“Cyberwar” is a heavily loaded term, which conjures up Hollywood inspired images of hackers causing oil refineries to explode.
Some security celebrities came out very strongly against the thought of it, claiming that cyberwar was less science, and more science fiction.
Last year on May 21, the United States Cyber Command (USCYBERCOM) reported reaching initial operational capability, and news stories abound of US soldiers undergoing basic cyber training, which all point to the idea that traditional super powers are starting to explore this arena.
Recent activities with one government contractor and Anonymous, however, show clearly that cyber operations have been going on for a long while, and that the private sector has been only too ready to fill the cyber mercenary role for piles of cash.
Anonymous vs. HBGary
Early in 2011, Aaron Barr submitted a talk to a security conference in which he planned to “focus on outing the major players of the anonymous group”.
Barr, the CEO of Washington-based HBGary Federal, had spent time “infiltrating the group” using multiple identities on social networks and Anonymous IRC channels.
He was confident enough of his analysis to publish parts of it through the Financial Times. Barr (and indeed the rest of the company) planned to milk the exposure, lining up a string of meetings to profit from the research, from an interview with 60 Minutes to multiple potential deals with federal agencies.
The CEO of HBGary prepared a post explaining how they had flexed their “muscle today by revealing the identities of all the top management within the group Anonymous.”
Anonymous were quick to respond.
Even while Barr was proclaiming victory and threatening to “take the gloves off”, Anonymous were burrowing deeper into his network.
By the end of the attack, Barr’s iPad was reputedly erased, his LinkedIn and Twitter accounts were hijacked, the HBGary Federal website was defaced, proprietary HBGary source code was stolen and with over 71,000 private emails now published to the internet, HBGary was laid bare.
In this, was our first lesson: The asymmetry of cyber warfare.
HBGary, a well-funded, pedigreed security company with strong offensive cyber capabilities was given a beating by a non-funded, loosely organised hacker collective.
The incident holds a string of lessons for those wishing to secure their networks from attack, but what’s far more interesting is the leaked emails that give us insight into the murky world of “cyber contractors” and what’s being called “the military digital complex”.
HBGary: cyberwar arms dealer
HBGary was formed by security research veteran Greg Hoglund, who has made a name for himself over the years doing research on rootkit technology.
A rootkit is a piece of software installed to ensure that an attacker is able to maintain control of a compromised computer. Rootkits are designed to avoid detection once installed.
Hoglund’s emails claim that his current products were built with “about 2 million in Uncle Sam’s money”, but this alone is no shocker. Governments fund technology research all the time, and HBGary were also building a commercial product.
What is shocking though, are some of the other details that came out in the wash.
The emails make it clear that HBGary sold rootkits and keyloggers (tools to record and exfiltrate keystrokes surreptitiously) to government contractors for prices between $60,000 and $200,000 each.
These pieces of “malware” would be tailored specifically to the clients needs, which undoubtedly reflected the state of the ultimate targets e.g.: “..test the tool against McAfee and Norton”.
Some rootkits were fairly routine, while others clearly betrayed specific needs: “Runs on MS Windows XP sp2 and Office 2003, finds MS Office files using the XRK technique to exfiltrate files”.
Even next generation rootkits were explored – to remain active despite the removal of a hard drive or to persist on a machine through the video card.
Make no mistake, these were offensive cyber tools, made to order.
Rootkits allow you to maintain control of a compromised machine, but one would still need an initial compromise vector.
Once again, the mail archives deliver: HBGary sales personnel can be seen making reference to “Juicy Fruit”, their internal name for HBGary supplied 0day exploits.
0day refers to exploits that are currently unknown to the software vendor, making defence against 0day attacks sometimes impossible.
One email lists their 0day arsenal, which included attacks against Adobe Flash, Windows 2003, Sun Java and a host of other products.
The emails even differentiate between exploits that have been sold to a customer and those that are still exclusive.
Other emails include discussions on selling back-doored software to foreign governments and plans to create “themes for video games and movies appropriate for Middle East & Asia. These theme packs would contain back doors.”
Clearly cyber attacks against foreign nationals appear to be fair game.
If the ethical line on such matters was slightly blurry, the line was completely obliterated with plans to combat WikiLeaks by targeting supporters of the cause:
Subject: Re: first cut
One other thing. I think we need to highlight people like Glenn Greenwald. Glenn was critical in the Amazon to OVH transition and helped wikileaks provide access to information during the transition.
(Subsequent emails show that the project to target WikiLeaks was to be sold for $2 million dollars.)
Maybe HBGary was an outlier?
At this point we could make the jump that HBGary was a single bad apple, operating on the other side of the ethical line all on its own, but we would be wrong.
The email above indicates that the project to discredit WikiLeaks (and their supporters) was a joint operation by HBGary Federal, Palantir and BericoTechnologies, although the other companies involved were quick to distance themselves from HBGary after the Anonymous hack.
Endgame Systems, a company with almost no public footprint were also thrust into the spotlight, when several of their previously well-guarded reports and company presentations were shared amongst the emails.
In an early email to Aaron Barr, Endgame Systems made it clear that they had “been very careful NOT to have public face on our company”. The CEO of Endgame Systems was clear: “Please let HBgary know we don’t ever want to see our name in a press release.”
So what exactly do the secretive Endgame Systems do? The company started by ex ISS and CIA executives promises (in private) “to provide our customers with the highest quality offensive CNA/CNE (Computer Network Attack/Computer Network Exploitation) software in the world”.
Their overview makes it clear that they serve “the special requirements of the United States DoD and Intelligence Community”.
Their leaked PowerPoint deck advertises subscriptions of $2,500,000 per year for access to 0day exploits, with slightly more affordable “intelligence feeds” effectively selling information on vulnerable servers by geographic region.
With a single report (and a big enough chequebook) you can find out all the servers vulnerable to attack in the Venezuelan government, along with the software required to exploit them. [Downloadable file]
Even just the CV’s sent to HBGary for job applications turned out to be instructive, revealing details that are not often circulated in the public arena.
One candidate had “managed team of 15 persons, responsible for coordinating offensive computer network operations for the United States Department of Defense and other federal agencies.”
Clearly offensive cyber operations far predate the 2009 founding of USCYBERCOM.
The email conversations make clear what many have known, that offensive cyber operations against individuals and nation states have been going on for a long, long time.
Experts who claim otherwise are misinformed at best, or actively spreading misinformation at worst. When it comes to cyberwar, the matter is best handled by William Gibson’s famous quote: “The future is already here – it’s just not very evenly distributed.”
Haroon Meer is the founder of Thinkst, an applied research company with a deep focus on information security. He has contributed to several books on information security and has presented research at industry and academic conferences around the world.
The views expressed in this article are the author’s own and do not necessarily reflect Al Jazeera’ s editorial policy.