HBGary has "completely unplugged from the internet" as the security firm moves into investigatory and damage control mode following the infiltration of its network over the weekend to steal some 50,000 corporate emails and credentials.
The hacker group Anonymous took responsibility for the hijack, apparently orchestrated out of revenge for plans by Aaron Barr, CEO of HBGary Federal, a sister firm to HBGary, to release information about the activist collective during a talk about social networking at the upcoming Security B-Sides show in San Francisco.
The group compromised a web server belonging to HBGary Federal, possibly exploiting an SQL vulnerability, to gain access to the network and discover the credentials for the company's Google email account, for which Barr was the administrator, HBGary CEO Greg Hoglund told SCMagazineUS.com on Monday.
Anonymous apparently became motivated by a Financial Times story published Friday that quoted Barr and described his research into what he said were key members of the vigilante group. Anonymous also claimed that HBGary Federal was preparing to sell a document containing the identities of several Anonymous members to the FBI.
In a defacement letter posted Sunday on the home page of HBGary (now replaced with a placeholder page), the group said: "Your recent claims of 'infiltrating' Anonymous amuse us, and so do your attempts at using Anonymous as a means to garner press attention for yourself. How's this for attention?...What you seem to have failed to realize is that just because you have the title and general appearance of a 'security' company, you're nothing compared to Anonymous. You have little to no security knowledge."
Hoglund deemed the intrusion a classic case of hackers finding the weakest entry point and using that access to laterally move into more sensitive parts of the network.
At least 50,000 emails belonging to security firm HBGary were stolen, all of which have been posted to torrent sites, according to an Anonymous press release posted Monday. Also compromised were the Twitter account belonging to Barr and the LinkedIn profile belonging to HBGary Federal COO Ted Vera.
They remained under control of the Anonymous group as of Monday early afternoon EST, and the hackers are leveraging Barr's Twitter account to provide links to confiscated emails, as well as his home address, telephone number and Social Security number.
Hoglund said he first learned of the attack after attempting to login to his work email after spending much of Sunday afternoon doing work in his garage, purposely avoiding being around his computer.
"I have a ridiculously long password, so I thought I mistyped it," a noticeably distraught Hoglund recalled in a telephone interview. When it didn't work after a couple of tries, "That's when I realized there was a problem."
Anonymous also was able to hijack a web server for rootkit.com, a domain owned by Hoglund that provides a forum to discuss rootkits, he said.
Hoglund said the timing of the incident couldn't be worse, considering the RSA Conference in San Francisco is taking place next week, and HBGary was planning a major product release at the show.
"They are causing me a great deal of pain right now," he said. "What they're doing right now is not hacktivism, it's terrorism. They've really crossed a line here. I've worked so many years on HBGary, and I don't deserve this. I never did anything to those people. They completely overreacted to [the Financial Times article]. Why did they need to do that?"
Anonymous is a loosely affiliated band of individuals who have previously gained notoriety for launching distributed denial-of-service (DDoS) attacks against parties with which they don't agree, such as the Church of Scientology or companies such as MasterCard and Amazon, after they ceased doing business with whistleblower website WikiLeaks.
Hoglund said the fact that Anonymous, in this case, shifted its actions from politically motivated cyber protests to a more egregious data breach is "setting the stage that cyberterrorism is possible."
"Now we have an example of a loosely organized group of people worldwide who clearly have the capability to penetrate anything they want, just because they feel like it," Hoglund said. "They have no platform. They have no agenda."
Last week, police in London charged five Anonymous members for their role in DDoS attacks against commercial websites. Also last week, the FBI executed 40 search warrants as part of its investigation into the group.
An FBI spokeswoman on Monday said the agency has no comment on the HBGary incident.
Anonymous said in its release: "What we have done today will appear harsh. It is harsh. We will respond to those who seek to threaten us. We understand that our participants have been concerned about recent FBI raids and companies such as HBGary Federal lurking and logging our chats, so we've given all of Anonymous a message: We will fight back."
Hoglund acknowledged the irony of a security services company being overtaken."If anything, it will help us increase our security posture, but at what cost?" said Hoglund, who believes the damage to his company increases with each exposed email.
