Attackers who claim they are responsible for the supply chain attack on SolarWinds, a Texas company, say they have data they want to sell from their exploits.
Allegedly obtained from Microsoft, Cisco, SolarWinds and FireEye, the SolarLeaks website offers source code. “In a 2.6 Gb file, the information allegedly taken from Microsoft, offered for $600,000, is contained and the seller claims that it includes partial Windows source code and “different Microsoft repositories.
While all four organizations are confirmed victims, security experts question whether the offer is legitimate and note that it parallels previous efforts, including by Russia, designed to foil hack attack attribution.
The appearance of the website leaks comes just four weeks after a public alert was discovered and issued by cybersecurity firm FireEye, warning that as part of a sophisticated, month-long campaign, Texas-based SolarWinds’ Orion network monitoring software had been backdoored.
The new website for leaks, solarleaks.net, contains a single text file through which the operator claims to sell four batches of stolen data from Cisco, FireEye, Microsoft and SolarWinds, with the batch retailing for each victim for between $50,000 and $600,000. The website also offers the sale of “all leaked data for $1 million,” as well as an unnamed bonus.
Would-be buyers are directed to email “[email protected]” – an email address registered with ProtonMail, a free, encrypted email service. Emails sent to that address, however, bounced back as being undeliverable.
The site is available via the internet and mirrored as a .onion site reachable only via the anonymizing Tor browser.
This is what the site offers for the sale :
|Microsoft||“Microsoft Windows (partial) source code and various Microsoft repositories”||2.6GB||$600,000|
|Cisco||“Multiple products’ source code and internal bug tracker dump”||1.7GB||$500,000|
|SolarWinds||Source code for all products – including Orion – as well as a “customer portal dump”||612MB||$250,000|
|FireEye||Private “red team tools,” plus “source code, binaries and documentation”||39MB||$50,000|
Each of the four listings includes a link to an archive that the site says has been “encrypted with a strong key,” stored on the Mega file-sharing service, suggesting that buyers would receive a decryption key that would allow them to unseal the archives.
Mega had removed all four files from its service as of Wednesday. But they are probably already circulating for posterity via BitTorrent sites.
Additional information posted to the site of the leak states that the site isn’t including information from any additional victims, but will do so in the future. “We aren’t fully done yet and we want to preserve the most of our current access,” the site reads. “Consider this the first batch.”
Microsoft recently acknowledged that the SolarWinds attackers were targeted and admitted that they had access to some source code, but the tech giant reported that the incident was not a security risk to services or customer data.
The company admitted that SolarWinds products were found on a “small number” of its systems, but said it did not use SolarWinds solutions for enterprise network management. Cisco said it was aware of the SolarLeaks website, but claimed it “has no evidence at this time of any theft of intellectual property related to recent events.”
“At this time, there is no known impact to Cisco products, services, or to any customer data,” Cisco said in an advisory.
While some members of the cybersecurity industry believe SolarLeaks is likely a scam, others believe the seller could really possess the files they are offering.
Looking at the SolarLeaks site, “the alleged sale is only for things that are commercially interesting, not data of intelligence value. The fact that no intelligence data – Treasury, Commerce, etc. – was offered for suggests this could be the real group,” tweets Jake Williams (@MalwareJake), president of cybersecurity consultancy Rendition Infosec and a former member of the NSA’s elite hacking team.
As Bleeping Computer has reported, whoever is behind the SolarLeaks site appears to already be taunting researchers. Notably, the site – created on Monday – embeds this message in its domain information listing, in the form of its nameservers: “You can get no info.”
On Monday, SolarWinds CEO Sudhakar Ramakrishna published a blog post detailing the company’s latest findings.
SolarWinds, working with law enforcement and intelligence agencies, says the breach and subsequent supply chain attack are continuing to be investigated. The investigation by the U.S. government is being led by the FBI, with the U.S. The Cybersecurity and Infrastructure Security Department provides public and private sector incident management services and the National Intelligence Director’s Office communicates with the intelligence community.