SolarWinds aftermath continues with SolarLeaks
Earlier this week a website presumably owned by the actors behind the SolarWinds breach surfaced, claiming to be selling data obtained using the SolarWinds backdoor.
The site, using the domain solarleaks.net, displays only a PGP signed message, in which the actors share links to download the stolen information, which has already been encrypted. The message was signed on the 12th of January, using the RSA key 24516C2E1CC7890832771178E2C73BC53B9118A0.
The domain solarleaks.net was registered on the 11th of January in the afternoon, and has a sister domain located on the dark web, presumably to provide access in case of a takedown:
$ whois solarleaks.net ↵ 1
Domain Name: SOLARLEAKS.NET
Registry Domain ID: 2584153959_DOMAIN_NET-VRSN
Registrar WHOIS Server: whois.tucows.com
Registrar URL: http://www.tucows.com
Updated Date: 2021-01-11T20:44:27Z
Creation Date: 2021-01-11T20:44:26Z
Registry Expiry Date: 2022-01-11T20:44:26Z
Registrar: Tucows Domains Inc.
Registrar Abuse Contact Email:
Registrar Abuse Contact Phone:
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Name Server: 1-YOU.NJALLA.NO
Name Server: 2-CAN.NJALLA.IN
Name Server: 3-GET.NJALLA.FO
Among the files offered, there is source code for Microsoft Windows, Cisco, and SolarWinds, as well as FireEye’s private redteam tools, sources, and documentation, and the message promises that there is more to come.
On the 12th of January, Cisco provided a response in their FAQ page regarding the Solarwinds incident, in which they state [1] they haven’t found any traces of an intrusion yet:
Q: Is Cisco aware of alleged stolen source code on a website solarleaks[.]net?
Cisco is aware of this website and has no evidence at this time of any theft of intellectual property related to recent events. We are committed to transparency and should we find information our customers need to be aware of, we will share it through our established channels.
The encrypted files, which were hosted on the cloud storage and file sharing site Mega, are no longer available.
Update 14/01/2021: The authors of the website have published an update in which they offer proof of life to “serious buyers” in exchange for 100 XMR (about $16k USD). The PoF includes file metadata (such as content listing), and the SolarWinds customer portal database.
At the end of the message, the authors also included a hash that is supposed to be related to how they stole this data:
25b23446e6c29a8a1a0aac37fc3b65543fae4a7a385ac88dc3a5a3b1f42e6a9e
The message, signed on the 13th of January using the same key they used to sign the original, can be read here, and the original message is below it:
—–BEGIN PGP SIGNED MESSAGE—–
Welcome to solarleaks.net (mirror: 5bpasg2kotxllmzsv6swwydbojnfuvfb7d6363pwe5wrzhjyn2ptvdqd.onion)
We are putting data found during our recent adventure for sale.
[Microsoft Windows (partial) source code and various Microsoft repositories]
data: msft.tgz.enc (2.6G)
link: https://mega.nz/file/1ehgSSpD#nrtzQwh-qyCaUHBXo2qQ1dNbWiyVHCvg8J0As8VjrX0
[Cisco multiple products source code + internal bugtracker dump]
data: csco.tgz.enc (1.7G)
link: https://mega.nz/file/sSgQmJLT#NqaaYXsFkASwAc51lcjBnWjP4zrbqiN-XQ7GVZGbL_o
[SolarWinds products source code (all including Orion) + customer portal dump]
link: https://mega.nz/file/xawhBQgJ#f3X6lPORF16wh-O9GiNVMVDZ6rxRKX64_XVR5y9KpFM
[FireEye private redteam tools, source code, binaries and documentation]
link: https://mega.nz/file/hOBnVYjL#l3qojAvaFWtYtcB3vX4ZABG3tBLGyhJarBBbYaHnM-0
[More to come in the next weeks]
ALL LEAKED DATA FOR 1,000,000 USD (+ bonus)
Data is encrypted with strong key.
Q: Is this really happening? Can you provide proof?
A: We aren’t fully done yet and we want to preserve the most of our current access. Consider this a first batch.
Q: I’m [vendor] and want my data back?
Q: Why not leak it for free?
A: Nothing comes free in this world.
A: Contact us for more information.
UPDATE: We received too many messages at the moment and can’t reply to everyone in a timely fashion.
Also, we are being censored as we speak and must act quickly. Our main and backup email addresses has been shut down.
We understand you want more information but we can’t give away data for free. That would be an insult to our trusted buyers.
However we can provide sample data (for all leaks + bonus) as proof of ownership.
As we are considering serious partners only, this is how we will be dealing with inquiries:
Send exactly 100 XMR to the address below, add a payment id with your email address so we can contact you back. You should encode your email address as 32 bytes data in the payment id.
486FSvAbzo9X3PPvoP5xoBb1iVewDqhJ44MCRuUW8BCsJ8TuiSyiaW4ZwLGLJJ1UTgRDUSi6X9cwwJjMF594Dd31P97Sx4o
The payment id part is very important because this is our only way to contact you back (protonmail decided to shut us down). Only a matter of time before this website goes down too.
We will then discuss with another private email address (we will use the same gpg key 24516C2E1CC7890832771178E2C73BC53B9118A0).
This payment will be considered a small down payment, which will be substracted to your final purchase. We won’t refund if you’re not interested in the data after seeing the archive content.
What will you get? Sample data contains all of the archives metadata (content listing) + SolarWinds customer portal SQL dump as a gift.
NO NEGOTIATION. Don’t waste our time. We will be in touch after your first confirmed payment.
Some hints on how we got our data:
25b23446e6c29a8a1a0aac37fc3b65543fae4a7a385ac88dc3a5a3b1f42e6a9e
People with knowledge will know.
iQEzBAEBCAAdFiEEJFFsLhzHiQgydxF44sc7xTuRGKAFAl/+6kkACgkQ4sc7xTuR
GKBtBgf/YdTgNcacc+akoNQjW7thmAcjaTWNo5RhAn+7YblwBhiF4mlgjuyilHCH
bhL8S5oL8keoa1WNQ1DSZZHtbYO6iF+iMpEcbfnUWSUeIED7/WN8ffD1hFE/soi8
LZ7gpyvuTD5zz9Maw/JKeHk9sCqo2O9IODV5YZrCzX+eBI5wvW8ub65NhwXdUfX1
nNLz5v23vShovf9bbV/tPcuVf7fIns5Lq9I3ndKiqV68u39qXvChDh1PwNikjdUp
TdkXG293BMry3lJVAzL3YRWQrXzr0YL9nBzf5PTjflu4m4RBeeyDXDcMtMY/VS/n
DQag3iEcETK7RuMrqmSatj/Ti31RDg==
Original message:
—–BEGIN PGP SIGNED MESSAGE—–
Welcome to solarleaks.net (mirror: 5bpasg2kotxllmzsv6swwydbojnfuvfb7d6363pwe5wrzhjyn2ptvdqd.onion)
We are putting data found during our recent adventure for sale.
[Microsoft Windows (partial) source code and various Microsoft repositories]
data: msft.tgz.enc (2.6G)
link: https://mega.nz/file/1ehgSSpD#nrtzQwh-qyCaUHBXo2qQ1dNbWiyVHCvg8J0As8VjrX0
[Cisco multiple products source code + internal bugtracker dump]
data: csco.tgz.enc (1.7G)
link: https://mega.nz/file/sSgQmJLT#NqaaYXsFkASwAc51lcjBnWjP4zrbqiN-XQ7GVZGbL_o
[SolarWinds products source code (all including Orion) + customer portal dump]
link: https://mega.nz/file/xawhBQgJ#f3X6lPORF16wh-O9GiNVMVDZ6rxRKX64_XVR5y9KpFM
[FireEye private redteam tools, source code, binaries and documentation]
link: https://mega.nz/file/hOBnVYjL#l3qojAvaFWtYtcB3vX4ZABG3tBLGyhJarBBbYaHnM-0
[More to come in the next weeks]
ALL LEAKED DATA FOR 1,000,000 USD (+ bonus)
Data is encrypted with strong key.
Serious buyers only: solarleaks@protonmail.com
Q: Is this really happening? Can you provide proof?
A: We aren’t fully done yet and we want to preserve the most of our current access. Consider this a first batch.
Q: I’m [vendor] and want my data back?
Q: Why not leak it for free?
A: Nothing comes free in this world.
A: Contact us for more information.
iQEzBAEBCAAdFiEEJFFsLhzHiQgydxF44sc7xTuRGKAFAl/9yCsACgkQ4sc7xTuR
GKC/NwgAk/KZ9id9++Fi68M10rzd9uiC2DKTEX+qgJ9kEIASIvB/vh1uaS/mRZnj
GHf7I8D69zyI6FYlbndDN3DH6VUA21gD2dYxj7q79RpERQwV4PAO0iYRFBp0e3ho
nezYmVMMxB1GSsd+6AcdybLRJ1dmeIDB/mWnNa4S0jf45IkIw8/6j5965QxKlXBb
QlUShGTNom60BgpUOq7ud1ocH8c+HXbQdZpJ2LCq+CrQ+KuktMCsKUc1uydvTfDH
9zyjUtb3H9TC+zVugN3ANhtjDq0cIdOJQQ4vaGhnvLnXIDMvNQ1B4wxK+Ij50M8u
HD6LF0GUszJaNBdKylQaPV78sGqu3Q==
[1] https://tools.cisco.com/security/center/resources/solarwinds_orion_event_response
