Cyber Incident Victim: Hewlett Packard Enterprise
Date: Oct 2014
Location: United States of America
Summary
A technology company inadvertently signed malware with its digital certificate after an infected developer's computer accidentally included the malicious code in a legitimate software package, though the malware was not distributed to customers through official channels. The certificate itself remained uncompromised, as confirmed by the company's investigation following an alert from a security firm. The revocation of the affected certificate will necessitate reissuing numerous software packages with new signatures, potentially causing installation warnings for users attempting reinstalls from original media while leaving existing installations unaffected. The full consequences of the revocation remain pending its formal implementation.
Description
In October 2014, Hewlett-Packard (HP) announced it would revoke a digital certificate after discovering it had been used to sign malware. The issue came to light when Symantec alerted HP to a four-year-old Windows Trojan bearing the company’s valid digital signature. HP’s investigation revealed that the malware had infected a developer’s computer within the organization. During routine software signing processes, the Trojan was inadvertently included in a legitimate software package and received HP’s digital signature. The signed malware then transmitted itself back to its command-and-control server, enabling further distribution across the internet with HP’s trusted certificate. HP Global Chief Information Security Officer Brett Wahlin emphasized that the company’s certificate authority and code-signing infrastructure remained uncompromised, attributing the incident solely to the infected developer’s system. The malware was never distributed to HP customers through official software channels.

The certificate revocation, scheduled for October 21 through Verisign, required HP to re-sign and reissue numerous affected software packages, including hardware drivers critical for older HP systems. While existing installations remained functional, users reinstalling software from original media would encounter certificate warnings post-revocation. HP notified customers about the impending revocation but could not fully assess the operational impact until after the certificate was invalidated. The incident underscored risks associated with code-signing processes, particularly when malware infiltrates development environments. HP did not disclose the number of systems infected by the signed Trojan or specify remediation steps beyond certificate replacement. The company maintained public assurances about its infrastructure security while managing logistical challenges tied to re-signing its software catalog.
