2011-02-14 HBGary & the Stuxnet Worm: What Emails Leaked By Anonymous Reveal

The group of hacktivists known as Anonymous has released tens of thousands of emails from HBGary, a provider of classified cybersecurity services to the Department of Defense, Intelligence Community and other US government agencies. Anonymous leaked the emails after HBGary’s CEO Aaron Barr plotted to infiltrate Anonymous and uncover the identities of individuals within the group, and after it was found out that HBGary and two other firms had been actively plotting to sabotage and target WikiLeaks.

Additionally, it has been reported that Anonymous has obtained access to Stuxnet. That was possible because the emails, now public, were improperly secured: a cybersecurity service provider failed to protect itself against the possibility of infiltration by hackers.

Crowdleaks.org has made it possible to search the tens of thousands of emails. The search engine allows one to see how HBGary executives went back and forth discussing the Stuxnet worm and tracking news stories about the attack on Iran over the past months.

Stuxnet, according to a dossier put together by Symantec, is a complex threat to computer systems that has the capacity to reprogram industrial control systems. It is “a large, complex piece of malware” that can replicate itself through removable drives, spread across a LAN, update itself through peer-to-peer mechanisms on a LAN, and contact a command and control server that allows an attacker to download and execute code, among other capabilities.

The emails show HBGary had a copy of Stuxnet and was willing to share it on request among those working in the firm. They show the firm was conducting research of interest to the National Security Agency (NSA). The emails do not indicate the firm was doing the research because it feared Stuxnet would attack the firm itself.

According to Crowdleaks, the emails show that HBGary might have been planning to use Stuxnet "for their own purposes."

HBGary Federal Chief Operating Officer Greg Hoglund, HBGary Federal President and CEO Martin Pillion, and executive Phil Wallisch were sent an email from Barr on August 9, 2010:

Hey Guys,

Can I please get 1 or 2 copies of the Stuxnet malware?

Thanks,
Aaron

He received a reply from Pillion, which included the Stuxnet code as an attachment.

Another employee, Charles Copeland, asks in an email on September 26, 2010, “Does anyone have a dropper I have been unable to find it." Phil Wallisch responds, “I’ve got this from July.” A “dropper” is a program designed to install other malware (a virus, backdoor, etc.) on a target system.

Another exchange takes place in August 2010:

Greg,

Can I get the Stuxnet samples you and Phil have? There are some interesting things happening and I have been asked if I could provide samples to a certain government organization (not one of the ones you might think - an oversight group).

On August 6, Stuxnet data is presumably sent as a file attachment.

Thomas Conroy of Northrop Grumman Corporation was contacted by Barr on November 18, 2010. Barr asked Conroy if he had more insight on Stuxnet being the biggest threat to industry and included a link to the article.

Conroy responded, “Not really. But if the article is correct, there may be an unintended beneficial consequence.”

Conroy, the vice president of national security programs for Northrop Grumman, has extensive contracts with the NSA and the National Geospatial-Intelligence Agency (NGA), which, according to CorpWatch, was formally inaugurated in 2003 and provides overhead imagery and mapping tools that allow intelligence and military analysts to monitor events from the skies and space. Conroy has taken part in high-echelon meetings with government on developing domestic cybersecurity infrastructure.

What seems to be a “joke” about HBGary possibly helping Iran after it was attacked by Stuxnet circulated in December 2010. In an email, Brian R. Varine, Chief of the ICE Security Operations Center, wrote, “I think you guys have a potential customer.” The email was forwarded. A link to the Fox News story on the worm causing havoc was shared and the words “new business” appeared in the email. Varine wrote, “Assuming you can get the State Department to give you a license to sell.”

Wallisch responded, “You can tell Brian the only way we'd sell software to a terrorist state would be if it shipped backdoored. Now that would be hilarious.”

“You know he knows that... ;)” replied someone connected to the firm, Rich Cummings.

“It would be so bad-ass,” replied Wallisch.

“Someone has asked for that in the past,” added Cummings. What that final statement meant is unclear.

Emails related to Stuxnet show the firm’s policy and attitude toward journalists’ coverage of Stuxnet and the firm. An email from September 26, 2010, shows that Hoglund did not want any employee to comment to the press on Stuxnet because, "We know nothing about Stuxnet."

*For previous coverage of AnonLeaks, click here. And, for more on Stuxnet and HBGary, see this post on Crowdleaks.

Stuxnet is widely available already...

I'm not sure why this is a big deal, there are several variants of stuxnet and all of them can be downloaded by just being a member of any of the various malware research forums. Seriously, it takes all of like 2 minutes. Unless you are implying HBGary wrote stuxnet?

Also, you have some incorrect information, Aaron Barr is quite clearly the President and CEO of HBGary Federal... I'm not sure who the other guy is.

Big Deal

Folks:

Stuxnet was defanged last year (and badly written as well). No threat whatsoever.

The big deal is the absolute criminality condoned in the rest of those emails.

I have informed law enforcement and government agencies in my own country about HBGary and Co... and they won't be going after Anonymous.

tinker
