Even more troubling, however, were plans by the three contractors to use malware and other forms of malicious software to hack into computers owned by the Chamber's opponents and their families. Boasting that they could develop a "fusion cell" of the kind "developed and utilized by Joint Special Operations Command (JSOC)," the contractors discussed how they could use "custom malware development" and "zero day" exploits to gain control of a target's computer network. These types of hacks can allow an attacker not only to snoop but to delete files, monitor keystrokes and manipulate websites, e-mail archives and any database connected to the target computer.
In January of 2011, Hunton and Williams, which had met with the Chamber to discuss the proposals, sent by courier a CD with target data to the contractors. The targets discussed in e-mails included labor unions SEIU, IBT, UFW, UFCW, AFL-CIO, Change to Win, as well as progressive organizations like the Center for American Progress, MoveOn.org, Courage Campaign, the Ruckus Society, Agit-Pop, Brave New Films and others.
Though HBGary markets itself as a firm that uses its expertise in cyber security to help both companies and the government defend against malicious attacks, the e-mail archives leaked by Anonymous make clear that executives at the firm were interested in selling this technology for offensive capabilities. In an e-mail with Greg Hoglund, the founder of both HBGary and Rootkit.com, and part owner of HBGary Federal, Aaron Barr, HBGary Federal's chief executive, described a "spear phishing strategy" that could be used on "our adversaries." In another e-mail chain, HBGary staff discussed using a fake "patriotic video of our soldiers overseas" to induce military officials to open malicious data extraction viruses; in another, they discussed the success of a dummy "evite" e-mail used to maliciously hack target computers.
The tactics described in the proposals are illegal. However, there were no discussions in the leaked e-mails about the legality of using such tactics. Rather, the Chamber's attorneys and the three contractors quibbled for weeks about how much to charge the Chamber for these hacking services. At one point, they demanded $2 million a month.
HBGary Federal and its partners were scheduled to meet the Chamber to finalize the deal on February 14, 2011. However, on February 4, Barr boasted to the Financial Times that he was preparing to reveal the identities of Anonymous, which responded with the hack that spilled the contents of HBGary Federal's e-mails and Rootkit.com's user database. HBGary Federal had also entered into talks about working on behalf of Bank of America to discredit the website WikiLeaks and its perceived allies in the media. The e-mail trail ends on February 6; the Chamber, despite e-mails showing it met with Hunton and Williams to discuss the project, denied any knowledge of the proposal and said it had never compensated the firms or entered into any agreement for the work described in the proposals.
HBGary Federal, which shared the same owners and office space as HBGary, shut down in the wake of the leaked e-mails. Last year, HBGary was acquired by a military contracting firm called ManTech International for $23.8 million, according to disclosures with the Securities and Exchange Commission. The spokesperson for HBGary declined to comment on this story.
Although Rootkit.com is no longer online, similar websites like Metasploit and TrustedSec offer hackers and cyber security professionals an array of software that could be used by anyone seeking to break into an organization, take control of its network and seize data.
"There's nothing so unique about how you break into an organization," said Nick Levay, the director of technical operations information security at the Center for American Progress, who spoke to The Nation by telephone. Levay, an expert on computer security, said there's "lots of overlap" between the documented Chinese military cyber hacking incidents described by The New York Times and the Mandiant report and the tactics proposed by the contractors working with the Chamber's attorneys.
Mandiant's Richard Bejtlich described the malware tools as a firearm that could be used by anyone. "You could buy a firearm, but what are you going to do with it? Is it for hunting or self-defense?" Researchers commonly use sites like Metasploit to develop defense software against certain cyber attacks. Or, Bejtlich said, "Are you outfitting an army to conduct an insurgency where you're going to harass a foreign military for ten years?"
Levay said that malware or phishing attempts may be difficult to detect if the perpetrator is only interested in gathering intelligence. However, "any disruption or sabotage, they're going to get caught," said Levay. Bejtlich made a similar case, arguing that if domestic political organizations or cyber criminals attempt to sabotage computers in the United States, "the Bureau's going to find you."
Large firms that have been victimized by malicious hacking, including Google and Intel, at least have the resources to detect and counter most forms of computer crimes. But what about a small company or political advocacy group with few resources?
"Political campaigns, absolutely, they have to be vigilant that they will be attacked," said Ajay Uggirala, the director of product and technical marketing at the cyber security firm Solera Networks. "It's going to be a dynamic," Uggirala explained, "I wouldn't be surprised if people use the good tools we have for bad purposes on political candidates."