Operation Aurora targeted dozens of large firms, including Adobe, Northrop Grumman, Dow Chemical, and most famously Google.
Morgan Stanley is first financial company to be identified as being a target of the Aurora attacks which began in mid-2009.
"They were hit hard by the real Aurora attacks (not the crap in the news)," read an e-mail by a senior security engineer at HBGary, Phil Wallisch.
The leaked emails do not discuss what systems were compromised, what data may have been exposed, or the extent and duration of the unauthorized access, but the intrusion may have gone unnoticed for several months.
HBGary had been hired by Morgan Stanley in 2010 to investigate other network security events unrelated to Aurora when malicious software designed to harvest sensitive data and communications was discovered on the financial firm's systems.
HBGary Federal was in turn the target of a hacking operation conducted by the hacktivist movement known as Anonymous which resulted in the release of tens-of-thousands of company emails.
HBGary Federal's CEO Aaron Barr announced his resignation from the company in the wake of the devastating breach and subsequent criticism regarding some of the company's business practices.
Lack of mandatory reporting statutes requiring companies like Morgan Stanley to disclose system breaches and relevant details leaves consumers, investors, business partners, and clients in the dark when it comes to security events.
The Department of Health and Human Services and the Office for Civil Rights are the first agencies able to enforce mandatory reporting and notification related to network breaches under the HIPAA and HITECH regulations.
Legislative proposals are in the works that may expand mandatory reporting to sectors outside of healthcare, including for financial firms.