HBGary Emails A Sweet Valentine For Social Engineers

SAN FRANCISCO– The news keeps getting worse for security firm HBGary Federal. Members of the online mischief-making group Anonymous posted another cache of 20,000 company e-mails Sunday, following a similar disclosure last week. But the real damage from the leak may be yet to come, as sophisticated attackers mine the email trove for information on the company’s business contacts, including U.S. military, intelligence and law enforcement organizations, that could be used later in targeted attacks.

The contents of the harvested e-mails present a potentially damaging breach: yielding personally identifiable information as well as details of social connections and relationships between members of the U.S.’s top defense, spy, intelligence and law enforcement agencies, as well as staff and members of the House of Representatives and Senate, says Chris Hadnagy of social-engineer.org, a non-profit group.

Among the more sensitive content are e-mail exchanges with active personnel within the CIA, FBI and NSA that include personal and business contact information. These include the names and e-mail addresses of personnel at DISA, the NSA, CIA, FBI, the Air Force and elite government contractors such as IBM.

“You’ve got the names and e-mail addresses of high ranking government officials,” notes Hadnagy. Beyond that raw information, there are detailed exchanges between HBGary and HBGary Federal executives: CEO Aaron Barr, COO Ted Vera and Federal Principal Consultant Phil Wallisch, detailing HBGary Federal’s efforts to win the approvals needed to pitch and sell its technology to individuals within the elite law enforcement, defense and intelligence agencies. Together, the e-mail messages provide a road map of the professional and personal networks that are the currency of the Washington D.C. business and intelligence communities. Other e-mail exchanges provide insight into the thinking and needs of U.S. spy agencies. E-mail conversations between HBGary executives discuss the technology interests of the NSA, for example, and how the super-secretive agency may end up applying the company’s technology, which allows researchers to observe and dissect the operation of malicious programs in minute detail, with the goal of discovering their author or origin.

“You’ve got all the communications that are occurring with that person – threads and conversations that tell you ‘here’s what they were talking about and with whom,’ and ‘here’s what their interest level was,’” Hadnagy said. “For a social engineer, that stuff is a gold mine.”

The information that can be gleaned about relationships and topics of conversation, coupled with the contact information – phone, work and even personal e-mail addresses – is priceless and could all be used to build trust with the target in the context of a highly effective social engineering attack, he said.

“If you have a rapport and knowledge about that group from the inside, it’s very easy to get someone to click on a link or open a malicious PDF,” he said. “If you have the inside information or data in your possession then you’re a trusted person.”

Penny Leavy, President of HBGary Federal’s parent company, HBGary Inc., said the company was in the process of notifying all the parties affected by the breach, including business partners and customers.

The theft and release of the e-mail archives was carried out by members of the group Anonymous as a pre-emptive strike against HBGary Federal, a wholly owned subsidiary of HBGary Inc., after CEO Aaron Barr went public with claims that he had infiltrated the group’s membership and collected information on the identities of its leaders. Barr was to present his findings at this week’s Security B-Sides Conference San Francisco. That talk has subsequently been pulled by HBGary. Barr has kept a low profile since the attack, but told Forbes.com that he and his family have received threats and mysterious phone calls in the wake of the hack.

After using an SQL injection attack and sophisticated social engineering to gain control of the HBGary Web site and the e-mail accounts of company executives, the group also defaced the Web page of HBGary Federal and hijacked the Twitter accounts of Barr and other HBGary Inc. and HBGary Federal staff, posting derogatory messages and pictures in their names. Some of those accounts have since been taken offline.

The message exchanges released so far have already led to a number of embarrassing surprises for HBGary Federal, its business partners and customers, as well as the U.S. government. Among the revelations: HBGary Federal and partner firm Palantir Technologies proposed a plan to Bank of America to launch a disinformation campaign against the information disclosure site Wikileaks and its supporters ahead of a planned release of sensitive documents believed to be from BoA. Published e-mail exchanges also suggest the security startup was proposing a campaign against progressive groups and individuals on behalf of the U.S. Chamber of Commerce. Palantir subsequently severed ties with HBGary and apologized for its involvement in the scheme.

Leavy said that the company’s partners had been supportive following the hack. The proposals for Bank of America and the U.S. Chamber of Commerce were simply responses to requests for services that HBGary had received. “HBGary Federal is a services company and they were asked to develop proposals,” she told Threatpost.

In the days since the attack, Leavy has been quoted as saying that the breach would cost HBGary Federal “millions of dollars” to recover from. Greg Hoglund – a noted expert on rootkit programs and the operation of malware – said in a published report that the failure at his company was a ‘human failure.’ The Web site of HBGary, for a time, included a message saying that the company was working to recover from what the company describes as an “intentional criminal cyber attack.” “We are taking this crime seriously and are working with federal, state, and local law enforcement authorities and redirecting internal resources to investigate and respond appropriately,” the company said. Leavy told Threatpost that the investigation is ongoing.

Targeted attacks that leverage insider access or leaked information about organizations have figured prominently in some of the most notable hacks in recent years. In the so-called “Aurora” attacks against Google and other Western technology and defense firms, unknown assailants are believed to have used targeted e-mail messages to high-value employees to plant malicious programs and get access to sensitive internal systems. A social engineering contest at this year’s Defcon security conference showed that many prominent organizations are highly vulnerable to e-mails and phone calls soliciting sensitive information that might then be used later as the foundation of a targeted attack.

As for those organizations and individuals affected by the leak of personal and contact information in the e-mail messages, Hadnagy recommends extreme vigilance against the possibility of a social engineering attack.

“Your threat level has to go to ‘high,’” he said. “This requires more than the standard awareness.” Those caught up in the breach need intensive training and debriefing about likely social engineering methods, and real-world tests. He also advised organizations to issue those affected new e-mail addresses and to use the old addresses as honeypots to catch social engineering attempts. He also said organizations should expect that attacks may not come via the Internet, but by phone or even face-to-face contact. “They should be aware that simple conversations happen on the phone or in person, also,” he said.

  • tinker on


    Criminal activity is criminal activity. Whether any of this goes to trial or not, the industry and the government must suffer the judgment of the masses. Most importantly, U.S. computer security companies will now appear to be a part of the much bigger problem of government paranoia. I wouldn't try to peddle your 'wares abroad any time soon. Honest geeks like me will be diligently guarding my country with patriotic fervor.


  • Anonymous on

    Some of HBGary's 'work':

    A reseller from Turkey called Forensic People has been courting me to pay attention to them. He has a bank and a telecomm company lined up for AD. Both are consumer oriented. The idea would be to put the DDNA agent on consumer computers; then, when malware is detected, the consumer would be told to take the computer to a service center to be cleaned up. Forensic People wants to run those service centers. The telecom company has millions of customers. Is this idea nuts or does it warrant my supporting him?

    Putting legal and contractual stuff aside, the ddna agent would work. We may need to add something to alert customers if a problem has been detected, depending on how the Telecom wants that information delivered. We may also want to rebrand that offering since it's consumer focused.


  • Incognito on

    I agree with you, tinker. What shocks me is how casually these companies are willing to break the law. It is very telling of how bad the corruption has gotten in this country. Had somebody told me about this without any of the e-mails, I would have believed him just another conspiracy nut job. This has opened my eyes. It is true, the government does screw its people as many times as it wants just to get what it wants. Especially to serve the interests of corporations. Our government is corrupt and doesn't seem to be ashamed about it. And something tells me that they will just pretend like nothing has happened and will not do anything about these e-mails. Well, they will try to arrest the hackers, that is for sure. How dare they expose the government's corrupt inner workings!

  • Can't lie your way out of this one on

    Mr. Hadnagy almost has the correct advice. After changing email and phone contact information, clients compromised by HBGary should ensure that they do not update HBGary on their new contact information. Such reckless and amateurish behavior has no place in the professional arena. Mrs. Leavy is the pot calling the kettle black. Considering her company is directly implicated in attempting to wage an electronic war on U.S. citizens for their political opinions and beliefs, and her employees allegedly openly stalked families and children, the LAST thing I want to hear is a criminal lecturing other criminals about their actions. The correct action would be for the state where her corporation is filed to dissolve its charter, as if even a portion of the allegations are true, it is not as much a corporation as a black hat mercenary organization willing to offer its services to the highest bidder. Further, all the officers of HB Gary should, as a court order, be banned from possessing, or being in proximity of, a computer for a minimum of 10 years, and be ordered to not be in contact with children. Amoral behavior of this magnitude demands indictments and justice.

  • Can't lie your way out of this one on

    Ms. Leavy's company may be a services company, but it is not normal for a services company to develop proposals for actions that include creating fake Facebook profiles, attacks on American organizations and citizens, and specific journalists. That is not so much a response as it is conspiracy. It is her responsibility as a corporate officer to ensure that her company does not engage in illegal activity, and behaves ethically. By her own admission it seems she failed in that, and is clueless as to how to behave as a corporate officer. Any company can and should say no to even responding to such requests for services. Grow up and take responsibility for your actions and your company's actions. You responded to such requests for services of your own volition and admission, and clearly lacked judgement and a moral compass. Lies will not help.

  • Anonymous on

    Completely agree with Mamasezyes ^


  • Anonymous on

    Hahhahaahaha!! HBGary just made my day full of lolz. Congrats Anons!

  • ZorkDude on

    If this was like an old movie, the FBI would handcuff HB Gary's CEO and arrest him.  Instead, it is unlikely they will be charged with anything.  The truth hurts.

  • Truth in Advertising on

    From a personal perspective, this has been an eye-opener. I've always suspected this type of thing was going on, but I never expected to have any proof of it actually taking place.

    As far as both HBGary and HBGary Federal go, I have no sympathy for either of them. Greg Hoglund and Penny Leavy-Hoglund may play for sympathy using the 'victim' card, but they were not innocent bystanders. They lied to the media about their extent of ownership in the HBGary Federal, and I believe that they are also lying as to their lack of knowledge as to what was going on.

    In statements to the media, both Greg Hoglund and Penny Leavy-Hoglund stated that HBGary, Inc. only had a 15% stake in HBGary Federal, and that it was a separate company under separate management. Nominally, this is true. However, if you examine the documents, you would find that Penny Hoglund-Leavy and HB Gary, Inc. are, in fact, majority investors (87.5%) in HBGary Federal, in terms of dollars actually invested.

    Penny Leavy-Hoglund and Greg Hoglund are two of six original founding Directors. Furthermore, if you examine Appendix "B" of the Operating Agreement for HBGary Federal, LLC, you would see the figure supporting this.

    Furthermore, Penny Leavy-Hoglund also signed the incorporation papers for HBGary Federal, and along with her husband, Greg Hoglund, is one of the Founding Directors of HBGary Federal.

    This source document can be downloaded from the following URL: http://cryptome.org/0003/hbg/HBG-Fed-OA.pdf

    If you examine the above document, you will see that despite her claims to only owning some 15% of HBGary Federal, in fact you can see that she owns 48% in her own right, with her company HBGary, Inc. owning almost another 15%, for a total ownership stake of some 63% (Despite only having a 63% ownership, they are responsible for some 87.5% of the monies actually invested in the company.)

    As the saying goes, figures don't lie.

    Truth in Advertising

  • Anonymous on

    HBGary is a bit player ... a wannabe ... "mouse nuts" in the grand scheme of things.

    The tiny company has (had?) only 36 heads, 20 of which worked for the Federal subsidiary.

    They are not, and never were, mainstream.

    Much ado about nothing.
