In an effort to confirm this was in fact Stuxnet, Crowdleaks has decompiled some of the source code, which can be found here.
Throughout the following emails it is revealed that HBGary Federal may have been planning to use Stuxnet for their own purposes.
from: Charles Copeland
date: Sat, Sep 25, 2010 at 9:54 PM
subject: Stuxnet Worm Mailing List
mailed-by: hbgary.com
Computerworld – Officials in Iran have confirmed that the Stuxnet worm infected at least 30,000 Windows PCs in the country, multiple Iranian news services reported on Saturday.
http://www.computerworld.com/s/article/9188018/Iran_confirms_massive_Stuxnet_infection_of_industrial_systems
I’ve already got an email asking about stuxnet, this came out late Friday. Does anyone have a dropper? I have been unable to find it.
from: David D. Merritt
to: Aaron Barr
date: Sun, Oct 3, 2010 at 9:35 PM
subject: Re: Hunter Killer Insanity 285
mailed-by: gmail.com
contacts over at TSA say that everybody has a copy…combine that with US CERTs vulnerability status and their own systems not meeting the spec….
i’m seeing TSA becoming a malware testbed…
On Oct 3, 2010, at 10:13 PM, Aaron Barr wrote:
> We haven’t but I would be interested to talk to you some about the tie. I do have a decent amount of information on Stuxnet and would be interested to hear about the tie. Some of what I know about Stuxnet might be of interest. I think it would be best to discuss in a more closed space though.
> In doing a little research:
> While this guy can be a bit of a crackpot at times his post has more validity than fiction. Greg and I have brainstormed a bit in the past on how to conduct such an attack that would be very difficult to detect. Autonomous, single purpose malware with no C&C. As we have said the battle is on the edges either source of destination, everything else is or will become somewhat irrelevant or diminished in value.
> Aaron Barr
> HBGary Federal, LLC
Greg Hoglund, it’s made clear that HBGary wanted to hide their work on Stuxnet.
from: Greg Hoglund
date: Sun, Sep 26, 2010 at 10:26 PM
subject: stuxnet mailing list
mailed-by: hbgary.com
HBGary has no official position on Stuxnet. Please do not comment to the press on Stuxnet. We know nothing about Stuxnet.
CEO, HBGary, Inc.
Sent from my iPad
> From: Aaron Barr
> To: Peace, Cheryl D
> Sent: Mon Aug 09 13:54:23 2010
> Subject: Re: Number
> Hi Cheryl,
> It does. I haven’t met him personally. Our sister company does work
> in a few different pockets on the bldg. And I am on the extended NANA
> team. I recently joined to stand up HBGary Federal, a related but
> separate company. We manage all the work that requires clearances.
> We exchange some technologies, but we have some separate developments
> as well. Mostly around threat intelligence and CNO/social media.
> I think there are some enabling tech to your mission but really need
> that qualified.
> Interested to run some of the stuxnet stuff by u as well.
> Sent from my iPhone
On Aug 9, 2010, at 9:27 AM, “Peace, Cheryl D” wrote:
>> Did a little checking and we already do busy with you guys. Does the name
>> Tony Seager ring a bell?
>> -----Original Message-----
>> From: Aaron Barr [mailto:email@example.com]
>> Sent: Friday, August 06, 2010 10:56 AM
>> To: Peace, Cheryl D
>> Subject: Re: Number
>> OK. If interested do you have some time to get together when you get back?
>> either next Friday or early the following week?
>> On Aug 6, 2010, at 10:44 AM, Peace, Cheryl D wrote:
>>> I am in Europe till mid next week
>>> -----Original Message-----
>>> From: Aaron Barr [mailto:firstname.lastname@example.org]
>>> Sent: Thursday, August 05, 2010 10:57 PM
>>> To: Peace, Cheryl D
>>> Subject: Re: Number
>>> Hi Cheryl,
>>> Can I schedule an appointment with you to come by and chat for a few
>>> On Jul 30, 2010, at 10:41 PM, Peace, Cheryl D wrote:
>>>> I am at Rao at the bar if you want to come by for a few. Meeting friends
>>> for a cocktail in a few
>>>> Sent using BlackBerry
>>>> ----- Original Message -----
>>>> From: Aaron Barr
>>>> To: Peace, Cheryl D
>>>> Sent: Fri Jul 30 20:02:44 2010
>>>> Subject: Number
>>>> Sorry to bother you but do you have a minute to talk. I don’t have
>>>> your number handy. It will only take moment, but I have some
>>>> information for you.
>>>> Aaron Barr
>>>> HBGary Federal
from: Greg Hoglund
to: Rich Cummings
date: Mon, Nov 16, 2009 at 9:30 PM
subject: Govt dropper in this word DOC, zipped up for you
mailed-by: hbgary.com
Phil, Rich,
I got this word doc linked off a dangler site for Al Qaeda peeps. I think it has a US govvy payload buried inside. Would be neat to REcon it and see what it’s about. DONT open it unless in a VM obviously. password is meatflower. Remove the .txt extension too. DONT let it FONE HOME unless you want black suits landing on your front acre. 🙂
-Greg
“A hacker did not write this, it appears to be something that would be produced by a team using a process, all of the components were created using code similar to what is already publicly available. That is to say it’s ‘unremarkable’. This was created by a software development team and while the coders were professional level I am really not impressed with the end product, it looks like a picture a child painted with finger paints.”
“Probably a corporation by request of a government, it was clearly tested and put together by pros. It really looks like outsourced work.”