HBGary, Inc., sister company to now infamous HBGary Federal, has released an open letter addressed to their customers and the defense marketplace in general.
The letter attempts to set the record straight in the wake of a devastating breach and disclosure of some less than flattering business practice details.
In January, the companies were breached in an operation conducted by the rogue movement Anonymous, and the subsequent release of tens-of-thousands of company emails revealed multiple instances of ethically questionable covert operations involving the security company.
The leaked emails showed that HBGary Federal, Palantir Technologies and Berico Technologies were involved in developing WikiLeaks counter-operations strategies for Bank of America and proposed disinformation campaigns, cyber attacks against network systems, and strong-arming journalists.
Other information released in the breach show the companies were engaged in developing strategies to infiltrate other civil activist groups, and plans to use social media for distributing government propaganda. There was also evidence that HBGary Federal was involved in developing an undetectable, full command and control cyber offensive weapon called Magenta.
The open letter HBGary Inc. released recently seeks to clarify some of the details of the breach event, as well as rehabilitate the company's image regarding some of the more embarrassing revelations.
While some details in the brief letter seem to jibe with the information contained in the tens-of-thousands of leaked emails, the letter for the most part just comes off as a generic attempt to rewrite the record, further distance HBGary Inc. from the activities of Aaron Barr and HBGary Federal, and get the company back on track to do business.
HBGary Inc. and HBGary Federal
The letter clarifies the relationship between the two legally separate entities:
"HBGary, Inc. and HBGary Federal are two distinct companies with completely different management, employees and missions. As is evident from the released emails, while members of HBGary Inc. served on the Board of Directors for HBGary Federal, the Board was not involved in the day to day activities of the Company but rather only in the overarching financial direction of the business, especially since much of the work of HBGary Federal is classified."
HBGary asserts that no proprietary source code was compromised in the breach, contrary to several reports in the media:
"HBGary, Inc's internal networks were not penetrated. The internal networks are secure and compartmented with a full-time security monitoring team. After the incident, HBGary conducted an extensive forensic examination of its networks and determined that the hackers had not been able to gain access and no other data was compromised. HBGary, Inc. is a COTS software development company and our most valuable asset is our source code. Our source code has always been air gapped from the Internet. The forensic examination confirmed that software development servers and workstations were not affected by the incident. Despite allegations otherwise, our commercial product source code was not stolen."
The letter seeks to make it clear that HBGary Inc. was not involved in any way with actions carried out by HBGary Federal or the company's former CEO Aaron Barr:
"...it is our understanding that Anonymous launched its attack against both HBGary Federal and HBGary, Inc. as retaliation for research conducted solely by HBGary Federal and specifically, Aaron Barr, its former CEO. HBGary, Inc., the COTS software company, was not involved in Mr. Barr's research or his proposals for social networking surveillance. Rather, HBGary Inc. was a victim of circumstance, caught within the storm of a vengeful retribution attack against Mr. Barr for his claim that he had infiltrated the hacking group. In short, HBGary, Inc's emails were compromised merely because it shared the same cloud-based email system with HBGary Federal."
The letter seeks to dispel any notion that HBGary Inc. was involved in the development of the Stuxnet virus, though the allegations were already generally considered to be baseless by most analysts:
"...HBGary Inc. did not develop Stuxnet. We did however perform some analysis of Stuxnet as part of efficacy testing to ensure that HBGary Inc.'s Digital DNA product could detect it as malware. Unfortunately, the Press has misconstrued a quote taken from Greg Hoglund's email, "do not discuss Stuxnet" to mean that HBGary Inc had greater involvement in Stuxnet. However, at the time this email was written, Stuxnet was drawing a great deal of press attention; thus, this email was merely intended to prevent HBGary team members from participating in the discussion. At the time, HBGary felt it was unwise to comment on this malware in the public forum partly due to the sensitive nature of its alleged targets.
Offensive Rootkit Development
HBGary seeks to portray its work on projects such as the "Magenta" cyber offensive tool as being purely benign in nature:
"Fifth, HBGary does extensive work in exploitation analysis, rootkit analysis and development in order to improve our products. We do this to understand the offensive nature of our foes and to help develop a better security product. It is not to "attack" foreign countries and we do not know of any instance where our investigation or development of these tools has resulted in deployment."
Kill the Messengers
The letter concludes with a slam on the "blog-o-sphere" for its coverage of the breach event and for attempts to interpret the information contained in the leaked emails:
"HBGary, Inc. is focused on continued efforts to develop world class cyber security defense software and meeting the needs of our customers. It is business as usual. It's unfortunate that our internal communications were stolen and interpreted without context. We wish to thank our customers for standing by us and the industry for its support. We wish the journalistic standards of fact-checking and verification were uniform across the press, but unfortunately, the blog-o-sphere makes that impossible."
The letter does a good job of downplaying the significance of some of the more serious allegations that were made based on information in the leaked emails. What it does not do is address any of ethical questions raised that were based on revelations of the company's involvement in some very questionable projects.
Blaming everything on former CEO Aaron Barr and claiming ignorance of HBGary Federal's business activities simply falls short of an acceptable set of explanations.
The full letter can be found HERE.