SAN FRANCISCO– The news keeps getting worse for security firm HBGary Federal. Members of the online mischief-making group Anonymous posted another cache of 20,000 company e-mails Sunday, following a similar disclosure last week. But the real damage from the leak may be yet to come, as sophisticated attackers mine the email trove for information on the company’s business contacts, including U.S. military, intelligence and law enforcement organizations, that could be used later in targeted attacks.
The contents of the harvested e-mails present a potentially damaging breach: yielding personally identifiable information as well as details of social connections and relationships between members of the U.S.’s top defense, spy, intelligence and law enforcement agencies, as well as staff and members of the House of Representatives and Senate, says Chris Hadnagy of social-engineer.org, a non-profit group.
Among the more sensitive content are e-mail exchanges with active personnel within the CIA, FBI and NSA that include personal and business contact information. These include the names and e-mail addresses of personnel at DISA, the NSA, CIA, FBI, the Air Force and elite government contractors such as IBM.
“You’ve got the names and e-mail addresses of high ranking government officials,” notes Hadnagy. Beyond that raw information, there are detailed exchanges between HBGary and HBGary Federal executives: CEO Aaron Barr, COO Ted Vera and Federal Principal Consultant Phil Wallisch detailing HBGary’s Federal’s efforts to win the approvals needed to pitch and sell its technology to individuals within the elite law enforcement, defense and intelligence agencies. Together, the e-mail messages provide a road map of the professional and personal networks that are the currency of the Washington D.C. business and intelligence communities. Other e-mail exchanges provide insight into the thinking and needs of U.S. spy agencies. E-mail conversations between HBGary executives discuss the technology interests of the NSA, for example, and how the super secretive agency may end up applying the company’s technology, which allows researchers to observe and dissect the operation of malicious programs in minute detail, with the goal of discovering its author or origin.
“You’ve got all the communications that are occurring with that person -threads and conversations that tell you ‘here’s what they were talking about and with whom,’ and ‘here’s what their interest level was,'” Hadnagy said. “For a social engineer, that stuff is a gold mine.”
The information that can be gleaned about relationships and topics of conversation, coupled with the contact information – phone, work and even personal e-mails, are priceless and could all be used to build trust with the target in the context of a highly effective social engineering attack, he said.
“If you have a rapport and knowledge about that group from the inside, its very easy to get someone to click on a link or open a malicious PDF,” he said. “If you have the inside information or data in your possession then you’re a trusted person.”
Penny Leavy, President of HBGary Federal’s parent company, HBGary Inc., said the company was in the process of notifying all the parties affected by the breach, including business partners and customers.
The theft and release of the e-mail archives was carried out by members of the group Anonymous as a pre-emptive strike against HBGary Federal, a wholly owned subsidiary of HBGary Inc., after CEO Aaron Barr went public with claims that he had infiltrated the group’s membership and collected information on the identities of its leaders. Barr was to present his findings at this week’s Security B-Sides Conference San Francisco this week. That talk has subsequently been pulled by HBGary. Barr has kept a low profile since the attack, but told Forbes.com that he and his family have received threats and mysterious phone calls in the wake of the hack.
After using an SQL injection attack and sophisticated social engineering to gain control of the HBGary Web site and the e-mail accounts of company executives, the group also defaced the Web page of HBGary Federal and hijacked the Twitter accounts of Barr and other HBGary Inc. and HBGary Federal staff, posting derogatory messages and pictures in their names. Some of those accounts have since been taken offline.
The message exchanges released so far have already led to a number of embarrasing surprises for HBGary Federal, its business partners and customers, as well as the U.S. government. Among the revelations: HBGary Federal and partner firm Palantir Technologies proposed a plan to Bank of America to launch a disinformation campaign against the information disclosure site Wikileaks and its supporters ahead of a planned release of sensitive documents believed to be from BoA. Published e-mail exchanges also suggest the security startup were proposing a campaign against progressive groups and individuals on behalf of the U.S. Chamber of Commerce. Palantir subsequently severed ties with HBGary and apologized for its involvement in the scheme.
Leavy said that the company’s partners had been supportive following the hack. The proposals for Bank of America and the U.S. Chamber of Commerce were simply responses to requests for services that HBGary had received. “HBGary Federal is a services company and they were asked to develop proposals,” she told Threatpost.
In the days since the attack, Leavy has been quoted as saying that the breach would cost HBGary Federal “millions of dollars” to recover from. Hoglund – a noted expert on rootkit programs and the operation of malware – said in a published report that the failure at his comany was a ‘human’ failure.’ The Web site of HBGary, for a time, included a message saying that the company was working to recover from what the company describes as a “intentional criminal cyber attack.” “We are taking this crime seriously and are working with federal, state, and local law enforcement authorities and redirecting internal resources to investigate and respond appropriately,” the company said. Leavy told Threatpost that the investigation is ongoing.
Targeted attacks that leverage insider access or leaked information about organizations have figured prominently in some of the most prominent hacks in recent years. In the so-called “Aurora” attacks against Google and other Western technology and defense firms, unknown assailants are believed to have used targeted e-mail messages to high-value employees to plant malicious programs and get access to sensitive internal systems. A social engineering contest at this year’s Defcon security conference showed that many prominent organizations are highly vulnerable to e-mail and phone calls soliciting sensitive information that might then be used later as the foundation of a targeted attacks.
As for those organizations and individuals affected by the leak of personal and contact information in the e-mail messages, Hadnagy recommends extreme vigilance to the possibility of a social engineering attack.
“Your threat level has to go to ‘high,'” he said. “This requires more than the standard awareness.” Those caught up in the breach need intensive training and debriefing about likely social engineering methods and real world tests. He also advised organizations to issue those affected new e-mail addresses and to use the old addresses as honeypots to catch social engineering attempts. He also said organizations should expect that attacks may not come via the Internet, but by phone or even face to face contacts. “They should be aware of simple conversations happen on phone or in person, also,” he said.