After months of almost total silence, security firm HBGary issued a statement to counter what it claims were inaccurate media reports about a February security breach that spilled thousands of e-mail messages onto the Internet.
The letter, published on HBGary’s Web site and positioned as an “Open Letter to HBGary Customers and the Cyberdefense Marketplace,” seeks to clarify the events surrounding a February, 2011 attack by online mischief making group Anonymous. According to HBGary, loose fact checking by journalists and the company’s own silence led to rampant and widespread misinformation about what actually occurred.
The letter, which is not signed, reiterates company claims that its network was not compromised, just e-mail servers hosted in the cloud, but separated from internal networks. As they have before, the company claims they launched a thorough forensic investigation of their networks and determined that no data other than the emails were compromised. Paramount among these data is the company’s commercial product source code, what they call their most valuable asset. HBGary claims their source code has always been air-gapped from the Web and that despite allegations to the contrary, it was not stolen.
Once again, the letter attempts to a draw a distinction between HBGary and HBGary Federal, a wholly owned subsidiary headed by former CEO Aaron Barr, who was the initial target of the Anonymous attack. While admitting that HBGary Inc. “members” serve on the Board of Directors at HBGary Federal, the letter claims they merely guide the overall financial direction of the company, and play no role in its day-to-day operations as much of the company’s work is classified. They further point out that this attack, carried out by online hacker collective Anonymous, was an act of retaliation against work being done exclusively by HBGary Federal, and specifically their former CEO Aaron Barr. HBGary Inc., they claim, was a victim of circumstance merely because the two companies share the same cloud-based email system.
The almost identical management of the two firms and the fact that their corporate e-mail was intertwined have caused many to cast doubt on HBGary claims that the two firms were distinct from one another.
The letter also refutes some of the more outrageous claims by Anonymous – for example, that HBGary had a hand in the creation of the Stuxnet worm. Such claims stemmed from the misinterpretation of a single email sent by Greg Hoglund. The email in question asked that HBGary employees not discuss the Stuxnet in order to avoid becoming a part of the high profile discussion surrounding the worm, which the company thought was best to avoid on account of the sensitive nature of its alleged target. They call it unfortunate that their internal communications were “stolen and interpreted without context.”
Lastly, the letter closes with a stab at the nature of the reporting and coverage surrounding the incident, saying, “We wish that journalistic standards of fact-checking and verification were uniform across the press, but unfortunately, the blog-o-sphere makes that impossible.”