We have been consistently checking the SolarWinds hack incident since it erupted. Part of our monitoring includes consistent scans to known and infamous dark web forums that currently exist on the web. Through different media, researchers and our search, we also found and confirmed a website calling itself ‘SolarLeaks’.
In December 2020, SolarWinds disclosed that they were receiving a sophisticated cyberattack, resulting in a supply chain attack affecting 18,000 customers.
5bpasg2kotxllmzsv6swwydbojnfuvfb7d6363pwe5wrzhjyn2ptvdqd.onion
The suspects
Law enforcement organizations such as the FBI, CISA, and NASA already stated their factual suspicion that the operations were conducted by a Russian state-sponsored group of adversaries, aiming to illegally get a copy of the cloud data such as email files from their targets.
The solarleaks site that is up claims that they are the seller of the stolen data from the following victims:
- Microsoft
- Cisco
- FireEye
- Solarwinds itself
The Microsoft source code and repositories cost $600,000, Cisco for about $500,000, Solarwinds products sourcecode for $250,000, and FireEye private red-team tools, source code, binaries and documentation for $50,000.
As proof here is a screenshot from their onion site:
If anyone has $1,000,000 to spare, then this Solarleaks site group will sell all of them in as a bundle with bonuses. As of the moment, there is no alternative source of the leak, no alternative sellers and definitely not for free. The sellers say that “Nothing comes free in this world.”
We tried to contact the seller a few weeks ago; however, their proton mail email address was not working. Apparently, their email address has been suspended by Protonmail itself. The Protonmail is a popular mail service used by numerous Dark Web Threat actors, based on our observation. Surprisingly, the threat actor’s choice may not be foolproof because Protonmail respects what is deemed lawful and straight-up illegal based on their terms and conditions. Their protonmail email address used to be [email protected]. Check out the proof that Protonmail swiftly acted to suspend the seller’s email address:
It appears the MalwareHunterTeam is on Solarleaks trail too. However, the blackhat seller group is not giving up without a fight. Here is a quoted procedure from their onion site on how to purchase and communicate with them for the data:
“As we are considering serious partners only, this is how we will be dealing with inquiries:
Send exactly 100 XMR to the address below, add a payment id with your email address so we can contact you back. You should encode your email address as 32 bytes data in the payment id.”
XMR address: 486FSvAbzo9X3PPvoP5xoBb1iVewDqhJ44MCRuUW8BCsJ8TuiSyiaW4ZwLGLJJ1UTgRDUSi6X9cwwJjMF594Dd31P97Sx4o
The bottom line is the hackers want to receive 100 XMR to their listed Monero address for the sample data. This is a gamble because a $16,000 worth of cash for a legitimacy test is a steep price. But not as steep as getting sued for failing to protect the private details and intellectual property of the customers involved in this breach, right?
