A company that is helping the federal government track down cyberactivists who have been attacking business which refused to support Wikileaks has itself been hacked by the very same activists.
At the center of the storm is a leaderless and anarchic Internet group called Anonymous, which more recently has been coordinating attacks against Egyptian government Web sites. Late last month, authorities in the U.K. and the U.S. moved against at least 45 suspected Anonymous activists. Then, on Saturday, the Financial Times ran a story quoting Aaron Barr, the head of security services firm HBGary Federal, saying he had uncovered the identities of Anonymous’ leaders using social networking sites. Barr said he planned to release his findings at a security conference in San Francisco next week.
Anonymous responded by hacking into HBGary’s networks and posting archives of company executive emails on file-trading networks. The group also hacked the firm’s Web site and replaced it with a message saying it was releasing Barr’s findings on its own because the group was confident Barr’s conclusions were wrong.
“We’ve seen your internal documents, all of them, and do you know what we did? We laughed. Most of the information you’ve ‘extracted’ is publicly available via our IRC networks,” the statement reads. “The personal details of Anonymous ‘members’ you think you’ve acquired are, quite simply, nonsense. So why can’t you sell this information to the FBI like you intended? Because we’re going to give it to them for free.”
I tuned into this conflict late Sunday evening, after HBGary President Penny Leavy had waded into Anonymous’ public chat channel in an attempt to reason with the group. Earlier in the evening, Anonymous sympathizers hijacked several Twitter accounts belonging to HBGary employees, and used them to post offensive comments and personal information about the account holders.
The topic of the IRC channel Leavy joined said it all: “Mission: Aaron Bratt FIRED. His salary donated to Bradley Manning Defense Fund. Simple.” Leavy said the group was planning to publish online the entire email archive belonging to Greg Hoglund, the security researcher in California who co-founded HBGary, which is part owner of HBGary Federal.
“[20:06:12] <+Penny> Guys, I can’t fire someone that owns a portion of the company What i can promise is we will have a meeting to discuss next steps”
In a phone interview late Sunday evening, Hoglund said that unlike the more traditional Web-site attacking activities of Anonymous, the hackers who infiltrated HBGary’s system showed real skills, even social engineering a network administrator into giving them complete control over rootkit.com, a security research site Hoglund has long maintained.
“They broke into one of HBGary’s servers that was used for tech support, and they got emails through compromising an insecure Web server at HBGary Federal,” Hoglund said. “They used that to get the credentials for Aaron, who happened to be an administrator on our email system, which is how they got into everything else. So it’s a case where the hackers break in on a non-important system, which is very common in hacking situations, and leveraged lateral movement to get onto systems of interest over time.”
Hoglund said Anonymous had crossed a line, and that posting the company’s email online would expose internal, proprietary data that would likely cost HBGary millions of dollars. He added that Anonymous activists should be able to see — if they read the email they’ve stolen — that HBGary ultimately decided not to publicly name any of the members it had identified.
“Before this, what these guys were doing was technically illegal, but it was in direct support of a government whistle blower. But now, we have a situation where they’re committing a federal crime, stealing private data and posting it on a torrent,” Hoglund said. “They didn’t just pick on any company, but we try to protect the US government from hackers. They couldn’t have chosen a worse company to pick on.”