Leaked Emails Reveal Morgan Stanley Hit in Aurora Attacks

Tuesday, March 01, 2011



Emails leaked in the HBGary Federal network breach reveal that financial firm Morgan Stanley was also a victim of the highly sophisticated Operation Aurora cyber attacks.

Operation Aurora targeted dozens of large firms, including Adobe, Northrop Grumman, Dow Chemical, and most famously Google.

Morgan Stanley is first financial company to be identified as being a target of the Aurora attacks which began in mid-2009.

"They were hit hard by the real Aurora attacks (not the crap in the news)," read an e-mail by a senior security engineer at HBGary, Phil Wallisch.

The leaked emails do not discuss what systems were compromised, what data may have been exposed, or the extent and duration of the unauthorized access, but the intrusion may have gone unnoticed for several months.

HBGary had been hired by Morgan Stanley in 2010 to investigate other network security events unrelated to Aurora when malicious software designed to harvest sensitive data and communications was discovered on the financial firm's systems.

HBGary Federal was in turn the target of a hacking operation conducted by the hacktivist movement known as Anonymous which resulted in the release of tens-of-thousands of company emails.

HBGary Federal's CEO Aaron Barr announced his resignation from the company in the wake of the devastating breach and subsequent criticism regarding some of the company's business practices.

Lack of mandatory reporting statutes requiring companies like Morgan Stanley to disclose system breaches and relevant details leaves consumers, investors, business partners, and clients in the dark when it comes to security events.

The Department of Health and Human Services and the Office for Civil Rights are the first agencies able to enforce mandatory reporting and notification related to network breaches under the HIPAA and HITECH regulations.

Legislative proposals are in the works that may expand mandatory reporting to sectors outside of healthcare, including for financial firms.

Possibly Related Articles:
breaches Network Security Financial Operation Aurora Mandatory Reporting HBGary Federal Morgan Stanley
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.