Spy Games: Inside the Convoluted Plot to Bring Down WikiLeaks

Spy Games: Inside the Convoluted Plot to Bring Down WikiLeaks

By Nate Anderson, Ars Technica

February 14, 2011 |

6:51 pm |

Categories: The Ridiculous, WikiLeaks

When Aaron Barr was finalizing a recent computer security presentation for the U.S. Transportation Security Administration, a colleague had a bit of good-natured advice for him: “Scare the shit out of them!”

In retrospect, this may not have been the advice Barr needed. As CEO of the government-focused infosec company HBGary Federal, Barr had to bring in big clients — and quickly — as the startup business hemorrhaged cash. To do so, he had no problem with trying to “scare the sh*t out of them.” When working with a major DC law firm in late 2010 on a potential deal involving social media, for instance, Barr decided that scraping Facebook to stalk a key partner and his family might be a good idea. When he sent his law firm contact a note filled with personal information about the partner, his wife, her family and her photography business, the result was immediate.

“Thanks. I am not sure I will share what you sent last night — he might freak out.”

This rather creepy behavior became common; Barr used it as a sign of his social media prowess. Another target of his investigations went to “a Jewish Church in DC, the Temple Micah.” Someone else “married @ the Inn at Perry Cabin in St. Michaels, MD (non-denominational ceremony).” Barr was even willing to helpfully guesstimate the ages of children in photographs (“they have 2 kids, son and daughter look to be 7 and 4″).

Barr's rundown on his H&W contact

With one potential client, Barr sifted the man’s social media data and then noted that “I am tempted to create a person from his highschool and send him a request, but that might be overstepping it.”

As the money ran out on HBGary Federal, Barr increasingly had no problem “overstepping it.” In November, when a major U.S. bank wanted a strategy for taking down WikiLeaks, Barr immediately drafted a presentation in which he suggested “cyber attacks against the infrastructure to get data on document submitters. This would kill the project. Since the servers are now in Sweden and France, putting a team together to get access is more straightforward.”

HBGary's "special ops," from an early slide

Faking documents seemed like a good idea, too, documents which could later be “called out” so as to make WikiLeaks look unreliable.

And Barr wanted to go further, pushing on people like civil liberties Salon.com columnist Glenn Greenwald — apparently hoping to threaten their livelihoods. “These are established professionals that have a liberal bent, but ultimately most of them if pushed will choose professional preservation over cause, such is the mentality of most business professionals,” he wrote. “Without the support of people like Glenn WikiLeaks would fold.”

When the U.S. Chamber of Commerce wanted to look into some of its opponents, Barr teamed with two other security companies and went nuts, proposing that the Chamber create an absurdly expensive “fusion cell” of the kind “developed and utilized by Joint Special Operations Command (JSOC)” — and costing $2 million a month. And if the fusion cell couldn’t turn up enough opposition research, the security firms would be happy to create honeypot websites to lure the Chamber’s union-loving opponents in order to grab more data from them.

The security companies even began grabbing tweets from liberal activists and mapping the connections between people using advanced link analysis software most often used by the intelligence community. (Some of the Chamber material was unearthed by ThinkProgress and other liberal bloggers, while The Tech Herald and Crowdleaks.org first wrote about the proposed WikiLeaks attacks.)

While waiting to see if his proposals would result in work for HBGary Federal, Barr turned in January to unmask the leadership of the hacker collective Anonymous. This part of the story is well known by now (read our investigative feature): when Barr went public with his findings, Anonymous took down his website, stole his e-mails, deleted the company’s backup data, trashed Barr’s Twitter account and remotely wiped his iPad.

In the days since the attack and the publication of Barr’s e-mails, his partners at other security firms threw him under the bus. “I have directed the company to sever any and all contacts with HB Gary,” said the CEO of Palantir.

Berico Technologies, another private security firm, said that it “does not condone or support any effort that proactively targets American firms, organizations or individuals. We find such actions reprehensible and are deeply committed to partnering with the best companies in our industry that share our core values. Therefore, we have discontinued all ties with HBGary Federal.”

Glenn Greenwald unleashed both barrels of his own, claiming that “what is set forth in these proposal… quite possibly constitutes serious crimes. Manufacturing and submitting fake documents with the intent they be published likely constitutes forgery and fraud. Threatening the careers of journalists and activists in order to force them to be silent is possibly extortion and, depending on the specific means to be used, constitutes other crimes as well. Attacking WikiLeaks’ computer infrastructure in an attempt to compromise their sources undoubtedly violates numerous cyber laws.”

How did Barr, a man with long experience in security and intelligence, come to spend his days as a CEO e-stalking clients and their wives on Facebook? Why did he start performing “reconnaissance” on the largest nuclear power company in the United States? Why did he suggest pressuring corporate critics to shut up, even as he privately insisted that corporations “suck the lifeblood out of humanity”? And why did he launch his ill-fated investigation into Anonymous, one which may well have destroyed his company and damaged his career?

Thanks to his leaked e-mails, the downward spiral is easy enough to retrace. Barr was under tremendous pressure to bring in cash, pressure which began on Nov. 23, 2009.

“A” players attract “A” players

That’s when Barr started the CEO job at HBGary Federal. Its parent company, the security firm HBGary, wanted a separate firm to handle government work and the clearances that went with it, and Barr was brought in from Northrup Grumman to launch the operation.

In an e-mail announcing Barr’s move, HBGary CEO Greg Hoglund told his company that “these two are A+ players in the DoD contracting space and are able to ‘walk the halls’ in customer spaces. Some very big players made offers to Ted and Aaron last week, and instead they chose HBGary. This reflects extremely well on our company. ‘A’ players attract ‘A’ players.”

Barr at first loved the job. In December, he sent an e-mail at 1:30am; it was the “3rd night in a row I have woken up in the middle of the night and can’t sleep because my mind is racing. It’s nice to be excited about work, but I need some sleep.”

Barr had a huge list of contacts, but turning those contacts into contracts for government work with a fledgling company proved challenging. Less than a year into the job, HBGary Federal looked like it might go bust.

On Oct. 3, 2010, HBGary CEO Greg Hoglund told Aaron that “we should have a pow-wow about the future of HBGary Federal. [HBGary President] Penny and I both agree that it hasn’t really been a success… You guys are basically out of money and none of the work you had planned has come in.”

Aaron agreed. “This has not worked out as any of us have planned to date and we are nearly out of money,” he said.

While he worked on government contracts, Barr drummed up a little business doing social media training for corporations using, in one of his slides, a bit of research into one Steven Paul Jobs.

Steve Jobs is certainly cool with this

The training sessions, following the old “scare the sh*t out of them” approach, showed people just how simple it was to dredge up personal information by correlating data from Facebook, LinkedIn, Twitter and more. At $1,000 per person, the training could pull in tens of thousands of dollars a day, but it was sporadic. More was needed; contracts were needed, preferably multi-year ones.

Social media training bill

The parent company also had issues. A few weeks after the discussions about closing up HBGary Federal, HBGary President Penny Leavy-Hoglund (Greg’s wife), sent an e-mail to her sales team, telling them “to work a quota and to bring in revenue in a timely manner. It’s not ‘optional’ as to when it needs to close, if you haven’t met your number, the closing needs to happen now, not later. You need to live, eat, breath and ensure you meet your number, not kind of hit it, MEET IT… Guys, no one is making their quota.”

She concluded darkly, “I have some serious doubts about some people’s ability to do their job. There will be changes coming shortly and those decisions will be new people’s to make.”

And then, unexpectedly, came the hope of salvation.

“Bond, Q, and Monneypenny”

By October 2010, Barr was under considerable stress. His CEO job was under threat, and the e-mails show that the specter of divorce loomed over his personal life.

On Oct. 19, a note arrived. HBGary Federal might be able to provide part of “a complete intelligence solution to a law firm that approached us.” That law firm was DC-based powerhouse Hunton & Williams, which boasted 1,000 attorneys and terrific contacts. They had a client who wanted to do a little corporate investigative work, and three small security firms thought they might band together to win the deal.

Team Themis logo

Palantir would provide its expensive link analysis software running on a hosted server, while Berico would “prime the contract supplying the project management, development resources and process/methodology development.” HBGary Federal would come alongside to provide “digital intelligence collection” and “social media exploitation” — Barr’s strengths.

Team Themis logo

The three companies needed a name for their joint operation. One early suggestion: a “Corporate Threat Analysis Cell.” Eventually, a sexier name was chosen: Team Themis.

Barr went to work immediately, tracking down all the information he could find on the team’s H&W contact. This was the result of few hours’ work:

A bit of what I have on [redacted]. He was hard to find on Facebook as he has taken some precautions to be found. He isn’t even linked with his wife but I found him. I also have a list of his friends and have defined an angle if I was to target him. He has attachment to UVA, a member of multiple associations dealing with IP, e-discovery, and nearly all of this facebook friends are of people from high school. So I would hit him from one of these three angles. I am tempted to create a person from his highschool and send him a request, but that might be overstepping it. I don’t want to embarrass him, so I think I will just talk about it and he can decide for himself if I would have been successful or not.

Team Themis didn’t quite understand what H&W wanted them to do, so Barr’s example was simply a way to show “expertise.” But it soon became clear what this was about: the U.S. Chamber of Commerce wanted to know if certain groups attacking them were “astroturf” groups funded by the large unions.

“They further suspect that most of the actions and coordination take place through online means — forums, blogs, message boards, social networking and other parts of the ‘deep web,’” a team member explained later. “But they want to marry those online, ‘cyber’ sources with traditional open source data-tax records, fundraising records, donation records, letters of incorporation, etc. I believe they want to trace all the way from board structure down to the individuals carrying out actions.”

H&W was putting together a proposal for the Chamber, work that Team Themis hoped to win. (It remains unclear how much the Chamber knew about any of this; it claimed later never to have paid a cent either to Team Themis or to H&W in this matter.)

Barr’s plan was to dig up data from background checks, LexisNexis, LinkedIn, Facebook, Twitter, blogs, forums and web searches and dump it into Palantir for analysis. Hopefully, the tool could shed light on connections between the various anti-Chamber forces.

An early version of the Team Themis goal

Once that was done, Team Themis staffers could start churning out intelligence reports for the Chamber. The team wrote up a set of “sample reports” filled with action ideas like:

Create a false document, perhaps highlighting periodical financial information, and monitor to see if U.S. Chamber Watch acquires it. Afterward, present explicit evidence proving that such transactions never occurred. Also, create a fake insider persona and generate communications with [union-backed Change to Win]. Afterward, release the actual documents at a specified time and explain the activity as a CtW contrived operation.

If needed, create two fake insider personas, using one as leverage to discredit the other while confirming the legitimacy of the second. Such work is complicated, but a well-thought out approach will give way to a variety of strategies that can sufficiently aid the formation of vetting questions U.S. Chamber Watch will likely ask.

Create a humor piece about the leaders of CtW.

The whole team had been infected with some kind of spy movie virus, one which led them to think in terms of military intelligence operations and ham-handed attacks. The attitude could be seen in e-mails which exhorted Team Themis to “make [H&W] think that we are Bond, Q, and Moneypenny all packaged up with a bow.”

Two million a month

But what to charge for this cloak-and-dagger work? Some team members worried that the asking price for an initial deployment was too high for H&W; someone else fired back, “Their client is loaded!” Besides, that money would buy access to Palantir, Berico, and “super sleuth Aaron Barr.”

Barr's investigation in an H&W partner

As the Team Themis proposal went to one of the top H&W lawyers for potential approval, Barr continued his social media dumpster diving. He dug up information on H&W employees, Chamber opponents, even the H&W partner whose approval was needed to move this proposal forward. That last bit of data collection, which Barr sent on to H&W, led to the e-mail about how it might “freak out” the partner.

Barr’s investigation in an H&W partner

If the deal came through, Barr told his HBGary colleagues, it might salvage the HBGary Federal business. “This will put us in a healthy position to chart our direction with a healthy war chest,” he wrote.

Indeed it would; Team Themis decided to ask for $2 million per month, for six months, for the first phase of the project, putting $500,000 to $700,000 per month in HBGary Federal’s pocket.

But the three companies disagreed about how to split the pie. In the end, Palantir agreed to take less money, but that decision had to go “way up the chain (as you can imagine),” wrote the Palantir contact for Team Themis. “The short of it is that we got approval from Dr. Karp and the Board to go ahead with the modified 40/30/30 breakdown proposed. These were not fun conversations, but we are committed to this team and we can optimize the cost structure in the long term (let’s demonstrate success and then take over this market ).”

The leaders at the very top of Palantir were aware of the Team Themis work, though the details of what was being proposed by Barr may well have escaped their notice. Palantir wasn’t kidding around with this contract; if selected by H&W and the Chamber, Palantir planned to staff the project with an experienced intelligence operative, a man who “ran the foreign fighter campaign on the Syrian border in 2005 to stop the flow of suicide bombers into Baghdad and helped to ensure a successful Iraqi election. As a commander, [he] ran the entire intelligence cycle: identified high-level terrorists, planned missions to kill or capture them, led the missions personally, then exploited the intelligence and evidence gathered on target to defeat broader enemy networks.”

(Update: a reader points to additional emails which suggest that the “foreign fighter campaign” operative would not actually be working on the Team Themis project. Instead, Berico and Palantir would list him and another top person as “key personnel,” drawing on their “creds to show our strengths,” but might actually staff the project with others.)

“I don’t think we can make it any further”

But the cash, which “will seem like money falling from the sky for those of us used to working in the govt sector,” was not forthcoming. H&W didn’t make a decision in November. Barr began to worry.

“All things we are chasing continue to get pushed to the right or just hang in limbo,” he wrote. “I don’t think we can make it any further. We are behind in our taxes trying to keep us afloat until a few things came through, but they are not happening fast enough.” He noted that Palantir was asking “way too much money” from H&W.

As the weeks dragged on, Team Themis decided to lower its price. It sent an e-mail to H&W, saying that the three companies were “prepared to offer our services as Team Themis at a significantly lower cost (much closer to the original “Phase I” proposed costs). Does this sound like a more reasonable range in terms of pricing?”

But before H&W made a decision on Chamber of Commerce plan, it had another urgent request for Team Themis: a major U.S. bank had come to H&W seeking help against WikiLeaks (the bank has been widely assumed to be Bank of America, which has long been rumored to be a future WikiLeaks target.)

“We want to sell this team as part of what we are talking about,” said the team’s H&W contact. “I need a favor. I need five to six slides on Wikileaks — who they are, how they operate and how this group may help this bank. Please advise if you can help get me something ASAP. My call is at noon.”