Bleeping Computer writes that experts have discovered the SolarLeaks website (solarleaks[.]net), where unknown persons sell data, allegedly stolen from SolarWinds, Microsoft, Cisco and FireEye during a recent attack on the supply chain.
Let me remind you that in December 2020 it became known that unknown hackers attacked SolarWinds and infected its Orion platform with malware. Of the 300,000 SolarWinds customers, only 33,000 were using Orion, and the infected version of the platform was installed on approximately 18,000 customers’ machines, according to official figures.
In early January, the FBI, NSA, CISA and ODNI issued a joint statement, according to which an unnamed APT group of “probably Russian origin” was behind the massive attack.
The SolarWinds hack itself was described by officials as “an attempt to gather intelligence.”
Now unknown persons report that they are ready to sell the following stolen data:
- $600,000: Microsoft Windows source codes and other data from the company’s repositories (2.6 GB);
- $500,000: source codes of various Cisco products and an internal bug tracker dump (1.7 GB);
- $50,000: private red team FireEye tools, source codes, binaries and documentation (39 MB);
- $250,000: SolarWinds product source code (including Orion) and customer portal dump (612 MB).
Hackers offer to buy all this data in bulk for one million dollars. In addition, the site operators act like the well-known hack group The Shadow Brokers and write that at first the stolen information will be sold in batches, and later it will be freely published in the public domain.
It is worth noting that if Microsoft representatives previously confirmed that attackers could have stolen the source codes, then Cisco announced that it had no evidence of theft of its intellectual property. Interestingly, the solarleaks[.]net domain is registered through the NJALLA registrar, which is popular with hackers. So, when you try to look at WHOIS, you can see the message “You can get no info”.
It is not yet known whether the site operators actually have the data they are writing about, or if SolarLeaks is just a very ambitious scam attempt. Journalists attempted to contact the attackers at the email address indicated on the website, but it turned out that it did not exist.