When Aaron Barr was finalizing a recent computer security presentation for the U.S. Transportation Security Administration, a colleague had a bit of good-natured advice for him: "Scare the shit out of them!"
In retrospect, this may not have been the advice Barr needed. As CEO of the government-focused infosec company HBGary Federal, Barr had to bring in big clients — and quickly — as the startup business hemorrhaged cash. To do so, he had no problem with trying to "scare the sh*t out of them." When working with a major DC law firm in late 2010 on a potential deal involving social media, for instance, Barr decided that scraping Facebook to stalk a key partner and his family might be a good idea. When he sent his law firm contact a note filled with personal information about the partner, his wife, her family and her photography business, the result was immediate.
"Thanks. I am not sure I will share what you sent last night — he might freak out."
This rather creepy behavior became common; Barr used it as a sign of his social media prowess. Another target of his investigations went to "a Jewish Church in DC, the Temple Micah." Someone else "married @ the Inn at Perry Cabin in St. Michaels, MD (non-denominational ceremony)." Barr was even willing to helpfully guesstimate the ages of children in photographs ("they have 2 kids, son and daughter look to be 7 and 4").
With one potential client, Barr sifted the man's social media data and then noted that "I am tempted to create a person from his highschool and send him a request, but that might be overstepping it."
As the money ran out on HBGary Federal, Barr increasingly had no problem "overstepping it." In November, when a major U.S. bank wanted a strategy for taking down WikiLeaks, Barr immediately drafted a presentation in which he suggested "cyber attacks against the infrastructure to get data on document submitters. This would kill the project. Since the servers are now in Sweden and France, putting a team together to get access is more straightforward."
Faking documents seemed like a good idea, too, documents which could later be "called out" so as to make WikiLeaks look unreliable.
And Barr wanted to go further, pushing on people like civil liberties Salon.com columnist Glenn Greenwald — apparently hoping to threaten their livelihoods. "These are established professionals that have a liberal bent, but ultimately most of them if pushed will choose professional preservation over cause, such is the mentality of most business professionals," he wrote. "Without the support of people like Glenn WikiLeaks would fold."
When the U.S. Chamber of Commerce wanted to look into some of its opponents, Barr teamed with two other security companies and went nuts, proposing that the Chamber create an absurdly expensive "fusion cell" of the kind "developed and utilized by Joint Special Operations Command (JSOC)" — and costing $2 million a month. And if the fusion cell couldn't turn up enough opposition research, the security firms would be happy to create honeypot websites to lure the Chamber's union-loving opponents in order to grab more data from them.
The security companies even began grabbing tweets from liberal activists and mapping the connections between people using advanced link analysis software most often used by the intelligence community. (Some of the Chamber material was unearthed by ThinkProgress and other liberal bloggers, while The Tech Herald and Crowdleaks.org first wrote about the proposed WikiLeaks attacks.)
While waiting to see if his proposals would result in work for HBGary Federal, Barr turned in January to unmask the leadership of the hacker collective Anonymous. This part of the story is well known by now (read our investigative feature): when Barr went public with his findings, Anonymous took down his website, stole his e-mails, deleted the company's backup data, trashed Barr's Twitter account and remotely wiped his iPad.
In the days since the attack and the publication of Barr's e-mails, his partners at other security firms threw him under the bus. "I have directed the company to sever any and all contacts with HB Gary," said the CEO of Palantir.
Berico Technologies, another private security firm, said that it "does not condone or support any effort that proactively targets American firms, organizations or individuals. We find such actions reprehensible and are deeply committed to partnering with the best companies in our industry that share our core values. Therefore, we have discontinued all ties with HBGary Federal."
Glenn Greenwald unleashed both barrels of his own, claiming that "what is set forth in these proposal... quite possibly constitutes serious crimes. Manufacturing and submitting fake documents with the intent they be published likely constitutes forgery and fraud. Threatening the careers of journalists and activists in order to force them to be silent is possibly extortion and, depending on the specific means to be used, constitutes other crimes as well. Attacking WikiLeaks' computer infrastructure in an attempt to compromise their sources undoubtedly violates numerous cyber laws."
How did Barr, a man with long experience in security and intelligence, come to spend his days as a CEO e-stalking clients and their wives on Facebook? Why did he start performing "reconnaissance" on the largest nuclear power company in the United States? Why did he suggest pressuring corporate critics to shut up, even as he privately insisted that corporations "suck the lifeblood out of humanity"? And why did he launch his ill-fated investigation into Anonymous, one which may well have destroyed his company and damaged his career?
Thanks to his leaked e-mails, the downward spiral is easy enough to retrace. Barr was under tremendous pressure to bring in cash, pressure which began on Nov. 23, 2009.
That's when Barr started the CEO job at HBGary Federal. Its parent company, the security firm HBGary, wanted a separate firm to handle government work and the clearances that went with it, and Barr was brought in from Northrup Grumman to launch the operation.
In an e-mail announcing Barr's move, HBGary CEO Greg Hoglund told his company that "these two are A+ players in the DoD contracting space and are able to 'walk the halls' in customer spaces. Some very big players made offers to Ted and Aaron last week, and instead they chose HBGary. This reflects extremely well on our company. 'A' players attract 'A' players."
Barr at first loved the job. In December, he sent an e-mail at 1:30am; it was the "3rd night in a row I have woken up in the middle of the night and can't sleep because my mind is racing. It's nice to be excited about work, but I need some sleep."
Barr had a huge list of contacts, but turning those contacts into contracts for government work with a fledgling company proved challenging. Less than a year into the job, HBGary Federal looked like it might go bust.
On Oct. 3, 2010, HBGary CEO Greg Hoglund told Aaron that "we should have a pow-wow about the future of HBGary Federal. [HBGary President] Penny and I both agree that it hasn't really been a success... You guys are basically out of money and none of the work you had planned has come in."
Aaron agreed. "This has not worked out as any of us have planned to date and we are nearly out of money," he said.
While he worked on government contracts, Barr drummed up a little business doing social media training for corporations using, in one of his slides, a bit of research into one Steven Paul Jobs.
The training sessions, following the old "scare the sh*t out of them" approach, showed people just how simple it was to dredge up personal information by correlating data from Facebook, LinkedIn, Twitter and more. At $1,000 per person, the training could pull in tens of thousands of dollars a day, but it was sporadic. More was needed; contracts were needed, preferably multi-year ones.
The parent company also had issues. A few weeks after the discussions about closing up HBGary Federal, HBGary President Penny Leavy-Hoglund (Greg's wife), sent an e-mail to her sales team, telling them "to work a quota and to bring in revenue in a timely manner. It's not 'optional' as to when it needs to close, if you haven't met your number, the closing needs to happen now, not later. You need to live, eat, breath and ensure you meet your number, not kind of hit it, MEET IT... Guys, no one is making their quota."
She concluded darkly, "I have some serious doubts about some people's ability to do their job. There will be changes coming shortly and those decisions will be new people's to make."
And then, unexpectedly, came the hope of salvation.
By October 2010, Barr was under considerable stress. His CEO job was under threat, and the e-mails show that the specter of divorce loomed over his personal life.
On Oct. 19, a note arrived. HBGary Federal might be able to provide part of "a complete intelligence solution to a law firm that approached us." That law firm was DC-based powerhouse Hunton & Williams, which boasted 1,000 attorneys and terrific contacts. They had a client who wanted to do a little corporate investigative work, and three small security firms thought they might band together to win the deal.
Palantir would provide its expensive link analysis software running on a hosted server, while Berico would "prime the contract supplying the project management, development resources and process/methodology development." HBGary Federal would come alongside to provide "digital intelligence collection" and "social media exploitation" — Barr's strengths.
Team Themis logo
The three companies needed a name for their joint operation. One early suggestion: a "Corporate Threat Analysis Cell." Eventually, a sexier name was chosen: Team Themis.
Barr went to work immediately, tracking down all the information he could find on the team's H&W contact. This was the result of few hours' work:
Team Themis didn't quite understand what H&W wanted them to do, so Barr's example was simply a way to show "expertise." But it soon became clear what this was about: the U.S. Chamber of Commerce wanted to know if certain groups attacking them were "astroturf" groups funded by the large unions.
"They further suspect that most of the actions and coordination take place through online means — forums, blogs, message boards, social networking and other parts of the 'deep web,'" a team member explained later. "But they want to marry those online, 'cyber' sources with traditional open source data-tax records, fundraising records, donation records, letters of incorporation, etc. I believe they want to trace all the way from board structure down to the individuals carrying out actions."
H&W was putting together a proposal for the Chamber, work that Team Themis hoped to win. (It remains unclear how much the Chamber knew about any of this; it claimed later never to have paid a cent either to Team Themis or to H&W in this matter.)
Barr's plan was to dig up data from background checks, LexisNexis, LinkedIn, Facebook, Twitter, blogs, forums and web searches and dump it into Palantir for analysis. Hopefully, the tool could shed light on connections between the various anti-Chamber forces.
Once that was done, Team Themis staffers could start churning out intelligence reports for the Chamber. The team wrote up a set of "sample reports" filled with action ideas like:
- Create a false document, perhaps highlighting periodical financial information, and monitor to see if U.S. Chamber Watch acquires it. Afterward, present explicit evidence proving that such transactions never occurred. Also, create a fake insider persona and generate communications with [union-backed Change to Win]. Afterward, release the actual documents at a specified time and explain the activity as a CtW contrived operation.
- If needed, create two fake insider personas, using one as leverage to discredit the other while confirming the legitimacy of the second. Such work is complicated, but a well-thought out approach will give way to a variety of strategies that can sufficiently aid the formation of vetting questions U.S. Chamber Watch will likely ask.
- Create a humor piece about the leaders of CtW.
The whole team had been infected with some kind of spy movie virus, one which led them to think in terms of military intelligence operations and ham-handed attacks. The attitude could be seen in e-mails which exhorted Team Themis to "make [H&W] think that we are Bond, Q, and Moneypenny all packaged up with a bow."
But what to charge for this cloak-and-dagger work? Some team members worried that the asking price for an initial deployment was too high for H&W; someone else fired back, "Their client is loaded!" Besides, that money would buy access to Palantir, Berico, and "super sleuth Aaron Barr."
As the Team Themis proposal went to one of the top H&W lawyers for potential approval, Barr continued his social media dumpster diving. He dug up information on H&W employees, Chamber opponents, even the H&W partner whose approval was needed to move this proposal forward. That last bit of data collection, which Barr sent on to H&W, led to the e-mail about how it might "freak out" the partner.
Barr's investigation in an H&W partner
If the deal came through, Barr told his HBGary colleagues, it might salvage the HBGary Federal business. "This will put us in a healthy position to chart our direction with a healthy war chest," he wrote.
Indeed it would; Team Themis decided to ask for $2 million per month, for six months, for the first phase of the project, putting $500,000 to $700,000 per month in HBGary Federal's pocket.
But the three companies disagreed about how to split the pie. In the end, Palantir agreed to take less money, but that decision had to go "way up the chain (as you can imagine)," wrote the Palantir contact for Team Themis. "The short of it is that we got approval from Dr. Karp and the Board to go ahead with the modified 40/30/30 breakdown proposed. These were not fun conversations, but we are committed to this team and we can optimize the cost structure in the long term (let's demonstrate success and then take over this market :))."
The leaders at the very top of Palantir were aware of the Team Themis work, though the details of what was being proposed by Barr may well have escaped their notice. Palantir wasn't kidding around with this contract; if selected by H&W and the Chamber, Palantir planned to staff the project with an experienced intelligence operative, a man who "ran the foreign fighter campaign on the Syrian border in 2005 to stop the flow of suicide bombers into Baghdad and helped to ensure a successful Iraqi election. As a commander, [he] ran the entire intelligence cycle: identified high-level terrorists, planned missions to kill or capture them, led the missions personally, then exploited the intelligence and evidence gathered on target to defeat broader enemy networks."
(Update: a reader points to additional emails which suggest that the "foreign fighter campaign" operative would not actually be working on the Team Themis project. Instead, Berico and Palantir would list him and another top person as "key personnel," drawing on their "creds to show our strengths," but might actually staff the project with others.)
But the cash, which "will seem like money falling from the sky for those of us used to working in the govt sector," was not forthcoming. H&W didn't make a decision in November. Barr began to worry.
"All things we are chasing continue to get pushed to the right or just hang in limbo," he wrote. "I don't think we can make it any further. We are behind in our taxes trying to keep us afloat until a few things came through, but they are not happening fast enough." He noted that Palantir was asking "way too much money" from H&W.
As the weeks dragged on, Team Themis decided to lower its price. It sent an e-mail to H&W, saying that the three companies were "prepared to offer our services as Team Themis at a significantly lower cost (much closer to the original "Phase I" proposed costs). Does this sound like a more reasonable range in terms of pricing?"
But before H&W made a decision on Chamber of Commerce plan, it had another urgent request for Team Themis: a major U.S. bank had come to H&W seeking help against WikiLeaks (the bank has been widely assumed to be Bank of America, which has long been rumored to be a future WikiLeaks target.)
"We want to sell this team as part of what we are talking about," said the team's H&W contact. "I need a favor. I need five to six slides on Wikileaks — who they are, how they operate and how this group may help this bank. Please advise if you can help get me something ASAP. My call is at noon."
By 11:30pm on the evening of Dec. 2, Barr had cranked out a PowerPoint presentation. It called for "disinformation," "cyber attacks," and a "media campaign" against WikiLeaks.
What could HBGary Federal do?
- Computer Network Attack/Exploitation
- Influence and Deception Operations
- Social Media Collection, Analysis, Exploitation
- Digital Media Forensic Analysis
This attack capability wasn't mere bluster. HBGary had long publicized to clients its cache of zero-day exploits — attacks for which there is no existing patch. A slide from a year earlier showed that HBGary claimed unpublished zero-day exploits in everything from Flash to Java to Windows 2000.
Another slide made clear that the company had expertise in "computer network attack," "custom malware development," and "persistent software implants."
In October 2010, HBGary CEO Greg Hoglund had tossed out a random idea for Barr, one that did not apparently seem unusual: "I suggest we create a large set of unlicensed windows-7 themes for video games and movies appropriate for middle east & asia. These theme packs would contain back doors."
Barr's ideas about WikiLeaks went beyond attacks on their infrastructure. He wrote in a separate document that WikiLeaks was having trouble getting money because its payment sources were being blocked. "Also need to get people to understand that if they support the organization we will come after them," he wrote. "Transaction records are easily identifiable."
As an idea that Barr knew was being prepared for a major U.S. bank, the suggestion is chilling. Barr also reiterated the need to "get to the Swedish document submission server" that allowed people to upload leaked documents.
At 7:30am the next morning, Barr had another great idea — find some way to make WikiLeaks supporters like Glenn Greenwald feel like their jobs might be at stake for supporting the organization.
"One other thing," he wrote in his morning message. "I think we need to highlight people like Glenn Greenwald. Glenn was critical in the Amazon to OVH [data center] transition and helped WikiLeaks provide access to information during the transition. It is this level of support we need to attack. These are established professionals that have a liberal bent, but ultimately most of them if pushed will choose professional preservation over cause, such is the mentality of most business professionals. Without the support of people like Glenn WikiLeaks would fold."
This seems an absurd claim on a number of levels, but it also upped the "creep factor" dramatically. Barr was now suggesting that a major U.S. corporation find ways to lean on a civil liberties lawyer who held a particular view of WikiLeaks, pressuring him into silence on the topic. Barr, the former Navy SIGINT officer who had traveled around the world to defend the First Amendment right to freedom of speech, had no apparent qualms about his idea.
The fallout rained down quickly enough. In January, with H&W still not signing off on any big-dollar deals, Barr decided to work on a talk for the BSides security conference in San Francisco. He hoped to build on all of the social media work he was doing to identify the main participants in the Anonymous hacker collective — and by doing so to drum up business.
The decision seems to have stemmed from Barr's work on WikiLeaks. Anonymous defended WikiLeaks on several occasions in 2010, even attacking the websites of Visa and MasterCard when the companies refused to process WikiLeaks donations. But Barr also liked the thrill of chasing a dangerous quarry.
For instance, to make his point about the vulnerabilities of social media, Barr spent some time in 2010 digging into the power company Exelon and its U.S. nuclear plants. "I am going to target the largest nuclear operator in the United States, Exelon, and I am going to do a social media targeted collection, reconnaissance against them," he wrote.
Once Barr had his social media map of connections, he could attack. As he wrote elsewhere:
Knowing about a target's spouse and college and business and friends makes it relatively easy to engage in a "spear phishing" attack against that person — say, a fake e-mail from an old friend, in which the target eventually reveals useful information.
Ironically, when Anonymous later commandeered Greg Hoglund's separate security site rootkit.com, it did so through a spear phishing e-mail attack on Hoglund's site administrator — who promptly turned off the site's defenses and issued a new password ("Changeme123") for a user he believed was Hoglund. Minutes later, the site was compromised.
After the Anonymous attacks and the release of Barr's e-mails, his partners furiously distanced themselves from Barr's work. Palantir CEO Dr. Alex Karp wrote, "We do not provide — nor do we have any plans to develop — offensive cyber capabilities... The right to free speech and the right to privacy are critical to a flourishing democracy. From its inception, Palantir Technologies has supported these ideals and demonstrated a commitment to building software that protects privacy and civil liberties. Furthermore, personally and on behalf of the entire company, I want to publicly apologize to progressive organizations in general, and Mr. Greenwald in particular, for any involvement that we may have had in these matters."
Berico said (PDF) that it "does not condone or support any effort that proactively targets American firms, organizations or individuals. We find such actions reprehensible and are deeply committed to partnering with the best companies in our industry that share our core values. Therefore, we have discontinued all ties with HBGary Federal."
But both of the Team Themis leads at these companies knew exactly what was being proposed (such knowledge may not have run to the top). They saw Barr's e-mails, and they used his work. His ideas on attacking WikiLeaks made it almost verbatim into a Palantir slide about "proactive tactics."
And Palantir had no problem scraping tweets from union supporters and creating linkages from them.
As for targeting American organizations, it was a Berico analyst who sent out the Team Themis "sample reports," the documents suggesting that the U.S. Chamber of Commerce create false documents and false personae in its effort to "discredit the organization" U.S. Chamber Watch.
The U.S. Chamber of Commerce expressed shock when the Team Themis work came to light. "We’re incredulous that anyone would attempt to associate such activities with the Chamber as we’ve seen today from the Center for American Progress," said Tom Collamore on Feb. 10. "The security firm referenced by ThinkProgress was not hired by the Chamber or by anyone else on the Chamber’s behalf. We have never seen the document in question nor has it ever been discussed with us."
Indeed, the meeting between H&W and the Chamber on this issue was set to take place today, Feb. 14. On Feb. 11, the Chamber went further, issuing a new statement saying that "it never hired or solicited proposals from HBGary, Palantir or Berico, the security firms being talked about on the web ... The leaked e-mails appear to show that HBGary was willing to propose questionable actions in an attempt to drum up business, but the Chamber was not aware of these proposals until HBGary’s e-mails leaked."
"No money, for any purpose, was paid to any of those three private security firms by the Chamber, or by anyone on behalf of the Chamber, including Hunton & Williams."
As for Hunton & Williams, they have yet to comment publicly. On Feb. 7, however, the firm celebrated its top ranking in Computerworld's report on "Best Privacy Advisers."
