge base consists of adversary tactics (why) and techniques (how), which defenders can use to determine how secure their systems are. Tactics serve as useful contextual categories for individual techniques and cover standard notations for things adversaries do during an operation, such as persist, discover information, move laterally, execute files, and exfiltrate data. Techniques represent how an adversary achieves a tactical objective by performing an action. As detailed in [strom_mitre_2018], ATT&CK has multiple applications: adversary emulation; red teaming; behavioural analytics development; defensive gap assessment; SOC maturity assessment; and cyber threat intelligence enrichment. This paper uses the model to analyse the threat of Fisher to critical infrastructure; in a sense, a gap assessment is performed based on the hacktivist threat.

Unlike other models such as Microsoft’s STRIDE [shostack_threat_2014] and Lockheed Martin’s Cyber Kill Chain [hutchins_intelligence-driven_2011], ATT&CK is not highly abstracted from low level concepts, but at the same time it does not include low level details such as IoCs, exploits, or vulnerabilities. Fig. 1 shows the level of abstraction between high, mid, and low level models. The knowledge base is grounded in observed and plausible adversary behaviours that are likely to be encountered, rather than theoretical techniques that are unlikely to be seen due to difficulty of use or low utility. The behaviours described by the ATT&CK model can be encoded into intrusion detection systems (IDS) as signatures, and are also accompanied by potential countermeasures.

[Fig. 1 shows three tiers ordered by level of abstraction: High-level Models (Lockheed Martin Kill Chain, Microsoft STRIDE); Mid-level Model (MITRE ATT&CK™); Low Level Concepts (Exploit & Vulnerability databases).]

Fig. 1: Abstraction levels of models and threat knowledge databases [strom_mitre_2018]

IV Phineas Fisher

Phineas Fisher is a pseudonym [franceschi-bicchierai_hacker_2016] used by a hacker who identifies as female [fisher_hackback_2019], and who has claimed and verified responsibility for many high profile intrusions and data leaks. In 2014, Fisher targeted Gamma Group [jeff_larson_leaked_2014]. Gamma Group sells surveillance software to governments and police forces around the world, many of which have been criticised by human rights organisations [marquis-boire_bahrain_2012]. After releasing Gamma Group’s client list, source code, and private details, Fisher published a step-by-step guide [fisher_hack_2014] on how she compromised their systems.

One year later, in 2015, Fisher compromised, then published the details and source code of, another surveillance company called Hacking Team [j.m._porup_how_2016, franceschi-bicchierai_vigilante_2016], accompanied by another write-up of her methods [fisher_hackback_2016].

In May 2016, she hacked the Catalan police union website [collective_hackback!_2018], defacing it and then leaking the personal information of around 5,000 police officers. Fisher created a video recording of the steps taken in the hack, which showed simple vulnerabilities in their systems. In response to this hack, the police force carried out raids on social centres and hacker labs², where they claimed they had arrested Fisher. Shortly thereafter Fisher communicated with the media, and agreed to give an interview to Vice News [franceschi-bicchierai_hacker_2016].

² A place for technology hobbyists and enthusiasts to meet; not related to illegal activities.

On the 19th of July 2016, Fisher compromised the Turkish Justice and Development Party (AKP) network [greenberg_wikileaks_2016], and was collecting data to hand over to WikiLeaks. While Fisher specifically [emma_best_renowned_2019] told them not to release the data, this was ignored. This hack was not accompanied by a walkthrough guide, and subsequently Fisher became inactive for a time [franceschi-bicchierai_hacking_2017].

In November 2019, Fisher leaked the internal emails of the Cayman Bank and Trust Company, located on the Isle of Man [franceschi-bicchierai_phineas_2019]. Along with this leak, she also stole a large sum of money from the bank. This theft has been confirmed, and took place in 2016 [cox_offshore_2019]. As with the other attacks, she published a post-mortem [fisher_hackback_2019], and also offered a 100,000 USD bounty for hacks of banks and oil companies that could lead to the disclosure of documents in the public interest. To this day no one appears to have been able to identify who Phineas Fisher is, and the Italian investigation into the Hacking Team hack was closed without answers [franceschi-bicchierai_hacking_2018]. While there is some speculation that Phineas Fisher might be a government operation, it is widely believed that she is a hacktivist [franceschi-bicchierai_vigilante_2019]. Fisher’s primary message is to start a revolution of hackers who will hack for the social good and target companies that are deemed ‘evil and corrupt’. By publishing her post-mortem documents, she has shown the simple techniques needed to break into these systems. In the case of critical infrastructure such as ICS, it is therefore valuable to identify how much of a threat hacktivists like Phineas Fisher pose to these systems.

V Analysis

This section presents an analysis of Phineas Fisher’s intrusions, followed by a discussion of the consequent potential threat to critical infrastructure, and possible detection methods.

V-A Analysis of Fisher’s Intrusions

The ATT&CK framework currently has 266 techniques in the enterprise matrix; from these we have chosen a subset which represents Phineas Fisher’s tactics and techniques. This is based on her self-published breakdowns of each attack [collective_hackback!_2018, fisher_hack_2014, fisher_hackback_2016, fisher_hackback_2019], and is presented in Table I. The table follows the standard ATT&CK presentation format, where the column headers describe the adversary tactics, while the remaining cells describe the techniques that were performed by Fisher. Each of the tactics is now discussed in turn. Each technique is mapped back to its source: A, Gamma Group; B, Hacking Team; C, Police Union; D, Cayman Bank. Techniques that were not explicitly stated are noted with an ‘I’, which denotes ‘inferred’ from the context. Cells with a red background are mitigated by the countermeasures discussed in section V-C; the number of the applicable mitigation is given in parentheses after the technique.

Initial Access: (a,b,c,d) Exploit Public-Facing Application (2); (a,b,d) External Remote Services (4); (i) Spearphishing Link; (c) Valid Accounts (4,5,6)

Execution: (i) Command-Line Interface (1); (i) Execution through API (1); (i) Graphical User Interface; (a,b,d) PowerShell (5); (i) Scripting; (i) Source; (i) Trusted Developer Utilities (1); (i) User Execution (3); (b) Windows Management Instrumentation (5); (b) Windows Remote Management (5)

Persistence: (i) Component Firmware; (a,b,d) External Remote Services (4); (i) File System Permissions Weakness; (c) Hidden Files and Directories; (a,b) Logon Scripts (7); (i) Modify Existing Service; (i) Redundant Access (3); (i) Registry Run Keys / Startup Folder; (i) Security Support Provider; (i) Server Software Component; (d) Setuid and Setgid; (b) System Firmware; (c) Valid Accounts (4,5,6); (a,b,c) Web Shell (5); (i) Windows Management Instrumentation Event Subscription (5)

Privilege Escalation: (d) Access Token Manipulation (5); Exploitation for Privilege Escalation (2); (i) File System Permissions Weakness; (d) Setuid and Setgid; (c) Valid Accounts (4,5,6); (a,b,c) Web Shell

Defense Evasion: (d) Access Token Manipulation (5); (i) Clear Command History; (i) Component Firmware; (a,b) Connection Proxy (3); (i) Exploitation for Defense Evasion (2); (c) Hidden Files and Directories; (i) Indirect Command Execution; (i) Redundant Access (3); (i) Scripting; (c) Timestomp; (i) Trusted Developer Utilities (1); (c) Valid Accounts (4,5,6)

Credential Access: (i) Brute Force (4); (b,c) Credential Dumping (5); (b,c) Credentials in Files (7); (i) Exploitation for Credential Access (2); (i) Forced Authentication (6); (a,b,c,d) Input Capture; (i) LLMNR/NBT-NS Poisoning and Relay (6); (b) Network Sniffing (4); (b) Two-Factor Authentication Interception

Discovery: (i) Account Discovery; (i) Application Window Discovery; (i) File and Directory Discovery; (a) Network Service Scanning (3); (a) Network Share Discovery; (b) Network Sniffing (4); (i) Process Discovery; (i) Remote System Discovery; (i) System Information Discovery; (a) System Network Configuration Discovery; (i) System Network Connections Discovery; (i) System Service Discovery

Lateral Movement: (b) Exploitation of Remote Services (2); (a,b) Logon Scripts (7); (i) Remote Desktop Protocol (4,5); (a,b,c) Remote File Copy (3); (i) Remote Services; (i) Windows Admin Shares; (i) Windows Remote Management (5)

Collection: (a,b,d) Audio Capture; (a,b,d) Data from Information Repositories; (a,b,c,d) Data from Local System; (a,b) Data from Network Shared Drive; (b) Data from Removable Media; (a,b) Data Staged; (a,b,d) Email Collection (4); (a,b,c,d) Input Capture; (a,b,d) Screen Capture

Command and Control: (c) Commonly Used Port (3); (a,b) Connection Proxy (3); (i) Fallback Channels (3); (a,b) Multi-hop Proxy (6); (b) Multi-Stage Channels (3); (i) Multilayer Encryption (3); (i) Remote Access Tools (1,6); (a,b,c) Remote File Copy (3); (i) Standard Application Layer Protocol (3); (a,b) Standard Cryptographic Protocol; (i) Standard Non-Application Layer Protocol

Exfiltration: (c) Data Compressed (3); (i) Exfiltration Over Command and Control Channel (3); (a,b,c) Exfiltration Over Other Network Medium (3)

Impact: (a) Account Access Removal; (a,c) Defacement

TABLE I: A combined ATT&CK model based on each of Fisher’s manifestos. The original is a twelve-column table with one column per tactic, transcribed above as one list per tactic. The letters before a technique give the source intrusion (a, Gamma Group; b, Hacking Team; c, Police Union; d, Cayman Bank; i, inferred), and the number after a technique is the section V-C mitigation that addresses it (these cells are shaded red in the original).

V-A1 Initial Access

In all of the intrusions, initial access was gained by exploiting internet-facing applications, typically by performing SQL injection attacks. For the Hacking Team incident, Fisher was able to perform reverse engineering and identify a zero-day vulnerability in their VPN appliance. It later turned out that the appliance was also vulnerable to the trivially exploited Shellshock³ vulnerability. While Fisher did not use spear-phishing to gain access, she did refer to it in her guides.

³ Shellshock could enable an attacker to cause Bash to execute arbitrary commands and gain unauthorised access to many Internet-facing services, such as web servers, that use Bash to process requests.

V-A2 Execution

At the time of these intrusions, circa 2015, PowerShell was commonly used to perform much of the execution once initial access had been gained. Today, Microsoft has deployed several mitigations against its misuse, and while these have prevented the same methods from working, there are a plethora of other methods to achieve the same results. This leads on to the other techniques such as Command-Line Interface, Scripting, Graphical User Interface, and Windows Management Instrumentation/Windows Remote Management, which, if enabled on the target, will allow the adversary to execute commands. All of these methods were used or discussed by Fisher. Interestingly, these are all tools normally found in an enterprise network, which follows the philosophy of living off the land that is strongly advocated in the manifestos.

V-A3 Persistence

Persistence was often achieved using web shells uploaded to a compromised service. Hacking Team was a particular exception, where she developed a backdoored firmware for their VPN appliance. This firmware included many additional tools needed for the next stages. Fisher also maintained a redundant access service, in case she was locked out from her primary persistence method. The guides state that “I always use Duqu 2 style ‘persistence’, executing in RAM on a couple high-uptime server” [fisher_hackback_2016]; Duqu 2 is a relative of Stuxnet, and performed covert, in-memory espionage operations [maynard_modelling_2016].

V-A4 Privilege Escalation & Credential Access

Privilege escalation was performed by monitoring the activities of operators, using techniques to capture user input and hijack sessions authenticated with multi-factor authentication, as well as by intercepting credentials through modifying popular services to record the plaintext, which was the technique used against the Catalan police union. These approaches are similar to those of state actors.

V-A5 Defense Evasion

In most cases there were few active defences to be evaded, since Fisher tried to maintain a RAM-only presence, e.g. exploiting services without placing malware on the disk, which may trigger alerts. When touching the disk, timestomping was performed, which masks the modification dates of changed files. When impersonating a user login, Fisher would change the logged IP address and User-Agent to match historical access logs.

V-A6 Discovery & Lateral Movement

All of Fisher’s guides start by discovering as much information about the target as possible, typically involving domain and IP scanning for services and other publicly identifiable data. This helps outline the target, and is performed again once an initial compromise has been achieved. The second pass focuses on passive monitoring of network traffic to find additional targets. Techniques such as LLMNR/NBT-NS poisoning and relay, which allow for lateral movement, are then used. These techniques take advantage of broadcast name-resolution messages on the network and forge a response to the requesting service, gaining insight into what is running on the network.
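As an added example (not from the paper), the following Python detection logic runs over constructed name-resolution events and flags hosts behaving like an LLMNR/NBT-NS poisoner: a legitimate host only answers for its own name, so a responder answering for many different names within a short window, or answering a canary name that no real host owns, is the signal. The event records, IP addresses and the canary name are all made up for the example.

```python
"""LLMNR/NBT-NS poisoning detection over name-resolution events (added example).
The events are constructed for the example; the two heuristics are ours."""
from collections import defaultdict

# Assumption: a hostname deliberately never assigned, so nobody should answer for it.
CANARY_NAMES = {"fileshare-canary"}

# Constructed sample of parsed LLMNR events: (seconds, src_ip, event, name, answer_ip).
# 10.0.0.12 answers only for itself; 10.0.0.99 answers every name it hears.
EVENTS = [
    (0.0, "10.0.0.5", "query", "wpad", None),
    (0.1, "10.0.0.99", "response", "wpad", "10.0.0.99"),
    (1.0, "10.0.0.7", "query", "prnt-srv01", None),
    (1.2, "10.0.0.99", "response", "prnt-srv01", "10.0.0.99"),
    (2.0, "10.0.0.8", "query", "eng-ws12", None),
    (2.1, "10.0.0.12", "response", "eng-ws12", "10.0.0.12"),
    (2.3, "10.0.0.99", "response", "eng-ws12", "10.0.0.99"),
    (3.0, "10.0.0.5", "query", "fileshare-canary", None),
    (3.1, "10.0.0.99", "response", "fileshare-canary", "10.0.0.99"),
]


def detect_poisoners(events, max_names=2, window=300.0, canaries=CANARY_NAMES):
    """Return {responder_ip: [reasons]} for hosts that look like a poisoner.

    max_names: distinct names one host may legitimately answer for (its own
               hostname plus a little slack) within `window` seconds.
    """
    first_seen = defaultdict(dict)  # responder -> {name: time first answered}
    alerts = defaultdict(list)
    flagged = set()                 # responders already reported for many names
    for t, src, event, name, _answer in events:
        if event != "response":
            continue
        if name in canaries:
            alerts[src].append(f"answered canary name {name!r}")
        names = first_seen[src]
        names.setdefault(name, t)
        # forget names whose first answer fell outside the sliding window
        names = {n: t0 for n, t0 in names.items() if t - t0 <= window}
        first_seen[src] = names
        if len(names) > max_names and src not in flagged:
            flagged.add(src)
            alerts[src].append(
                f"answered {len(names)} distinct names within {window:.0f}s")
    return dict(alerts)


if __name__ == "__main__":
    for responder, reasons in detect_poisoners(EVENTS).items():
        print(responder, "->", "; ".join(reasons))
```

A real deployment would feed the function from a packet capture of UDP/5355 (LLMNR) and UDP/137 (NBT-NS) rather than the inline list; the mitigation in section V-C of blocking these protocols on hosts removes the broadcasts the heuristic watches.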

V-A7 Collection & Impact

Collection and Impact were Fisher’s main ATT&CK tactics (objectives), and were achieved via several techniques. Network file shares were remotely accessed and downloaded locally, with the most common aims being the collection of the target’s email archive, internal documentation, client/staff details, and source code. For any company, this can have a significant impact on day-to-day operations and on how it is perceived by the public. As a final step, Fisher has previously taken over the company’s social media account and announced to the world that it has been compromised. Although the ATT&CK model does not have a technique for disclosing private information under the Impact tactic, it does include Defacement and Account Access Removal.

V-A8 Command and Control & Exfiltration

Command and Control, and Exfiltration, were performed via commonly used port numbers and connection proxies. Fisher would use multiple hops and off-the-shelf remote access tools, and often simple file transfers via HTTP and SSH. These approaches are often sufficient to bypass simple, unmonitored IDS, as the traffic generated matches day-to-day operations (more bandwidth may be used, but this is often not monitored).

It is noticeable that Fisher’s intrusion methods did not vary significantly between attacks in terms of the techniques used. While the techniques are dependent on the environment, the skills required to perform a successful intrusion are readily attainable.

V-B Threat to Critical Infrastructure

Based on the techniques employed by Fisher, we can deduce that a dedicated hacktivist is a valid threat to critical infrastructure. Moreover, in recent years there has been a growing concern for climate change, which may drive people towards targeting oil, gas, and other energy related infrastructure in particular. Such ‘hacktivist’ threats targeting critical infrastructure could feasibly adopt techniques similar to those discussed above; however, the environment found within critical infrastructure is not the same as a traditional enterprise network, due to different underlying operations and requirements. It is common to find older operating systems and applications, which have been validated and certified for specific operations. It may not be possible to update these systems to include the most recent attack mitigations, since that may require additional verification. For example, many techniques make use of PowerShell, which was first released in 2006. Since then there have been a great many improvements in threat mitigation and event logging, which may not be found within critical infrastructure systems. Moreover, there may be many old Unix systems and architectures that contain exploitable vulnerabilities, allowing an adversary alternative avenues of attack. As discovered in our analysis, Fisher would maintain a few remote access paths into a compromised network, to ensure that if one of the compromised machines were detected, she would have another entry point. Within critical networks there are often multiple redundant network paths providing a resilient network, and while this is a necessity, it also provides adversaries with alternative paths of attack.

As reported by ICS-CERT [ics-cert_incident_2012], spear-phishing has become common within operators of critical infrastructure. While Fisher did not use this technique, it was mentioned frequently in her manifestos. From our analysis, developing backdoored firmware is within the capability of a hacktivist. This is a concern for critical infrastructure networks, as they often contain many embedded devices and network appliances which may not have been recently patched, as was seen in the Duqu and Stuxnet intrusions.

Due to the advancement and proliferation of security controls and mitigations, adversaries are having to resort to more subtle modes of operation. As seen in the 2016 Ukrainian power outage, and in Fisher’s intrusions, the adversary mimicked legitimate users’ actions to avoid detection. The motivation of a hacktivist might be to find and leak information about the company, or to disrupt operations. Leaking information could be a concern for manufacturing companies, which often have trade secrets encoded into the network. Meanwhile, power generation and transmission operators may have financial fines imposed for service disruptions.

V-C Mitigations

Based on the analysis of the tactics and techniques used by Fisher, which could potentially be deployed by any hacktivist threat actor, we now highlight seven mitigation methods defined by the ATT&CK framework that may be deployed within critical infrastructure systems. The mitigations are ordered by level of deployment complexity, and were chosen based on the number of techniques which they mitigate:

  1. Execution Prevention: Application whitelisting may be able to prevent the running of executables masquerading as other files.

  2. Application Isolation and Sandboxing: Perform application isolation via operating system calls, or virtualisation and application microsegmentation to mitigate the impact of a compromise.

  3. Network Intrusion Prevention: Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and will be different across various malware families and versions. Adversaries will likely change tool signatures over time or construct protocols in such a way as to avoid detection by common defensive tools; in that case, anomaly-based IDS may be used.

  4. Multi-factor Authentication: Integrating multi-factor authentication (MFA) as part of the organisational policy can greatly reduce the risk of an adversary gaining control of valid credentials that may be used for additional tactics such as initial access, lateral movement, and collecting information. MFA can also be used to restrict access to cloud resources and APIs.

  5. Privileged Account Management: Audit account and group permissions to ensure that accounts used to manage servers do not overlap with accounts and permissions of users in the internal network that could be acquired through Credential Access and used to log into the Web server and plant a Web shell or pivot from the Web server into the internal network.

  6. Filter Network Traffic: Use host-based security software to block non-essential traffic, e.g. LLMNR/NetBIOS.

  7. Restrict File and Directory Permissions: Restrict write access to scripts to specific administrators. Where possible perform access and execution logging.

Table I indicates which of the mitigations may prevent each technique, by colouring the cells red and including the number of each mitigation.
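As an added example (not part of the paper or its repository), the following Python script transcribes Table I into a small parser and performs the defensive gap assessment the paper describes: it ranks the seven mitigations by how many technique cells they address and lists the techniques that none of them covers. The tactic names, technique names and source/mitigation labels are copied from Table I; the cell-format parsing and the counts are our own.

```python
"""Defensive gap assessment over Table I (added example, not the paper's code).
The twelve rows transcribe Table I from the page; parser and counts are ours.
Cell format: "(sources) Technique Name (mitigation numbers)"."""
import re
from collections import Counter, defaultdict

# Letters: a Gamma Group, b Hacking Team, c Police Union, d Cayman Bank, i inferred;
# digits: the section V-C mitigation that addresses the technique (red cells in the paper).
TABLE_I = {
    "Initial Access": "(a,b,c,d) Exploit Public-Facing Application (2); (a,b,d) External Remote "
        "Services (4); (i) Spearphishing Link; (c) Valid Accounts (4,5,6)",
    "Execution": "(i) Command-Line Interface (1); (i) Execution through API (1); (i) Graphical "
        "User Interface; (a,b,d) PowerShell (5); (i) Scripting; (i) Source; (i) Trusted Developer "
        "Utilities (1); (i) User Execution (3); (b) Windows Management Instrumentation (5); "
        "(b) Windows Remote Management (5)",
    "Persistence": "(i) Component Firmware; (a,b,d) External Remote Services (4); (i) File System "
        "Permissions Weakness; (c) Hidden Files and Directories; (a,b) Logon Scripts (7); "
        "(i) Modify Existing Service; (i) Redundant Access (3); (i) Registry Run Keys / Startup "
        "Folder; (i) Security Support Provider; (i) Server Software Component; (d) Setuid and "
        "Setgid; (b) System Firmware; (c) Valid Accounts (4,5,6); (a,b,c) Web Shell (5); "
        "(i) Windows Management Instrumentation Event Subscription (5)",
    "Privilege Escalation": "(d) Access Token Manipulation (5); Exploitation for Privilege "
        "Escalation (2); (i) File System Permissions Weakness; (d) Setuid and Setgid; "
        "(c) Valid Accounts (4,5,6); (a,b,c) Web Shell",
    "Defense Evasion": "(d) Access Token Manipulation (5); (i) Clear Command History; "
        "(i) Component Firmware; (a,b) Connection Proxy (3); (i) Exploitation for Defense "
        "Evasion (2); (c) Hidden Files and Directories; (i) Indirect Command Execution; "
        "(i) Redundant Access (3); (i) Scripting; (c) Timestomp; (i) Trusted Developer "
        "Utilities (1); (c) Valid Accounts (4,5,6)",
    "Credential Access": "(i) Brute Force (4); (b,c) Credential Dumping (5); (b,c) Credentials "
        "in Files (7); (i) Exploitation for Credential Access (2); (i) Forced Authentication (6); "
        "(a,b,c,d) Input Capture; (i) LLMNR/NBT-NS Poisoning and Relay (6); (b) Network "
        "Sniffing (4); (b) Two-Factor Authentication Interception",
    "Discovery": "(i) Account Discovery; (i) Application Window Discovery; (i) File and Directory "
        "Discovery; (a) Network Service Scanning (3); (a) Network Share Discovery; (b) Network "
        "Sniffing (4); (i) Process Discovery; (i) Remote System Discovery; (i) System Information "
        "Discovery; (a) System Network Configuration Discovery; (i) System Network Connections "
        "Discovery; (i) System Service Discovery",
    "Lateral Movement": "(b) Exploitation of Remote Services (2); (a,b) Logon Scripts (7); "
        "(i) Remote Desktop Protocol (4,5); (a,b,c) Remote File Copy (3); (i) Remote Services; "
        "(i) Windows Admin Shares; (i) Windows Remote Management (5)",
    "Collection": "(a,b,d) Audio Capture; (a,b,d) Data from Information Repositories; "
        "(a,b,c,d) Data from Local System; (a,b) Data from Network Shared Drive; (b) Data from "
        "Removable Media; (a,b) Data Staged; (a,b,d) Email Collection (4); (a,b,c,d) Input "
        "Capture; (a,b,d) Screen Capture",
    "Command and Control": "(c) Commonly Used Port (3); (a,b) Connection Proxy (3); (i) Fallback "
        "Channels (3); (a,b) Multi-hop Proxy (6); (b) Multi-Stage Channels (3); (i) Multilayer "
        "Encryption (3); (i) Remote Access Tools (1,6); (a,b,c) Remote File Copy (3); (i) Standard "
        "Application Layer Protocol (3); (a,b) Standard Cryptographic Protocol; (i) Standard "
        "Non-Application Layer Protocol",
    "Exfiltration": "(c) Data Compressed (3); (i) Exfiltration Over Command and Control "
        "Channel (3); (a,b,c) Exfiltration Over Other Network Medium (3)",
    "Impact": "(a) Account Access Removal; (a,c) Defacement",
}

# "(a,b) Name (4,5)": optional source letters, the technique name, optional mitigation numbers.
ENTRY = re.compile(r"^(?:\(([a-d,i]+)\)\s+)?(.*?)(?:\s+\(([\d,]+)\))?$")

def parse_table(table=TABLE_I):
    """Return one dict per table cell: tactic, technique, sources, mitigations."""
    cells = []
    for tactic, row in table.items():
        for raw in row.split(";"):
            src, name, mit = ENTRY.match(raw.strip()).groups()
            cells.append({"tactic": tactic, "technique": name,
                          "sources": tuple(src.split(",")) if src else (),
                          "mitigations": tuple(map(int, mit.split(","))) if mit else ()})
    return cells

def mitigation_coverage(cells):
    """Number of cells each mitigation (1-7) addresses, most effective first."""
    counts = Counter(m for c in cells for m in c["mitigations"])
    return dict(counts.most_common())

def unmitigated(cells):
    """The gap: techniques none of the seven mitigations addresses, grouped by tactic."""
    gaps = defaultdict(list)
    for c in cells:
        if not c["mitigations"]:
            gaps[c["tactic"]].append(c["technique"])
    return dict(gaps)

def techniques_from_source(cells, source):
    """Distinct techniques tied to one intrusion (a-d) or only inferred (i)."""
    return sorted({c["technique"] for c in cells if source in c["sources"]})

if __name__ == "__main__":
    cells = parse_table()
    print(len(cells), "cells; coverage by mitigation:", mitigation_coverage(cells))
    for tactic, names in unmitigated(cells).items():
        print(f"gap in {tactic}: {', '.join(names)}")
```

Run as a script it prints the ranking and the per-tactic gaps; the Collection, Discovery and Impact columns stand out as the least covered by the seven mitigations, which is where an operator would look next.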

VI Conclusion

As far as the authors are aware, this is the first academic analysis of Phineas Fisher, and the first paper to provide a technical analysis of the ‘hacktivist’ threat to critical infrastructure. We have taken a previously unknown threat actor and identified a set of tactics and techniques which may be used to mitigate future attacks. We are in the process of submitting this threat actor to the ATT&CK knowledge base, where it will be available to other researchers and security practitioners. More broadly, research is also needed to detect and prevent such threat actors within the industrial control landscape.

A note on reproducibility

All information used in the creation of these models is cited in the main body of the text. Since some of the manifestos were difficult to obtain, we maintain a local copy⁴, which includes the individual ATT&CK models as well as the combined model discussed in this manuscript.


The authors wish to thank the reviewers for their helpful feedback. We also wish to extend our thanks to the hosts of the Risky Biz podcast (Patrick Gray and Adam Boileau), who provided enlightening reports into Fisher’s exploits and brought Fisher to the authors’ attention.