Caleb Boma | January 14th, 2021

The threat actors behind the SolarWinds breach may have launched a website to sell the data taken in the cyberattack. It may not stay up for long, but it is live with a pointed message – “people with knowledge will know.”

The site advertises FireEye “red team tools” for sale at $50,000. According to the listing, the red team tools would come together with “source code, binaries and documentation”.

Just four weeks after the initial SolarWinds breach was discovered, a leak site claims to hold data and information from some of the biggest organizations affected by the breach. Other organizations named in the supposed data leak include Microsoft, Cisco, and FireEye.

Here is the data the site claims to be selling:

Microsoft – 2.6GB of “source code and various Microsoft repositories” at $600,000

Cisco – 1.7GB of “Multiple products’ source code and internal bugtracker dump” at $500,000

SolarWinds – 612MB of source code for all products, including Orion, and “customer portal dump” at $250,000

For a whopping $1 million, the operators offer all of the data on the leak site. As an extortion technique, they claim they will release the data in batches, with more to follow periodically.

It’s important to note that this is an ongoing situation. Neither the site nor the data has been confirmed, but the FBI, CISA, and the NSA say the initial SolarWinds attack was carried out by a Russian state-sponsored threat group. The site was registered with Njalla, a registrar that has been used by Russian APTs such as Fancy Bear and Cozy Bear (APT29), which could point to the operators trying to fool buyers by posing as a legitimate leak site.

One sign that the site may be illegitimate is Cisco’s statement on the site and the supposedly exfiltrated data: “Cisco is aware of this website and has no evidence at this time of any theft of intellectual property related to recent events.” It will be interesting to see whether any real information emerges from this supposed leak site.

SpearTip experts have kept tabs on the SolarWinds situation from the beginning. Our developers created a free tool, Sunscreen SPF 10, to check whether the Sunburst malware has been in your network by monitoring for malicious activity and rooting out compromised versions of SolarWinds. We’ve also developed an EDR tool, ShadowSpear®, to monitor your environment and give you full transparency into your risk profile.

The cybersecurity professionals in our Security Operations Center are on call 24/7 and will assist with any issues or concerns regarding the SolarWinds breach. If you have questions, call the Security Operations Center (SOC) at 833.997.7327.