In the aftermath of the notorious SolarWinds breach, occurring in mid-December 2020, a malicious website was observed on 12 January 2021. Presumably linked to the threat actors behind the original supply chain attack, it purports to offer stolen data from four victim companies for sale:
- Cisco - Source code for multiple products and an alleged 'bug tracker' dump;
- FireEye - Red Team tools, source code, binaries and documentation;
- Microsoft - Proprietary source code;
- SolarWinds - Product source code (including Orion) and a customer portal dump.
Beyond the above, no file listings, screenshots or other detailed 'proof' have been provided, although links to four encrypted archive files, one for each alleged victim organization, were uploaded to the popular file-sharing service 'Mega' (since taken down) and also hosted on the 'leak' domain itself.
Given that the files appear to be encrypted with an asymmetric scheme, it is not possible to validate the authenticity of the alleged leaks. In addition, the price requested by the attackers, a total of $1,000,000, has added to the suspicion among numerous researchers that these files are not genuine and that the offer is an attempt to defraud any would-be purchaser.
Furthermore, the contact email address provided on the leak domain does not appear to exist at this time, potentially because the webmail host ProtonMail has taken it down, adding further to the speculation surrounding the site.
Notably, Cyberint Research were able to acquire the 'encrypted' files in question and will continue to monitor the situation to determine if a true data theft/leak threat is present.
Seemingly first announced on Reddit at 1716hrs GMT on 12 January 2021 within the SolarWinds subreddit, r/Solarwinds, a user named u/solarleaks posted a message, since removed, claiming to have SolarWinds' data for sale along with a link to the solarleaks[.]net website (Figure 1).
Figure 1 - SolarWinds leak announcement on Reddit
This Reddit post appears to have been made one hour after configuration of the leak website was completed, as the last-modified timestamps of the site content fall between 1316hrs and 1616hrs on 12 January 2021.
For reference, a full copy of the text, including download links, is provided in Appendix A.
Based on the location of this post and the identifiers used, such as the user name and domain name, it is implied that access to this data resulted from the recent SolarWinds critical vulnerability and subsequent supply chain attack.
In order to protect the identity of those behind this supposed leak, the domain appears to be registered through 'Njalla', a privacy-aware service that accepts payment using common cryptocurrencies and has previously been favoured by Russian-nexus threat actors.
In addition to making use of their domain registration service, the website appeared to be hosted on a Njalla VPS resolving to the IP address
Somewhat amusingly, the use of this service, and their privacy mantra, can be seen when reviewing the name servers that include the 'you can get no info' message within their host names:
Threat Actor Email
Parties interested in purchasing these alleged data leaks are encouraged to contact the threat actor via email, firstname.lastname@example.org, and a PGP public key has been provided to facilitate the use of encryption in these communications.
Whilst many have speculated that this may be the work of a Russian-nexus threat actor, others have suggested that the timing, following a recent US law enforcement statement, may simply be an attempt to capitalise on interest in this incident, either for fraudulent financial gain or to imply further responsibility on the part of a foreign nation-state.
As such, Cyberint Research will continue to monitor the situation to determine if the content is indeed valid and what, if any, threat it poses to the victim organizations and others.
Indicators of Compromise
Whilst not strictly indicators of compromise (IOCs), the following network and file artefacts relate to this bulletin.
- Website message PGP signature
- ProtonMail PGP public key for 'email@example.com'
Appendix A: Website Content
The following text is as it appeared on the 'leak' website as of 12 January 2020:
-----BEGIN PGP SIGNED MESSAGE-----
Happy new year!
Welcome to solarleaks.net (mirror: 5bpasg2kotxllmzsv6swwydbojnfuvfb7d6363pwe5wrzhjyn2ptvdqd.onion)
We are putting data found during our recent adventure for sale.
[Microsoft Windows (partial) source code and various Microsoft repositories]
price: 600,000 USD
data: msft.tgz.enc (2.6G)
[Cisco multiple products source code + internal bugtracker dump]
price: 500,000 USD
data: csco.tgz.enc (1.7G)
[SolarWinds products source code (all including Orion) + customer portal dump]
price: 250,000 USD
data: swi.tgz.enc (612M)
[FireEye private redteam tools, source code, binaries and documentation]
price: 50,000 USD
data: feye.tgz.enc (39M)
[More to come in the next weeks]
ALL LEAKED DATA FOR 1,000,000 USD (+ bonus)
Data is encrypted with strong key.
Serious buyers only: firstname.lastname@example.org
Q: Is this really happening? Can you provide proof?
A: Yes and yes.
Q: Why no more details?
A: We aren't fully done yet and we want to preserve the most of our current access. Consider this a first batch.
Q: I'm [vendor] and want my data back?
A: Talk to us.
Q: Why not leak it for free?
A: Nothing comes free in this world.
Q: How to buy?
A: Contact us for more information.