Part 2 (1/2)
In an e-mail announcing Barr's move, HBGary CEO Greg Hoglund told his company that ”these two are A+ players in the DoD contracting space and are able to 'walk the halls' in customer spaces. Some very big players made offers to Ted and Aaron last week, and instead they chose HBGary. This reflects extremely well on our company. 'A' players attract 'A' players.”
Barr at first loved the job. In December, he sent an e-mail at 1:30am; it was the ”3rd night in a row I have woken up in the middle of the night and can't sleep because my mind is racing. It's nice to be excited about work, but I need some sleep.”
Barr had a huge list of contacts, but turning those contacts into contracts for government work with a fledgling company proved challenging. Less than a year into the job, HBGary Federal looked like it might go bust.
On October 3, 2010, HBGary CEO Greg Hoglund told Aaron that ”we should have a pow-wow about the future of HBGary Federal. [HBGary President] Penny and I both agree that it hasn't really been a success... You guys are basically out of money and none of the work you had planned has come in.”
Aaron agreed. ”This has not worked out as any of us have planned to date and we are nearly out of money,” he said.
While he worked on government contracts, Barr drummed up a little business doing social media training for corporations using, in one of his slides, a bit of research into one Steven Paul Jobs.
The training sessions, following the old ”scare the sh*t out of them” approach, showed people just how simple it was to dredge up personal information by correlating data from Facebook, LinkedIn, Twitter, and more. At $1,000 per person, the training could pull in tens of thousands of dollars a day, but it was sporadic. More was needed; contracts were needed, preferably multi-year ones.
The parent company also had issues. A few weeks after the discussions about closing up HBGary Federal, HBGary President Penny Leavy-Hoglund (Greg's wife), sent an e-mail to her sales team, telling them ”to work a quota and to bring in revenue in a timely manner. It's not 'optional' as to when it needs to close, if you haven't met your number, the closing needs to happen now, not later. You need to live, eat, breath and ensure you meet your number, not kind of hit it, MEET IT... Guys, no one is making their quota.”
She concluded darkly, ”I have some serious doubts about some people's ability to do their job. There will be changes coming shortly and those decisions will be new people's to make.”
And then, unexpectedly, came the hope of salvation.
”Bond, Q, and Monneypenny”
By October 2010, Barr was under considerable stress. His CEO job was under threat, and the e-mails show that the specter of divorce loomed over his personal life.
On October 19, a note arrived. HBGary Federal might be able to provide part of ”a complete intelligence solution to a law firm that approached us.” That law firm was DC-based powerhouse Hunton & Williams, which boasted 1,000 attorneys and terrific contacts. They had a client who wanted to do a little corporate investigative work, and three small security firms thought they might band together to win the deal.
Palantir would provide its expensive link analysis software running on a hosted server, while Berico would ”prime the contract supplying the project management, development resources, and process/methodology development.” HBGary Federal would come alongside to provide ”digital intelligence collection” and ”social media exploitation”-Barr's strengths.
The three companies needed a name for their joint operation. One early suggestion: a ”Corporate Threat Analysis Cell.” Eventually, a sexier name was chosen: Team Themis.
Barr went to work immediately, tracking down all the information he could find on the team's H&W contact. This was the result of a few hours' work:
A bit of what I have on [redacted]. He was hard to find on Facebook as he has taken some precautions to be found. He isn't even linked with his wife but I found him. I also have a list of his friends and have defined an angle if I was to target him. He has attachment to UVA, a member of multiple associations dealing with IP, e-discovery, and nearly all of this facebook friends are of people from high school. So I would hit him from one of these three angles. I am tempted to create a person from his highschool and send him a request, but that might be overstepping it. I don't want to embarrass him, so I think I will just talk about it and he can decide for himself if I would have been successful or not.
Team Themis didn't quite understand what H&W wanted them to do, so Barr's example was simply a way to show ”expertise.” But it soon became clear what this was about: the US Chamber of Commerce wanted to know if certain groups attacking them were ”astroturf” groups funded by the large unions.
”They further suspect that most of the actions and coordination take place through online means-forums, blogs, message boards, social networking, and other parts of the 'deep web,'” a team member explained later. ”But they want to marry those online, 'cyber' sources with traditional open source data-tax records, fundraising records, donation records, letters of incorporation, etc. I believe they want to trace all the way from board structure down to the individuals carrying out actions.”
H&W was putting together a proposal for the Chamber, work that Team Themis hoped to win. (It remains unclear how much the Chamber knew about any of this; it claimed later never to have paid a cent either to Team Themis or to H&W in this matter.) Barr's plan was to dig up data from background checks, LexisNexis, LinkedIn, Facebook, Twitter, blogs, forums, and Web searches and dump it into Palantir for analysis. Hopefully, the tool could shed light on connections between the various anti-Chamber forces.
Once that was done, Team Themis staffers could start churning out intelligence reports for the Chamber. The team wrote up a set of ”sample reports” filled with action ideas like:
- Create a false document, perhaps highlighting periodical financial information, and monitor to see if US Chamber Watch acquires it. Afterward, present explicit evidence proving that such transactions never occurred. Also, create a fake insider persona and generate communications with [union-backed Change to Win]. Afterward, release the actual documents at a specified time and explain the activity as a CtW contrived operation.
- If needed, create two fake insider personas, using one as leverage to discredit the other while confirming the legitimacy of the second. Such work is complicated, but a well-thought out approach will give way to a variety of strategies that can sufficiently aid the formation of vetting questions US Chamber Watch will likely ask.
- Create a humor piece about the leaders of CtW.
The whole team had been infected with some kind of spy movie virus, one which led them to think in terms of military intelligence operations and ham-handed attacks. The attitude could be seen in e-mails which exhorted Team Themis to ”make [H&W] think that we are Bond, Q, and money penny [sic] all packaged up with a bow.”
Two million a month
But what to charge for this cloak-and-dagger work? Some team members worried that the asking price for an initial deployment was too high for H&W; someone else fired back, ”Their client is loaded!” Besides, that money would buy access to Palantir, Berico, and ”super sleuth Aaron Barr.”
As the Team Themis proposal went to one of the top H&W lawyers for potential approval, Barr continued his social media dumpster diving. He dug up information on H&W employees, Chamber opponents, even the H&W partner whose approval was needed to move this proposal forward. That last bit of data collection, which Barr sent on to H&W, led to the e-mail about how it might ”freak out” the partner.
If the deal came through, Barr told his HBGary colleagues, it might salvage the HBGary Federal business. ”This will put us in a healthy position to chart our direction with a healthy war chest,” he wrote.
Indeed it would; Team Themis decided to ask for $2 million per month, for six months, for the first phase of the project, putting $500,000 to $700,000 per month in HBGary Federal's pocket.
But the three companies disagreed about how to split the pie. In the end, Palantir agreed to take less money, but that decision had to go ”way up the chain (as you can imagine),” wrote the Palantir contact for Team Themis. ”The short of it is that we got approval from Dr. Karp and the Board to go ahead with the modified 40/30/30 breakdown proposed. These were not fun conversations, but we are committed to this team and we can optimize the cost structure in the long term (let's demonstrate success and then take over this market :)).”
The leaders at the very top of Palantir were aware of the Team Themis work, though the details of what was being proposed by Barr may well have escaped their notice. Palantir wasn't kidding around with this contract; if selected by H&W and the Chamber, Palantir planned to staff the project with an experienced intelligence operative, a man who ”ran the foreign fighter campaign on the Syrian border in 2005 to stop the flow of suicide bombers into Baghdad and helped to ensure a successful Iraqi election. As a commander, [he] ran the entire intelligence cycle: identified high-level terrorists, planned missions to kill or capture them, led the missions personally, then exploited the intelligence and evidence gathered on target to defeat broader enemy networks.”
(Update: a reader points to additional emails which suggest that the ”foreign fighter campaign” operative would not actually be working on the Team Themis project. Instead, Berico and Palantir would list him and another top person as ”key personnel,” drawing on their ”creds to show our strengths,” but might actually staff the project with others.)
”I don't think we can make it any further”
But the cash, which ”will seem like money falling from the sky for those of us used to working in the govt sector,” was not forthcoming. H&W didn't make a decision in November. Barr began to worry.
”All things we are chasing continue to get pushed to the right or just hang in limbo,” he wrote. ”I don't think we can make it any further. We are behind in our taxes trying to keep us afloat until a few things came through, but they are not happening fast enough.” He noted that Palantir was asking ”way too much money” from H&W.
As the weeks dragged on, Team Themis decided to lower its price. It sent an e-mail to H&W, saying that the three companies were ”prepared to offer our services as Team Themis at a significantly lower cost (much closer to the original ”Phase I” proposed costs). Does this sound like a more reasonable range in terms of pricing?”
But before H&W made a decision on the Chamber of Commerce plan, it had another urgent request for Team Themis: a major US bank had come to H&W seeking help against WikiLeaks (the bank has been widely assumed to be Bank of America, which has long been rumored to be a future WikiLeaks target.) ”We want to sell this team as part of what we are talking about,” said the team's H&W contact. ”I need a favor. I need five to six slides on Wikileaks-who they are, how they operate and how this group may help this bank. Please advise if you can help get me something ASAP. My call is at noon.”
”Attack their weak points”
By 11:30pm on the evening of December 2, Barr had cranked out a PowerPoint presentation. It called for ”disinformation,” ”cyber attacks,” and a ”media campaign” against WikiLeaks.
What could HBGary Federal do?
- Computer Network Attack/Exploitation
- Influence and Deception Operations
- Social Media Collection, Analysis, Exploitation
- Digital Media Forensic Analysis
This attack capability wasn't mere bluster. HBGary had long publicized to clients its cache of 0-day exploits-attacks for which there is no existing patch. A slide from a year earlier showed that HBGary claimed unpublished 0-day exploits in everything from Flash to Java to Windows 2000.
Another slide made clear that the company had expertise in ”computer network attack,” ”custom malware development,” and ”persistent software implants.”
In October 2010, HBGary CEO Greg Hoglund had tossed out a random idea for Barr, one that did not apparently seem unusual: ”I suggest we create a large set of unlicensed windows-7 themes for video games and movies appropriate for middle east & asia. These theme packs would contain back doors.”
Barr's ideas about WikiLeaks went beyond attacks on their infrastructure. He wrote in a separate document that WikiLeaks was having trouble getting money because its payment sources were being blocked. ”Also need to get people to understand that if they support the organization we will come after them,” he wrote. ”Transaction records are easily identifiable.”
As an idea that Barr knew was being prepared for a major US bank, the suggestion is chilling. Barr also reiterated the need to ”get to the Swedish document submission server” that allowed people to upload leaked documents.
At 7:30am the next morning, Barr had another great idea-find some way to make WikiLeaks supporters like Glenn Greenwald feel like their jobs might be at stake for supporting the organization.
”One other thing,” he wrote in his morning message. ”I think we need to highlight people like Glenn Greenwald. Glenn was critical in the Amazon to OVH [data center] transition and helped WikiLeaks provide access to information during the transition. It is this level of support we need to attack. These are established professionals that have a liberal bent, but ultimately most of them if pushed will choose professional preservation over cause, such is the mentality of most business professionals. Without the support of people like Glenn WikiLeaks would fold.”
This seems an absurd claim on a number of levels, but it also upped the ”creep factor” dramatically. Barr was now suggesting that a major US corporation find ways to lean on a civil liberties lawyer who held a particular view of WikiLeaks, pressuring him into silence on the topic. Barr, the former Navy SIGINT officer who had traveled around the world to defend the US right to freedom of speech, had no apparent qualms about his idea.
”Discontinued all ties with HBGary Federal”
The fallout rained down quickly enough. In January, with H&W still not signing off on any big-dollar deals, Barr decided to work on a talk for the BSides security conference in San Francisco. He hoped to build on all of the social media work he was doing to identify the main participants in the Anonymous hacker collective-and by doing so to drum up business.
The decision seems to have stemmed from Barr's work on WikiLeaks. Anonymous defended WikiLeaks on several occasions in 2010, even attacking the websites of Visa and MasterCard when the companies refused to process WikiLeaks donations. But Barr also liked the thrill of chasing a dangerous quarry.
For instance, to make his point about the vulnerabilities of social media, Barr spent some time in 2010 digging into the power company Exelon and its US nuclear plants. ”I am going to target the largest nuclear operator in the United States, Exelon, and I am going to do a social media targeted collection, reconnaissance against them,” he wrote.
Once Barr had his social media map of connections, he could attack. As he wrote elsewhere:
Example. If I want to gain access to the Exelon plant up in Pottsdown PA I only have to go as far as LinkedIn to identify Nuclear engineers being employed by Exelon in that location. Jump over to Facebook to start doing link analysis and profiling. Add data from twitter and other social media services. I have enough information to develop a highly targeted exploitation effort.