HBGary wanted to suppress Stuxnet research
It is no secret that in recent days, Anonymous operatives have released a cache of HBGary Federal internal emails to the public. Crowdleaks has discovered that within these communications, Aaron Barr received a copy of Stuxnet (a computer worm that targets the types of industrial control systems (ICS) commonly used in infrastructure support facilities) from McAfee on July 28, 2010.
In an effort to confirm this was in fact Stuxnet, Crowdleaks has decompiled some of the source code, which can be found here. Throughout the following emails it is revealed that HBGary Federal may have been planning to use Stuxnet for their own purposes.
In a message sent to all email account holders at HBGary.com, Charles Copeland, Lead Support Engineer at HBGary, Inc. writes:
from: Charles Copeland
to: all@hbgary.com
date: Sat, Sep 25, 2010 at 9:54 PM
subject: Stuxnet Worm Mailing List
Computerworld – Officials in Iran have confirmed that the Stuxnet worm infected at least 30,000 Windows PCs in the country, multiple Iranian news services reported on Saturday. http://www.computerworld.com/s/article/9188018/Iran_confirms_massive_Stuxnet_infection_of_industrial_systems
I’ve already got an email asking about Stuxnet; this came out late Friday. Does anyone have a dropper? I have been unable to find it.
In another email sent directly to Aaron Barr, David D. Merritt writes:
from: David D. Merritt
to: Aaron Barr
date: Sun, Oct 3, 2010 at 9:35 PM
subject: Re: Hunter Killer Insanity 285
Contacts over at TSA say that everybody has a copy… combine that with US CERT’s vulnerability status and their own systems not meeting the spec….
I’m seeing TSA becoming a malware testbed…
Aaron Barr responds:
On Oct 3, 2010, at 10:13 PM, Aaron Barr wrote:
> Dave,
>
> We haven’t but I would be interested to talk to you some about the tie. I do have a decent amount of information on Stuxnet and would be interested to hear about the tie. Some of what I know about Stuxnet might be of interest. I think it would be best to discuss in a more closed space though.
>
> In doing a little research:
> http://diocyde.wordpress.com/2010/03/12/ringy-ringy-beacon-callbacks-why-dont-you-just-tell-them-their-pwned/
>
> While this guy can be a bit of a crackpot at times his post has more validity than fiction. Greg and I have brainstormed a bit in the past on how to conduct such an attack that would be very difficult to detect. Autonomous, single purpose malware with no C&C. As we have said the battle is on the edges, either source or destination; everything else is or will become somewhat irrelevant or diminished in value.
>
> Aaron Barr
> CEO
> HBGary Federal, LLC
> 719.510.8478
In another message sent to all email account holders at HBGary.com by Greg Hoglund, it’s made clear that HBGary wanted to hide their work on Stuxnet.
from: Greg Hoglund
to: all@hbgary.com
date: Sun, Sep 26, 2010 at 10:26 PM
subject: stuxnet mailing list
All,
HBGary has no official position on Stuxnet. Please do not comment to the press on Stuxnet. We know nothing about Stuxnet.
-Greg Hoglund
CEO, HBGary, Inc.
In the most chilling strand of emails, we find that whatever HBGary was working on, it was in conjunction with the NSA.
Aaron Barr writes:
Hi Cheryl,
719.510.8478
Aaron
Sent from my iPad
Aaron Barr writes:
> From: Aaron Barr
> To: Peace, Cheryl D
> Sent: Mon Aug 09 13:54:23 2010
> Subject: Re: Number
>
> Hi Cheryl,
>
> It does. I haven’t met him personally. Our sister company does work
> in a few different pockets on the bldg. And I am on the extended NANA
> team. I recently joined to stand up HBGary federal, a related but
> separate company. We manage all the work that requires clearances.
> We exchange some technologies, but we have some separate developments
> as well. Mostly around threat intelligence and CNO/social media.
>
> I think there are some enabling tech to your mission but really need
> that qualified.
>
> Interested to run some of the stuxnet stuff by u as well.
>
> Aaron
>
>
> Sent from my iPhone
Cheryl Peace writes:
On Aug 9, 2010, at 9:27 AM, “Peace, Cheryl D” wrote:
>
>> Aaron
>> Did a little checking and we already do business with you guys. Does the name
>> Tony Seager ring a bell?
Aaron Barr writes:
>> -----Original Message-----
>> From: Aaron Barr [mailto:aaron@hbgary.com]
>> Sent: Friday, August 06, 2010 10:56 AM
>> To: Peace, Cheryl D
>> Subject: Re: Number
>>
>> OK. If interested do you have some time to get together when you get back?
>> either next Friday or early the following week?
>> Aaron
Cheryl Peace writes:
>> On Aug 6, 2010, at 10:44 AM, Peace, Cheryl D wrote:
>>
>>> I am in Europe till mid next week
Aaron Barr writes:
>>> -----Original Message-----
>>> From: Aaron Barr [mailto:aaron@hbgary.com]
>>> Sent: Thursday, August 05, 2010 10:57 PM
>>> To: Peace, Cheryl D
>>> Subject: Re: Number
>>>
>>> Hi Cheryl,
>>>
>>> Can I schedule an appointment with you to come by and chat for a few
>>> minutes?
>>>
>>> Aaron
Cheryl Peace writes:
>>> On Jul 30, 2010, at 10:41 PM, Peace, Cheryl D wrote:
>>>
>>>> I am at Rao at the bar if you want to come by for a few. Meeting friends
>>>> for a cocktail in a few
>>>> --------------------------
>>>> Sent using BlackBerry
Aaron Barr writes:
>>>> ----- Original Message -----
>>>> From: Aaron Barr
>>>> To: Peace, Cheryl D
>>>> Sent: Fri Jul 30 20:02:44 2010
>>>> Subject: Number
>>>>
>>>> Cheryl,
>>>>
>>>> Sorry to bother you but do you have a minute to talk. I don’t have
>>>> your number handy. It will only take moment, but I have some
>>>> information for you.
>>>>
>>>> Aaron Barr
>>>> CEO
>>>> HBGary Federal
>>>> 7195108478
In a related internal email sent to Rich Cummings, CTO of HBGary, Inc., Greg Hoglund writes:
from: Greg Hoglund
to: Rich Cummings
date: Mon, Nov 16, 2009 at 9:30 PM
subject: Govt dropper in this word DOC, zipped up for you
Phil, Rich,
I got this word doc linked off a dangler site for Al Qaeda peeps. I think it has a US govvy payload buried inside. Would be neat to REcon it and see what it’s about. DONT open it unless in a VM obviously. password is meatflower. Remove the .txt extension too. DONT let it FONE HOME unless you want black suits landing on your front acre.
-Greg
Crowdleaks.org had a software engineer (whose name has been withheld) look at the Stuxnet binaries inside a debugger and offer some insight on the worm. She informed us that most of the worm’s sources used code similar to what is already publicly available. She noted that the only remarkable things about it were the four Windows 0-days and the stolen certificates.
She says:
“A hacker did not write this, it appears to be something that would be produced by a team using a process, all of the components were created using code similar to what is already publicly available. That is to say it’s ‘unremarkable’. This was created by a software development team and while the coders were professional level I am really not impressed with the end product, it looks like a picture a child painted with finger paints.”
When asked what type of organization likely wrote it, she stated:
“Probably a corporation by request of a government, it was clearly tested and put together by pros. It really looks like outsourced work.”
15.01.2011:
“Israeli Test on Worm Called Crucial in Iran Nuclear Delay”:
http://www.nytimes.com/2011/01/16/world/middleeast/16stuxnet.html
“To check out the worm, you have to know the machines,” said an American expert on nuclear intelligence. “The reason the worm has been effective is that the Israelis tried it out.” [at the Dimona complex in the Negev desert, which is reported in the article to be "famous as the heavily guarded heart of Israel’s never-acknowledged nuclear arms program"]
…
“It’s like a playbook,” said Ralph Langner, an independent computer security expert in Hamburg, Germany, who was among the first to decode Stuxnet. “Anyone who looks at it carefully can build something like it.” Mr. Langner is among the experts who expressed fear that the attack had legitimized a new form of industrial warfare, one to which the United States is also highly vulnerable.
Officially, neither American nor Israeli officials will even utter the name of the malicious computer program, much less describe any role in designing it.
…
But Israeli officials grin widely when asked about its effects. Mr. Obama’s chief strategist for combating weapons of mass destruction, Gary Samore, sidestepped a Stuxnet question at a recent conference about Iran, but added with a smile: “I’m glad to hear they are having troubles with their centrifuge machines, and the U.S. and its allies are doing everything we can to make it more complicated.” …
This article makes no mention of a few important emails.
This email shows Cheryl from the NSA asking if she can get an advance copy of an article on Stuxnet being written by Krebs (http://krebsonsecurity.com/), and Aaron saying that he thinks he can get an advance copy.
http://hbgary.anonleaks.ru/aaron_hbgary_com/910.html
It doesn’t sound like an advance copy was acquired; in this email Aaron asks Greg if he’ll be able to get an advance copy, and Greg replies that he doesn’t think it would be ‘wise’ to ask for one.
http://hbgary.anonleaks.ru/aaron_hbgary_com/11038.html
Obviously this suggests the NSA has an interest in knowing what the security community’s investigative progress on Stuxnet is before it is published to the public.
Link to a PDF document about Stuxnet, including a comparison between Stuxnet and Aurora:
http://eset.ru/.company/.viruslab/analytics/doc/Stuxnet_Under_the_Microscope.pdf
19 October 2011: a “small brother” of Stuxnet named «Duqu» is discovered in Europe by Symantec and Sophos: http://www.zeit.de/news/2011-10/19/computer-kleiner-bruder-von-stuxnet-in-europa-aufgetaucht-19153008
Duqu was found at 7 or 8 companies in the EU that are involved in software development for industrial use; the latest attack is dated 17 October, and the first might have already started in December 2010.