Bleeping Computer reports the discovery of the SolarLeaks website (solarleaks[.]net), where unidentified individuals claim to be selling data allegedly stolen from SolarWinds, Microsoft, Cisco, and FireEye during a recent supply chain attack.
Just to recap, in December 2020, it was revealed that unknown hackers attacked SolarWinds, infecting its Orion platform with malware. Out of the 300,000 SolarWinds customers, only 33,000 were using Orion, and the compromised version of the platform was installed on approximately 18,000 customers’ machines, according to official figures.
As a result, victims included major entities such as Microsoft, Cisco, and FireEye, as well as numerous US government agencies, including the US Department of State and the National Nuclear Security Administration.
In early January, the FBI, NSA, CISA, and ODNI issued a joint statement indicating that an unnamed APT group of “probably Russian origin” was responsible for the extensive attack. The SolarWinds hack was described by officials as “an attempt to gather intelligence.”
Now, the unknown individuals claim to be ready to sell the following stolen data:
- $600,000: Microsoft Windows source code and other data from the company’s repositories (2.6 GB);
- $500,000: source code of various Cisco products and an internal bug tracker dump (1.7 GB);
- $50,000: FireEye’s private red team tools, source code, binaries, and documentation (39 MB);
- $250,000: SolarWinds product source code (including Orion) and customer portal dump (612 MB).
The hackers offer to sell all this data in bulk for one million dollars. Additionally, the site operators imitate the well-known hacking group The Shadow Brokers, stating that the stolen information will initially be sold in batches and later published freely in the public domain.
It’s noteworthy that while Microsoft representatives previously confirmed the possibility of source code theft, Cisco announced that it had no evidence of any theft of its intellectual property. The solarleaks[.]net domain is registered through the NJALLA registrar, which is popular with hackers. Attempting to check its WHOIS information returns the message “You can get no info”.
It remains unknown whether the site operators actually possess the data they claim to have, or whether SolarLeaks is an ambitious scam attempt. Journalists attempted to contact the attackers using the email address provided on the website, but it turned out not to exist.