Solarwind, Fireeye, Microsoft and Cisco leaks are offered for sale (solarleaks.net)
288 points by autoro 9 days ago | 124 comments

What evidence is there that this is actually the SolarWinds hackers and not someone who uploaded some random encrypted files and is hoping to trick people into sending them money?

There’s a PGP signature, but as far as I’ve heard the attackers didn’t leave behind any other messages to prove it was signed with the same key.

And it does not seem a very serious attempt either. The only way to make this deal is through a single listed protonmail address that if this gets any traction will be closed in all likelihood. Not like an onion site with a contact page or something.

Not really.

The message is PGP signed. If the protonmail address is taken down, then another message will be put out with alternate means of contact that will have a correct PGP signature.

If you read the message there is indeed an onion address as backup in case things get taken down.

The PGP address is the important part. No matter what gets taken down, if they can get attention to another message with a valid PGP signature, then they can carry on easily.

EDIT: This is actually how Cicada3301 of all people operated. The PGP key allowed them to post a message even on Pastebin or /x/ and they would still be contactable and effectively uncensorable, because their identity was persistent and their messages were replicated.

As a side note, with so much attention on replacing PGP, I've long thought the turning point would be when a group like this uses something else. It's just a highly visible thing and it's a group that a lot of people assume know what they are doing.

> with so much attention on replacing PGP

There actually isn't much attention on replacing PGP with anything specific.

What other completely decentralized alternatives exist with no single point of failure? libsodium? That's a good start but a long way from a complete alternative.

Plenty of quasi-centralized encrypted chat "apps" keep pretending they offer what PGP offers. The clueful ignore these gesticulations.

Indeed, for a side project I have, I have a problem I want to be able to solve of "encrypt a file with a passphrase in a way that's secure and can be decrypted with standard tools". PGP is the best option for this, but I'm resisting implementing it in the hope I can find something better.

You may wish to look at age: https://github.com/FiloSottile/age

I've looked at 10 different tools like this, but this doesn't fall well enough into the definition I'm using of "standard tools," by which I mean something installable from apt/yum/ports on a wide variety of systems.

The closest I've found is using openssl's aes modes, but that requires the IV to be stored out-of-band somehow which is a do-able but a hassle I was hoping to avoid.

For the context right here minisign would be perfectly capable. The post on this thread is not encrypted, there's no "decentralized" relevancy. Minisign has smaller keys and forces modern technology with a far simpler format.

I've always wondered how effective this sort of info security is. Could a state actor track down these sorts of operations, or can infosec be good enough to really leave no trace?

It's not that hard to do this kind of thing without leaving any solid trace at all.

A way to do it for example would be to use a stolen credit card to subscribe to a few VPNs with hops on Tor in between and use that to set up a VPS that puts this up after a few weeks.

The devil is in the details, but if you're careful you can leave absolutely no trace.

Although, the more they interact with the internet, the more clues they leave behind. Things like Tor can be deanonymized, and even Tor has a warning. Quote: "Generally it is impossible to have perfect anonymity, even with Tor."

Source: https://support.torproject.org/faq/staying-anonymous/

> Although, the more they interact with the internet, the more clues they leave behind

Interacting with a tor browser would be amateurish at this point. Just connect to tor (not on a browser, tor directly), use a script to upload to some random pastebin, disconnect from tor.

I didn't mention anything about a browser.

Note that, for example, your ISP can see whenever you are using Tor or a VPN. From there, they can inspect the packets to work out what pastebin you have visited. E.g. simply by measuring how many bytes you have uploaded and then finding the paste and comparing the length of the paste with the number of uploaded bytes. (Just a basic example, there are more advanced methods). See https://witestlab.poly.edu/blog/de-anonymizing-tor-traffic-w...

This is why you don't actually post anything on pastebin yourself.

Rather, you SSH into a VPS (via multiple VPNs and Tor/I2P), then program the VPS to post your message to pastebin in a week.

And of course, you're not doing this from your home, you're doing this from the parking lot of a Starbucks in a car with tinted windows and fake plates, using a device with a spoofed MAC address.

There are many ways of pulling this off so that no one will ever be able to pin you down. You just need to pay attention to detail.

You're of course using some sort of obfuscated bridge too, so that packet sizes become meaningless.

Alright, good point. I'll concede the argument - there's fairly decent anonymity for those who use a combination of tools and know how to operate them. It's still not 100% perfect, but good enough.

Some examples where it could go wrong: what if the VPS was a honeypot? What if the VPN logged everything? What if Tor or other piece of software they are using has a 0-day? The more complexity, the more chance for a bug or mistake... and so on...

Yes, it's absolutely true that you must be very careful, and of course it's not 100% but it's 99.9999...% perfect.

That said, a VPN logging everything, or Tor being compromised, or the VPS being a honeypot wouldn't be enough to compromise you, you'd need all of them to be true simultaneously.

Let's say you followed all of the leads down to connection points.

Randomized MAC connecting to a McDonald's free WiFi, cameras capture a masked guy in a hoodie or black Cutlass with unreadable plates. Now what?

Even better: throw away a Raspberry Pi that automatically connects to the McDonald's WiFi at night from the trash can. The evidence is disposed of, and surveillance captures many people throwing away trash. Whose Happy Meal had the toy?

Or fashion a cantenna and connect all the way from KFC.

Plenty of ways to be untraceable unless there is a spook at every hotspot, instantly notified of undesirable activity.

I think we can't know for sure unless they release some of it like the Shadow Brokers did. But the Shadow Brokers show that it is possible for hackers with highly valuable leaks to post it for sale on the public Internet.

Usually for this kind of thing samples are provided. This attack feels too sophisticated for a mere sale. At best, if this is legitimate, it's misdirection.

Needs proof of life. None of the "vendors" will consider it without proof. In fact, they would likely verify if they were real dumps.

Strange that there is no public key provided...

You can't verify a signature without a public key.

You can extract the public key from the signature. This public key is E2C73BC53B9118A0.

If you want to have a go at it yourself, run gpg -vv and paste the entire message, it will give you the public key.

No, you cannot extract the public key from the signature. It is only telling you the fingerprint of the key the message claims to have been signed with, but there is no verification happening.

You can change part of the message or the encoded fingerprint (which is a bit longer than the portion you pasted), and it will still report it the same way.

However, you will not be able to mathematically verify that this message and another one was signed by the same key.

If you look carefully at what GPG is telling you, you'll probably see a line like this, unless you have the key in your keyring:

    gpg: Can't check signature: No public key

Yes, you're right, this is only the ID, you'd need to get the actual key off a keyserver.

Also, let us not forget the possibility that there may not even be a key to begin with. :)
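The exchange above turns on one fact about the OpenPGP wire format: the 16-hex-digit key ID that `gpg -vv` prints is an "issuer" subpacket carried inside the signature packet, which is read straight off the bytes and checked against nothing until the matching public key is obtained. The following added example (not code from the thread or from GnuPG) parses that subpacket out of an ASCII-armored signature per RFC 4880, handling both the legacy issuer subpacket and the newer issuer-fingerprint subpacket, and verifies the armor CRC24 so that hand-edited blocks are at least caught as corrupt. The signature it parses is constructed in the file with filler in place of a real RSA value, so it is deliberately unverifiable; the only page value it reuses is the key ID quoted in the thread.

```python
"""Added example (not from the thread or GnuPG): read the issuer key ID out of an
ASCII-armored OpenPGP v4 signature (RFC 4880 layout) and show it is unauthenticated.
The sample signature is CONSTRUCTED below with filler for the signature value."""
import base64
import struct
from typing import Iterator, Optional, Tuple

CRC24_INIT, CRC24_POLY = 0xB704CE, 0x1864CFB
ISSUER, ISSUER_FINGERPRINT = 16, 33          # signature subpacket types


def crc24(data: bytes) -> int:
    """Armor checksum, RFC 4880 section 6.1: detects corruption, not tampering."""
    crc = CRC24_INIT
    for octet in data:
        crc ^= octet << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor(packet: bytes) -> str:
    body = base64.b64encode(packet).decode()
    check = base64.b64encode(crc24(packet).to_bytes(3, "big")).decode()
    return f"-----BEGIN PGP SIGNATURE-----\n\n{body}\n={check}\n-----END PGP SIGNATURE-----\n"


def dearmor(armored: str) -> bytes:
    lines = armored.strip().splitlines()
    if not (lines[0].startswith("-----BEGIN PGP") and lines[-1].startswith("-----END PGP")):
        raise ValueError("not an armored block")
    inner = lines[1:-1]
    while inner and inner[0].strip():        # skip armor headers such as "Version:"
        inner.pop(0)
    check = inner.pop()                       # last line is "=" + base64 CRC24
    packet = base64.b64decode("".join(inner[1:]))
    if not check.startswith("=") or base64.b64decode(check[1:]) != crc24(packet).to_bytes(3, "big"):
        raise ValueError("armor CRC mismatch: block was corrupted or hand-edited")
    return packet


def build_signature_packet(issuer_key_id: bytes, created: int = 1610000000) -> bytes:
    """CONSTRUCTED v4 signature packet laid out like `gpg --clearsign` output;
    the 1024-bit RSA MPI is pure filler, so no key could ever verify it."""
    hashed = bytes([5, 2]) + struct.pack(">I", created)     # subpacket 2: creation time
    unhashed = bytes([9, ISSUER]) + issuer_key_id           # subpacket 16: issuer key ID
    mpi = struct.pack(">H", 1024) + b"\x80" + bytes(127)    # bit length, then filler
    body = (bytes([4, 0x01, 1, 8])                           # v4, text sig, RSA, SHA-256
            + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed
            + b"\x12\x34" + mpi)                             # left 16 hash bits, then MPI
    return bytes([0xC0 | 2, len(body)]) + body               # new-format header, tag 2


def iter_subpackets(data: bytes) -> Iterator[Tuple[int, bytes]]:
    pos = 0
    while pos < len(data):
        first = data[pos]
        if first < 192:
            length, pos = first, pos + 1
        elif first < 255:
            length, pos = ((first - 192) << 8) + data[pos + 1] + 192, pos + 2
        else:
            length, pos = struct.unpack(">I", data[pos + 1:pos + 5])[0], pos + 5
        yield data[pos], data[pos + 1:pos + length]
        pos += length


def parse_issuer_key_id(armored: str) -> Optional[str]:
    """The key ID `gpg -vv` prints: a claim in the packet, checked against nothing
    until the matching public key is obtained and the signature verified."""
    pkt = dearmor(armored)
    if (pkt[0] & 0xC0) != 0xC0 or (pkt[0] & 0x3F) != 2:
        raise ValueError("expected a new-format signature packet (tag 2)")
    if pkt[1] < 192:                                      # one- or two-octet body length
        body = pkt[2:2 + pkt[1]]
    elif pkt[1] < 224:
        body = pkt[3:3 + ((pkt[1] - 192) << 8) + pkt[2] + 192]
    else:
        raise ValueError("five-octet and partial body lengths not handled")
    if body[0] != 4:
        raise ValueError("only v4 signatures handled")
    hashed_len = struct.unpack(">H", body[4:6])[0]
    hashed = body[6:6 + hashed_len]
    pos = 6 + hashed_len
    unhashed_len = struct.unpack(">H", body[pos:pos + 2])[0]
    unhashed = body[pos + 2:pos + 2 + unhashed_len]
    for sp_type, sp_data in list(iter_subpackets(hashed)) + list(iter_subpackets(unhashed)):
        if sp_type == ISSUER_FINGERPRINT and sp_data[0] == 4:
            return sp_data[-8:].hex().upper()   # key ID = low 64 bits of a v4 fingerprint
        if sp_type == ISSUER:
            return sp_data.hex().upper()
    return None


def demo() -> dict:
    # Two packets claiming different issuers; both parse cleanly, neither verifies.
    claimed = armor(build_signature_packet(bytes.fromhex("E2C73BC53B9118A0")))    # ID quoted above
    relabeled = armor(build_signature_packet(bytes.fromhex("0123456789ABCDEF")))  # constructed
    return {"claimed": parse_issuer_key_id(claimed), "relabeled": parse_issuer_key_id(relabeled)}
```

To run it against a real clearsigned message, paste only the block between `-----BEGIN PGP SIGNATURE-----` and `-----END PGP SIGNATURE-----` into `parse_issuer_key_id`. The returned ID is what to search a keyserver for; two messages carrying the same ID prove nothing until the key is fetched and `gpg --verify` passes on both, which is the point the thread makes.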

Windows source is open to most people at Microsoft IIRC, so I’m not sure why you’d pay 500k for that...

Only 2.6G too, partial is understating it. That's like less than a percent of the monster IIRC. It likely doesn't even include any of the tooling to build it. It notoriously takes days to build.

This really isn't true. It's open to most people in engineering. On the support side, it's only open to those who support Windows, and I don't think it's open at all to services.

If that was true, I am pretty sure that the entire windows source would be all over the internet.

Disclaimer: Am Microsoft.

Windows source is open to most people at MS. MS is not joking when it says we practice an "inner source" policy, in that we do not rely on the security of our source code to secure our products.

My question then is why is windows not just open source entirely?

Be like Red Hat where the OS is open but you pay for support, I don't know why that model wouldn't work for MS.

One of the most challenging things Microsoft has faced when open-sourcing projects is the auditing stage. Windows is huge. Lots of code in Windows is not written by Microsoft or even by third parties contracted by Microsoft. Some parts of Win32 code (that are backwards-compatibility sensitive) are owned by third parties that are already long gone or absorbed by other third parties. This is the reason Microsoft cannot even release a binary version of Space Cadet Pinball even when they want to, because it is now owned by EA (Surprise! Also see https://devblogs.microsoft.com/oldnewthing/20181221-00/?p=10...) and the same reason why they have removed the pre-2007 equation editor from their Office suite (https://support.microsoft.com/office/equation-editor-6eac7d7...). At one of its previous audits (for IE 7), they had to check if it was Spyglass code and replace the offending code, which allowed them to terminate their contract with (at the time) AOL.

Windows has many of these components, and they are even attributed when you know where to look. For example, the code for parts of the disk management utility, the spinning-disk defragmenter, and NTFS quota management was based on code provided by VERITAS Systems (which I am not even sure still exists as a company). The MP3 codec is provided by Fraunhofer (which still exists, but I'm sure that they will not agree to open-sourcing that codec). On the other hand, some of them are under permissive licenses or even the same code as other counterparts (while the BSD TCP/IP stack story ranges from code removed by Windows 2000 to simply an apocryphal tale); for example, the code by IJG for JPEG support is used extensively in Windows. The only built-in (L)GPL code ever used was the BRLTTY system (https://mielke.cc/brltty/index.html) and LibLouis (http://liblouis.org/), which was used for Braille accessibility (WSL2 used the Linux kernel, but they are arguably a different application with separate instances).

Edit: Microsoft's third-party disclosures: https://www.microsoft.com/en-us/legal/products/notices/win

Strong case against using proprietary software in your code base, isn't it. What a mess.

Using proprietary software in their code base, they made billions and dominated the market, crushing all competitors. Right now they charge people for access to the code.

On the other hand, they can't freely release the code, something which is of little benefit to them anyway. How is that a "strong case" against?

Because the parent poster suggested they in fact wanted to open source more stuff but couldn't for these reasons. Therefore, it is a strong case against.

Maybe we're using different definitions of "strong case", I'm imagining it in a court of law, a case for going one way is "billions of dollars and market dominance" - that's a strong case. The case for changing direction is "in 30 years, giving your stuff away will be less legal trouble". That's true, but it's not a strong case for changing direction, it's a minor shrug. Strong meaning enough to overturn the competing arguments and push a different decision, not just "isn't wrong".

Sure, but at the time they were creating the mess they were actively opposed to open-source software.

Only if you believe that future open sourcing of your code base would bring greater benefit than the proprietary software itself, which seems very unlikely.

I've gotten the impression Microsoft is taking a "open source new stuff" approach... After enough years and refactors and replacements, hopefully most of Windows will be open source. Things like the Windows Terminal project and Windows Calculator going open source seem to suggest this is the case.

But is there such third party owned code in the NT kernel? Open sourcing the kernel would bring the most benefit both for security and publicity.

OSSing a major decades old codebase is a huge undertaking and it's hard to see how it would drive additional Windows or even MSFT revenue at this point.

They do share source code if you're big enough that the revenue matters to them: https://www.microsoft.com/en-us/sharedsource/

You'd then have forks pretending to be "secure" wrt things like Protected-Video-Output-Path, widevine etc. Sort of like Magisk for Windows. Disney, Netflix and many others don't really like that.

And you'd have versions with configurable update servers. And LE probably really enjoys the fact that they can ask "Hey, next time SubjectX downloads daily Defender updates, please add in the Remote-Administration-Toolkit" for any of a billion computers. I'm expecting MS to get a big list soon with maybe several dozen million new "people of interest" that need tracking.

Microsoft does do that already. They do both, so dropping the licensing revenue would strictly be a decrease in revenue.

Offering support contracts for open source code is an extremely difficult business model. It happens to be one of the few that actually can work, but the margins are just not great compared to the proprietary software industry. 90% of the kinds of customers who really "should" be paying you simply won't do so if they think they can scrape by without doing so.

Windows includes code from a lot of different companies and places. Sorting out all the licenses would be a major headache (especially as code is refactored/edited) let alone getting agreements from everyone for a new license.

Not taking sides here, but I don't get the comparison. RHEL is based on the oss Linux kernel, whereas microsoft is closed from the bottom up.

That being said Microsoft is slowly "getting" open source. We'll see how far their gut will let them take it.

Not OP (and not Microsoft), but I would say it's a complicated road to get there.

I do believe we will see open source Windows in... the next decade?

Anyone want to take a longbet with me? ;-)

Component by component, it would look like. And it makes sense to replace components with tried and tested open-source solutions to reduce internal maintenance burden for components with low visibility/profitability.

When was the last time you heard somebody say: "I bought Windows (Server) because of the print subsystem"? I could see them adopting CUPS, for example. That way in 10 years they can stop maintaining theirs when current versions EOL.

But for "intimate areas" that may take time, or may never happen. Or they move into the hardware. So I remain skeptical wrt a 100% auditable (modern) tech-stack.

In the case of the browser-engine I wish though, that they had not picked webkit. What were the reasons against Gecko? Not "embedable" enough?

Windows' print subsystem was one of the ways it became so dominant, by having a standard hardware abstraction layer desktop software like word processors and spreadsheets could advertise "compatible with Windows printing" and buyers wouldn't have to shop around for software and printer models which were compatible with each other, and developers wouldn't have to . Jeffrey Snover talked about this as part of his design for PowerShell, to have a standardised management interface that admins could learn for scripting and automation, and third parties could present an interface to for managing their products and services.

The print subsystem is one of the backwards compatibility limits on redesigning parts of the classic control panel - I'm fairly sure Raymond Chen has written about it - because so many print drivers depend on the way it works to hack in pages and popup dialogs for specialist configurations for their printers.

It also integrates decently with Windows' granular permissions, file and printer sharing on networks, logging, has tons of specialist printers like label printers, receipt printers, etc and is used by a ton of 3rd party management and configuration tools. I would be hugely surprised if it's unsupported in 2031.

> "*"I bought windows (server) because of the print subsystem"?"

When was the last time you heard somebody say: "I would buy Windows Server, if it had CUPS printing support in it"?

Thank you for taking the time to write this!

When using CUPS in my previous posts as an example of a "standard open-source component that could be a drop-in replacement in a vast majority of deployments/installations", I was hoping that somebody knowledgeable would reply with some details about the (speciality-use) features/use-cases of the Windows print system.

You mentioned a few points that I'll try to itemize and respond to:

* Specialty hardware setup, and UIs for that: In these times (for non-ancient devices/deployments), is that not easily solved by the [web] UI of the printer?

* Speciality hardware runtime control for print jobs (staples, binds, folds, glue, mailing, ...): I thought all of these are commonly abstracted into "verbs" in PCL/PJL, and just need to be "included" in the print job.

* Decent integration into enterprise setups. In what ways do you find CUPS lacking here? I find CUPS+AD-Auth_to_Samba4AD works great, and all the RSAT tools are functional from a domain member workstation

* Driver support: Is that really still a problem these days?

* Availability of paid support for the Windows print system for X amount of money in 2031: If commercial interest is there, I have no doubt that MS will offer something like they did for WinXP and Win7 years after the normal EOL of Srv201{6,9}. I just thought it was already visible now that the "commercial interest" for this was going to be small, but then again I might be underestimating the (future) size of the "seriously large-scale paper printing" market.

> "When was the last you heard somebody say: "I would buy Windows server, if it had CUPS printing support in it"? "

Admittedly, never, but I can probably count in years the paid time that I have worked helping clients with their Windows print problems, many times calming them down to get the screaming and crying under control. So maybe a replaced print system (in WinServer) could (by some) be seen as a net positive, while the average Windows Home user won't notice/care. ;)

In fact, I think most companies buy Windows Server in spite of the printing subsystem. I still wake up at night mumbling “net stop spooler; net start spooler”

I am willing to add to the pool, I am also betting core components of Windows will be open sourced soon.

I'm betting more on "replaced". E.g. When they switched to Webkit, they didn't opensource Trident. How many people would notice, if the next version of windows used CUPS running on the WSL2 backend with a nice small GUI in Windows-Land? The very informative comments from @zinekeller and @ChrisSD highlight the problems with opensourcing mixed-vendor heterogeneous code bases. Also open-sourcing code rarely means it becomes "maintenance-free".

Psst! They technically released the ECMAScript/JScript (definitely not JavaScript®)* interpreter, Chakra (https://github.com/chakra-core/ChakraCore).

* Trademark notice: JavaScript® is a registered trademark of Oracle America Inc.

I think you're right in that the road to MS open-sourcing Windows will be slowly starting to adopt other existing subsystems (and hopefully giving back) so that they are managing less and less proprietary code over time.

WebKit? Edge is using Blink, unless I’m misunderstanding?

Blink is the name they gave the fork of the webkit core.

The fork was years ago at this point. Blink and Webkit certainly share a lot of code, but I think it's inappropriate to completely lump them together.

It is true for most engineers here. Most of us don't want to go to prison though. Most tech companies are the same way.

Buddy said the same is true at Amazon. There are some locked down repos but a vast majority of everything is open for any engineer to see.

Leaks are possible, no doubt. But yeah, prison.

Different versions have in fact leaked, most recently of Windows XP/server 2003.

Oddly enough, all the Windows leaks I've heard of are various versions of the NT series --- I don't think I've ever heard of Win9x (and 3.x) leaks.

There's some very old DOS leaks too, but the "in between" seems to have somehow been avoided.

It is true.

It is all over the internet lol. Windows source has always been frequently traded.

autoro- I have to ask, did you publish this yourself? It’s your only submission and your only comment

Yes, I did (of course this message can't prove it in any way). I am usually a silent reader on HN but I saw there was no submission on this topic so I submitted it.

The PGP key is E2C73BC53B9118A0.

I can't find it on any keyserver, yet.

That key isn't the one linked to the Protonmail account either. [0] (You'll get a payload of all linked public keys with that link).

[0] https://api.protonmail.ch/pks/lookup?op=get&search=solarleak...

This is a nice way to verify Protonmail addresses. Is this API publicly documented?

That particular part is detailed on the knowledge base [0], so... Yes? For just this bit.

But I don't think the full API is documented. There are some attempts to reverse engineer an API from the WebClient [1], but they tend to be... Brittle.

[0] https://protonmail.com/support/knowledge-base/download-publi...

[1] https://github.com/ProtonMail/WebClient

Bear in mind that the "results" of a notorious hack are often offered for sale as a diversionary technique, and in particular this offers up nothing beyond commercially sensitive information, if even legitimate at all.

I really don’t like doing this, but [citation needed]

"Serious buyers only: solarleaks@protonmail.com

- - Q: Is this really happening? Can you provide proof? A: Yes and yes.

Q: Why no more details? A: We aren't fully done yet and we want to preserve the most of our current access. Consider this a first batch.

Q: I'm [vendor] and want my data back? A: Talk to us.

Q: Why not leak it for free? A: Nothing comes free in this world.

Q: How to buy? A: Contact us for more information."

These don't sound like things that the Russian government or any nation state would be saying.

Makes the U.S. intelligence / media look stupid. And if it turns out that it is some individuals that happen to live in Russia, it still makes the U.S. look stupid.

Russia behaved exactly the same after the DNC hack. They made up a story about some Romanian hacker called Guccifer but their cover up was debunked by Vice: https://www.vice.com/en/article/wnxgwq/guccifer-20-is-likely...

> The main element pointing to Russia is the timeline of the events.

I didn't realize the bar for "debunking" had become so low.

The whole basis of Vice debunk is "Nobody heard of a Guccifer 2.0 persona before", which is not exactly strong evidence for anything.

Particularly considering Guccifer is a real person and referencing other hackers not that unheard of.

According to https://www.srcbeat.com/2021/01/solarleaks/ their email sent to solarleaks@protonmail.com bounced back with "Address does not exist" error.

I was about to check if I could register it, but then thought that might be a bad idea.

Lol. ProtonMail has strong encryption and is hosted in one of the strongest jurisdictions in the world as regards privacy laws. Nothing to worry about :)

Tutanota on the other hand lost a court battle in Germany and had to give up email data from one of their suspected-to-be-criminal clients [0]

> These don't sound like things that the Russian government or any nation state would be saying.

I mean this could just be an attempt to make it _seem_ like it's not a nation state.

One way to essentially guarantee that it _was_ a nation state is for the stolen data to never turn up for sale to the public/back to the owners, as we would naturally assume whoever the actor was was happy just keeping everything to themselves, something only a nation state would ever really do. A non-nation state's only real motivation would be financial, and so if no evidence of that ever came about, the only real alternative would be to assume it was a nation state.

Well, or the hack was by some greyhat/kid who realised they were in over their head and that keeping evidence of their crime around was a dumb move.

Maybe that’s the entire point

While that's possible, pushed far enough this line of reasoning is unfalsifiable and evidence is thin either way.

> These don't sound like things that the Russian government or any nation state would be saying.

This goes both ways: Or they would be exactly the kind of things a government would say to dispel any notion of it being a government.

> Makes the U.S. intelligence / media look stupid. And if it turns out that it is some individuals that happen to live in Russia, it still makes the U.S. look stupid.

I wonder whatever happened to that whole mantra of the early 2000s and 2010s when governments would regurgitate the difficulty in dealing with "cyber" due to the "asymmetric" nature of "cyber warfare"?

Somehow that was completely forgotten over the last decade in favor of blaming any and all InfoSec breaches instantly on some state actor.

One has to wonder how much of that is just deflecting from bad practices with "The enemy is a state, nothing we could do to defend against an attacker that powerful!" in favor over admitting "Yeah some autistic dude in his parents basement pwned all our stuff because our security is completely amateurish".

Are the US intelligence community / media saying that the attack was by the Russians?

Washington Post attributed the attack to Russian actor APT29/Cozy Bear on Dec 14th [1], quoting unnamed sources.

FireEye [2] Dec 13th & Volexity [3] Dec 14th were more cautious, citing an unknown actor that they dubbed UNC2452, and Dark Halo, respectively.

Recorded Future made a fair but ultimately inconclusive case for Chinese attribution [4], Dec 30th.

US gov/CISA continues to claim "Russian linked" [5], Jan 5th.

Kaspersky reported a link to the Kazuar malware used by Russian actor Turla [6], Jan 11th.

CrowdStrike's report on the malware injector [7], Jan 11th says "does not attribute the SUNSPOT implant, SUNBURST backdoor or TEARDROP post-exploitation tool to any known adversary".

[1] https://www.washingtonpost.com/national-security/russian-gov...

[2] https://www.fireeye.com/blog/threat-research/2020/12/evasive...

[3] https://www.volexity.com/blog/2020/12/14/dark-halo-leverages...

[4] https://www.recordedfuture.com/solarwinds-attribution/

[5] https://www.cisa.gov/news/2021/01/05/joint-statement-federal...

[6] https://securelist.com/sunburst-backdoor-kazuar/99981/

[7] https://www.crowdstrike.com/blog/sunspot-malware-technical-a...

That's an impressively detailed response. Did you happen to track all these kinds of quotes routinely for your own research, or are you that good at finding this info that quickly.

Ahh interesting, thanks for the response. Surprisingly enough, Kaspersky also attributed it to a Russian APT, so I'm still not sure about the parent post's claim that it makes the US look stupid, if it's the global intelligence community saying so.

No evidence has ever been shown. It is easy to cite a lot of people parroting the idea that it came from Russia, but aside from some vague connections, there is 0 hard evidence. If you were an Israeli, Iranian, Chinese, etc... hacker, you would obviously tunnel through servers in foreign countries that were easy scapegoats. So even if there was actual evidence (which there isn't) it still wouldn't mean anything unless it could be tracked back to an originating IP and connected to an individual with a motive and without an alibi.

The benefits of blaming things on Russia for certain political parties are obvious, but those politicians and media members continue to make claims while never presenting any evidence, so you really have to ask yourself what is more likely to be true: a bunch of vapid politicians' self-benefiting claims without evidence, or the far more obvious possibility that a group of techie people from some random country hacked an easy target for money.

Occam's razor says it is the latter.

So, attribution doesn't work that way.

During an active incident, attribution details are not published. This incident still has people responding to it, and potentially further impacted victims. Indicators of compromise are published to allow for entities to hunt for malware or evidence of breach within their environments, but details that directly attribute a particular strain of malware to a threat actor are generally not shared (at least with the general public). Publishing those details could cause the threat actor to change those details and therefore evade detection and persist in impacted environments.

Let's take the Google breach of 2009, known as Operation Aurora as an example (https://en.wikipedia.org/wiki/Operation_Aurora). China was claimed to be the culprit at the time, but it was not until three years later that Fireeye / Mandiant finally published the details that were used to track and identify the threat actor as part of their APT1 report (https://www.fireeye.com/blog/threat-research/2013/02/mandian...).

In this particular case, even though the known impacted entity count is around 250, around 18 thousand entities downloaded the backdoored version of SolarWinds and are at risk. Publishing attribution details now could negatively impact their response. When respected entities in the field make a claim on attribution, generally it is accepted, because if those entities were lying, their service (and potentially some of their executives, as they are publicly traded in some cases) would go to jail.

It's important to note that each responding team will have access to different data sources and be able to make different claims as a result. CrowdStrike declined to do attribution, whereas FireEye was more definitive with naming a group. This is likely because FireEye was impacted first hand and was able to capture indicators that are not public. (One of the steps of IR is containment, where you observe a threat actor's activity to figure out where they are in your environment, so you literally get to watch them some.)

The people in charge of the various government agencies are politicians without experience in this area true, but they are briefed and educated by the experts that do have experience in that space. Likewise, Washington Post is known for vetting stories in this space carefully. At this stage in the game, it is highly unlikely it is not Russia, as this sales pitch is very similar to when Russian associated actors leaked the NSA toolset. It too was advertised for sale via bitcoin (https://en.wikipedia.org/wiki/The_Shadow_Brokers).

Anyways, if you're interested in this space, go find your local incident response (DFIR) meetup and ask how they track malware families. IP addresses are probably not one of their best signals for who made malware or executed an attack.
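The comment above describes the split between published indicators of compromise (which defenders can hunt with) and withheld attribution details, and notes that IP addresses are a weak signal. The following is an added example of that hunting step, written for this page and not code from the commenter or from any vendor; every indicator and log line in it is constructed (RFC 5737 / RFC 2606 reserved addresses and names, and a hash of a placeholder string), not a real SolarWinds indicator. It matches a small IOC feed against log lines, treats a hit on a listed domain as also covering its subdomains, and tags each hit with a confidence level so that an IP-only hit is not treated as equal to a file-hash hit.

```python
"""IOC hunt over log lines (added example; all indicators are constructed)."""
import hashlib
import re
from typing import Dict, List, NamedTuple, Optional, Set


class Match(NamedTuple):
    line_no: int
    kind: str        # "sha256", "domain" or "ip"
    value: str       # the indicator that matched
    confidence: str  # how specific the indicator is to one actor/family


# Hash of a specific binary is near-unique; a domain is registered by someone;
# an IP may be shared hosting, a CDN or a VPN exit, hence the ordering.
CONFIDENCE = {"sha256": "high", "domain": "medium", "ip": "low"}

# Constructed indicator feed (hypothetical values, not real SUNBURST IOCs).
CONSTRUCTED_HASH = hashlib.sha256(b"constructed-sample-binary").hexdigest()
IOCS: Dict[str, Set[str]] = {
    "sha256": {CONSTRUCTED_HASH},
    "domains": {"update.example.net"},   # RFC 2606 reserved name
    "ips": {"203.0.113.45"},             # RFC 5737 TEST-NET-3 address
}

# Constructed log lines: a DNS query, a proxy connection, an EDR hash event,
# and one benign line that must not match.
SAMPLE_LOGS = [
    "2020-12-14T03:11:02Z dns client=10.0.0.7 query=abc123.update.example.net type=A",
    "2020-12-14T03:11:03Z proxy src=10.0.0.7 dst=203.0.113.45:443 bytes=5120",
    "2020-12-14T03:12:40Z edr host=ws-17 file=x.dll sha256=" + CONSTRUCTED_HASH,
    "2020-12-14T03:13:00Z dns client=10.0.0.9 query=www.example.org type=A",
]

HEX64 = re.compile(r"\b[0-9a-f]{64}\b", re.I)
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


def domain_matches(host: str, ioc_domains: Set[str]) -> Optional[str]:
    """Return the listed domain that `host` equals or is a subdomain of.

    Walks the labels right-to-left so "abc.update.example.net" hits
    "update.example.net" but "notupdate.example.net" does not.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in ioc_domains:
            return candidate
    return None


def hunt(lines: List[str], iocs: Dict[str, Set[str]]) -> List[Match]:
    """Scan log lines for any listed hash, IP or domain; return ordered hits."""
    hits: List[Match] = []
    for n, line in enumerate(lines, 1):
        for h in HEX64.findall(line):
            if h.lower() in iocs["sha256"]:
                hits.append(Match(n, "sha256", h.lower(), CONFIDENCE["sha256"]))
        for ip in IPV4.findall(line):
            if ip in iocs["ips"]:
                hits.append(Match(n, "ip", ip, CONFIDENCE["ip"]))
        for host in HOST.findall(line):
            hit = domain_matches(host, iocs["domains"])
            if hit is not None:
                hits.append(Match(n, "domain", hit, CONFIDENCE["domain"]))
    return hits


def hosts_needing_triage(lines: List[str], iocs: Dict[str, Set[str]]) -> Set[str]:
    """Internal clients tied to a medium/high confidence hit; IP-only hits are
    left for a second look rather than escalated on their own."""
    strong = {m.line_no for m in hunt(lines, iocs) if m.confidence != "low"}
    clients = set()
    for n in strong:
        for key in ("client=", "host="):
            if key in lines[n - 1]:
                clients.add(lines[n - 1].split(key, 1)[1].split()[0])
    return clients


if __name__ == "__main__":
    for m in hunt(SAMPLE_LOGS, IOCS):
        print(f"line {m.line_no}: {m.kind}={m.value} ({m.confidence})")
    print("triage:", sorted(hosts_needing_triage(SAMPLE_LOGS, IOCS)))
```

Run against the constructed lines, the script reports one domain hit (via the subdomain), one low-confidence IP hit and one hash hit, and only the two hosts behind the domain and hash hits are queued for triage. Swapping `IOCS` for a real published feed and `SAMPLE_LOGS` for a DNS or proxy export is the practical use of this pattern.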

>At this stage in the game, it is highly unlikely it is not Russia, as this sales pitch is very similar to when Russian associated actors leaked the NSA toolset. It too was advertised for sale via bitcoin (https://en.wikipedia.org/wiki/The_Shadow_Brokers).

Great post overall, but I disagree here. It's indeed very likely Russian intelligence did the compromise, but it's still unclear if this particular "leaks for sale" offer is legitimate or just a random unrelated troll trying to make quick money before they get outed as fake. It does sound similar to the Shadow Brokers offer, but that could easily be emulated (and probably would be emulated if a scammer was trying to sound like Russia).

It could be legitimate, but I would be highly skeptical unless/until they release some samples of what they have. The Shadow Brokers started out not providing anything but later started leaking things to prove they weren't lying.

So I'd say this is worth keeping an eye on, but shouldn't be taken very seriously until they post at least some shred of evidence supporting their claims.

>when Russian associated actors leaked the NSA toolset

Has anyone actually attributed TSB to Russian actors? I don’t think so.

The US government certainly hasn’t made such claim, to my knowledge the mainstream press hasn’t made such a claim and neither have any of the companies you’d usually trust to make such assessments.

> if it's the global intelligence community saying so

Though it's really not, the only "official" attributions are WaPo's unnamed government source and US agencies saying "Russian linked".

But there is no real evidence for that except those Kaspersky heuristics about the malware having been used before, which is really not that much of a "smoking gun".

There's also the fact that for pretty much everybody involved it would be much more convenient to have this framed as a "state actor attack": The amount of companies breached and their nature just makes this horribly embarrassing for most people responsible and involved.

Even letting on the possibility that some kind of non-state actor is responsible for this would add even more insult to the already existing injury.

Kaspersky actually didn't attribute it to a Russian APT. They say they found one thing in common, but are actually explicitly saying that they don't know whether they are the same group.

> TLDR; just tell us who’s behind the SolarWinds supply chain attack?

> Honestly, we don’t know.

> To clarify – we are NOT saying that DarkHalo / UNC2452, the group using Sunburst, and Kazuar or Turla are the same.

Ah, thanks for the source / context.

US digital infrastructure is the ultimate soft target. I assume for every SolarWinds we hear about, there are others that the government squashes due to sheer embarrassment or national security concerns.

> These don't sound like things that the Russian government or any nation state would be saying.

Why not? Sharing stolen source costs them nothing, and nation state hackers have budgets just like the rest of us.

They probably wouldn’t even get in big trouble for selling this stuff and using the money to buy themselves lambos, a nice bonus on top of the government hacker salary.

>a nice bonus on top of the government hacker salary.

The current narrative is that they aren't on payroll or under orders, but instead individuals or groups within the collective (Cozy Bear) act on their own initiative to win Putin's favor.

>The current narrative

According to whom?

> Q: Why not leak it for free? A: Nothing comes free in this world.

They didn't pay to get that data they're now charging money for. "Nothing is free when we're offering it" they should say.

We pay for things with money and time. They absolutely "paid" for the money if you consider the amount of time they probably put into it.

Wonder if mega.nz will not block this download.

It appears they have. "The file you are trying to download is no longer available. This link is unavailable as the user's account has been closed for gross violation of MEGA's Terms of Service."

Why isn't mega.nz removing these?

I think they have a pretty strong anti-censorship stance, and due to the way the data is en/decrypted on the client side, they have no visibility what the data consists of.

On top of that, the data here (which is posted with the mega.co.nz decryption keys standard as part of the URL) has an additional layer of encryption by the uploader, so for all anyone can prove it's pictures of cats, and not anything illegal.

On the other hand, they know exactly what the uploader claims the files are. If they don't take the files down and these turn out to be real, they could be held responsible.

It looks like mega.nz has now removed them.

So what sort of return would someone buying this expect?

Is it just me or does that not sound as if it's a "state sponsored attack"? Or maybe a tactic to distract from one?

IIRC the Russian NotPetya attack on Ukraine was disguised as ransomware requesting Bitcoin, so there is some precedent for a state sponsored attack pretending to be criminals trying to make money.

Seems expensive and you'd have to trust that admitted data thieves would give you the data after you paid them.

I guess I'm curious to understand who has the money and motivation but not risk to spend $1M on stolen data?

I'm actually interested to know what the (+ Bonus) is

Buying a .net domain with a cryptocurrency I presume? Anyone know what service they'd use for this?

Looks like they used Njalla (https://njal.la) a provider that seems to focus on "privacy aware" domains and virtual private servers hosted in Sweden.

According to their FAQ, when you register a domain name through them, they own the domain but they respect the agreement between them and the customer to let the customer have "full usage rights".

They seem to provide rather fun-named name servers. Reads "you can get no info".

    dig +short ns solarleaks.net | sort
They accept a bunch* of cryptocurrencies and then PayPal.

[*]: "Bitcoin, Litecoin, Monero, ZCash, DASH, Bitcoin Cash, Ethereum"

Interesting tidbit: This "dns by proxy" service was founded by The Pirate Bay founder, Peter Sunde.

Dns is with https://njal.la/

...So they want 16k USD non-refundable just to talk, before they even show any proof?

So, this was not a nation state hack?

Or this is a distraction to make it look like not a nation state hack.
