SolarWinds aftermath continues with SolarLeaks
Earlier this week, a website presumably operated by the actors behind the SolarWinds breach surfaced, claiming to sell data obtained through the SolarWinds backdoor.
The site, hosted on the domain solarleaks.net, displays only a PGP-signed message in which the actors share download links for the stolen data, which is offered in encrypted form. The message was signed on the 12th of January with the RSA key whose fingerprint is 24516C2E1CC7890832771178E2C73BC53B9118A0.
The domain solarleaks.net was registered on the 11th of January in the afternoon, and has a sister domain located on the dark web, presumably to provide access in case of a takedown:
The encrypted files, which were hosted on the cloud storage and file-sharing site Mega, are no longer available.
Update 14/01/2021: The authors of the website have published an update in which they offer proof of life to “serious buyers” in exchange for 100 XMR (about $16k USD). This proof includes file metadata (such as a content listing) and the SolarWinds customer portal database.
At the end of the message, the authors also included a hash that is supposedly related to how they stole this data: