'SolarLeaks' Site Claims to Offer Attack Victims' DataAdvertised: Unverified Cache of Stolen Microsoft, Cisco, FireEye and SolarWinds Data
A new leaks site claims to be selling data from Cisco, FireEye, Microsoft and SolarWinds that was stolen via the SolarWinds supply chain attack.
While all four organizations are confirmed victims, security experts question whether the offer is legitimate and note that it parallels previous efforts, including by Russia, designed to foil hack attack attribution.
The appearance of the leaks website comes just four weeks after cybersecurity firm FireEye discovered and issued a public alert, warning that Texas-based SolarWinds' Orion network monitoring software had been backdoored as part of a sophisticated, monthslong campaign.
Subsequently, numerous Orion-using organizations have confirmed that they were victims of second-stage attacks, launched by hackers who accessed the Orion backdoor - dubbed "Sunburst" - that may have compromised data and led to further compromises. Confirmed second-stage victims include, among others, FireEye, Microsoft and up to 10 U.S. government agencies, including the Department of Justice and branches of the Pentagon, as well as the Commerce, Homeland Security, State, Energy and Treasury departments.
The new leaks website, solarleaks.net, contains a single text file, via which the operator claims to be selling four batches of stolen data from Cisco, FireEye, Microsoft and SolarWinds, with each victim's batch retailing for between $50,000 and $600,000. The site also offers to sell "all leaked data for $1 million," as well as to include an unnamed bonus. Would-be buyers are directed to email "email@example.com" - an email address registered with ProtonMail, a free, encrypted email service. Emails sent to that address, however, bounced back as being undeliverable.
The site is available via the internet and mirrored as a .onion site reachable only via the anonymizing Tor browser.
Here's what the site claims is on offer:
|"Microsoft Windows (partial) source code and various Microsoft repositories"
|"Multiple products' source code and internal bugtracker dump"
|Source code for all products - including Orion - as well as a "customer portal dump"
|Private "red team tools," plus "source code, binaries and documentation"
Each of the four listings includes a link to an archive stored on the Mega file-sharing service, which the site says has been "encrypted with strong key," thus suggesting that buyers would receive a decryption key enabling them to unseal the archives.
As of Wednesday, Mega had removed all four files from its service. But they're likely already circulating via BitTorrent sites for posterity.
Additional information posted to the leaks site states that the site isn't including information from any additional victims, but will do so in the future. "We aren't fully done yet and we want to preserve the most of our current access," the site reads. "Consider this a first batch."
Cisco: 'No Evidence … of Any Theft'
Is the content being offered legitimate?
"The SolarLeaks site claiming to sell the commercially valuable elements harvested from Microsoft, Cisco, et al. is very good at their OPSEC but content for sale has yet to be verified," tweets cybercrime expert Alan Woodward, a visiting professor of computer science at England's University of Surrey.
“We are aware of the reports indicating that SolarWinds product and customer portal data is for sale," a SolarWinds spokesman tells Information Security Media Group. "We are currently investigating the legitimacy of the post and site and sharing information with law enforcement.”
A FireEye spokeswoman tells ISMG: "We are aware of a website purporting to have confidential information related to the attack. We are looking into the situation, but at this time there is no evidence their claims are valid, and we are continuing to investigate."
Cisco has cast doubt on the veracity of the leaks site. "Cisco is aware of this website and has no evidence at this time of any theft of intellectual property related to recent events," Cisco says in an update on its investigation. "We are committed to transparency, and should we find information our customers need to be aware of, we will share it through our established channels."
Cisco has confirmed that it has used SolarWinds' Orion software and that it was running some versions that contained the Sunburst backdoor.
"To date, Cisco has isolated and removed the small number of Orion installations based on the data available," it says. "At this time, there is no known impact to Cisco products, services, or to any customer data," nor any signs that "customer data has been exposed as a result of this incident."
Microsoft could not be immediately reached for comment.
Potential Impetus: 'Attribution Misdirection'
Offering stolen information for sale in this manner mirrors previous efforts - many attributed to Russian intelligence - designed to disrupt Western democracy, sow chaos, leave false flags and make victims look inept.
Examples include the use of the Guccifer 2.0 cutout to disseminate stolen Democratic National Committee data in advance of the 2016 U.S. election, which intelligence officials traced to Russia's military intelligence agency, the GRU, and its "Fancy Bear," aka APT28, hacking team. Another example: Shadow Brokers, which possessed attack tools stolen from the National Security Agency, which the group claimed to want to sell or auction. Officials say that also appears to have been a Russian operation.
Looking at the SolarLeaks site, "the alleged sale is only for things that are commercially interesting, not data of intelligence value. The fact that no intelligence data - Treasury, Commerce, etc. - was offered for suggests this could be the real group," tweets Jake Williams (@MalwareJake), president of cybersecurity consultancy Rendition Infosec and a former member of the NSA's elite hacking team.
"At these prices, nobody is buying any of this commercial data, so still I'm leaning toward attribution misdirection," says Williams, who's previously spoken at the Black Hat Europe conference on false flag hacking operations.
There's no meat on this bone until more is released. The only takeaways are:— Jake Williams (@MalwareJake) January 12, 2021
1. We've seen Russian threat actors use this type of misdirection before to muddy attribution
2. You shouldn't fall for it
That's it. That's the whole story. 2/2
As Bleeping Computer has reported, whoever is behind the SolarLeaks site appears to already be taunting researchers. Notably, the site - created on Monday - embeds this message in its domain information listing, in the form of its nameservers: "You can get no info."
In addition, the site was registered via Njalla, a registrar that has been previously used by Russia's Fancy Bear and Cozy Bear, aka APT29, hacking teams, notes Rickey Gevers, a security researcher at Bitdefender.
The domain is 1 day old and registered through NJALLA. Njalla is a preferred registrar from Fancy Bear and Cozy Bear. This alone already shows the people behind this website have at least a little knowledge about Russian MO.— Rickey Gevers (@UID_) January 12, 2021
Gevers notes that whoever is running the leaks site is "mimicking the Shadow Brokers."
SolarWinds, working with law enforcement and intelligence agencies, says it's continuing to probe the breach and subsequent supply chain attack. The U.S. government's investigation is being led by the FBI, with the U.S. Cybersecurity and Infrastructure Security Agency providing incident response for the public and private sector and the Office of the Director of National Intelligence coordinating with the intelligence community.
On Monday, SolarWinds CEO Sudhakar Ramakrishna published a blog post detailing the company's latest findings.
Ramakrishna said that the company's internal investigation, being led by CrowdStrike and KPMG, found that attackers had breached SolarWinds' infrastructure by September 2019. By February 2020, attackers began injecting an implant - dubbed "Sunspot" - into SolarWinds' Orion software-build process, which was designed to install Sunburst. Backdoored software was shipped to customers beginning in March of last year and was still being used when the breach was discovered last month.
Up to 18,000 customers were running the backdoored software, although investigators suspect that only a few hundred were subjected to second-stage attacks.
The U.S. intelligence community and other officials say the attack appears to trace to Russia, and likely Russia's SVR foreign intelligence service, as part of an espionage operation.
One U.S. intelligence official says the imperative now is to move beyond basic attribution questions, which are a policy matter for the White House, and to try to catalog everything that may have been stolen.
"I believe it was the Russians and I think that will vet itself out in the future," William Evanina, director of the ODNI's National Counterintelligence and Security Center, told The Washington Post in a Tuesday interview that was broadcast live.
"We have to really - in my space - pivot away from whether it was the Russians or who it was," he added, saying the focus needs to shift toward: "What did they do? ... What were they seeking? Let's remember that the first rule of espionage is to identify the plans and intentions of foreign leaders and their governments. And I think that's what we see here."
Evanina said the list of known victims seems set to grow. "I think you'll also see some more private sector companies that have been affected," he said. "The hard part for the investigators is we don't know what we don't know."