Bleeping Computer writes that SolarLeaks (solarleaks [.] Net) has appeared on the network, where unknown persons sell data that was allegedly stolen from Microsoft, Cisco, FireEye and SolarWinds during a recent attack on the supply chain .
Let me remind you that in December 2020 it became known that unknown attackers attacked SolarWinds and infected its Orion platform with malware. Of the 300,000 SolarWinds customers, only 33,000 were using Orion, and the infected version of the platform was installed on approximately 18,000 customers, according to official figures.
As a result, the victims included such giants as Microsoft, Cisco, FireEye, as well as many US government agencies, including the State Department and the National Nuclear Security Administration.
In early January, the FBI, NSA, CISA and ODNI issued a joint statement according to which an unnamed APT group of “probably Russian origin” was behind the massive attack. The SolarWinds hack itself was described by officials as “an attempt to gather intelligence.”
Now unknown persons report that they are ready to sell the following stolen data:
- $ 600,000: Microsoft Windows source code and other data from the company’s repositories (2.6 GB);
- $ 500,000: source codes for various Cisco products and an internal bug tracker dump (1.7 GB);
- $ 50,000: private red team FireEye tools, source codes, binaries and documentation (39 MB);
- $ 250,000: SolarWinds product source code (including Orion) and customer portal dump (612 MB).
Hackers offer to buy all this data in bulk for one million dollars. In addition, the site operators act like the well-known hack group The Shadow Brokers and write that at first the stolen information will be sold in batches, and later it will be freely published in the public domain.
It should be noted that if Microsoft representatives previously confirmed that attackers could steal the source codes, then Cisco announced that it has no evidence of theft of its intellectual property.
Interestingly, the solarleaks [.] Net domain is registered through the NJALLA registrar, which is popular with hackers. So, when you try to look at WHOIS, you can see the message “You can get no info”.
It is not yet known whether the site operators actually have the data they are writing about, or if SolarLeaks is just a very ambitious scam attempt. Journalists attempted to contact the attackers at the email address indicated on the website, but it turned out that it did not exist.