Note

The message from the solarleaks.net owner(s) has been updated, check the bottom of this post.

Encrypted files purportedly containing source code of Microsoft Windows, Cisco, FireEye and SolarWinds products were published on a new site today. I’ll keep updating this post as more information is uncovered.

The site

The message was posted on the solarleaks.net website with a mirror on the Tor network, use the Tor Browser for it.

  • website: solarleaks[.]net
  • tor onion: 5bpasg2kotxllmzsv6swwydbojnfuvfb7d6363pwe5wrzhjyn2ptvdqd[.]onion

What we know so far

The message has been signed with the RSA key with the fingerprint 24516C2E1CC7890832771178E2C73BC53B9118A0. Keep in mind that this is the fingerprint of the key the message claims to have been signed with, but there is no actual verification happening. There is currently no key on any keyserver with that fingerprint.

$ gpg --verify solarleaks.net.asc
gpg: Signature made Tue Jan 12 16:02:51 2021 GMT
gpg:                using RSA key 24516C2E1CC7890832771178E2C73BC53B9118A0
gpg: Can't check signature: No public key

The domain was registered with njal.la , a service started by Peter Sunde, founder of The Pirate Bay.

Domain Name: SOLARLEAKS.NET
Updated Date: 2021-01-11T20:44:27Z
Creation Date: 2021-01-11T20:44:26Z
Registry Expiry Date: 2022-01-11T20:44:26Z

The IP serving the site is 185.193.126.236 and we can check whois.radb.net to see what AS number that IP belongs to.

$ whois -h whois.radb.net '185.193.126.236'
route:          185.193.126.0/23
origin:         AS39287

That AS number belongs to abstract.fi in Finland and they have a few IPs assigned to them.

$ whois -h whois.radb.net '!gAS39287'
A144
197.231.220.0/22 195.14.20.0/24 45.158.116.0/22 80.78.16.0/20 95.215.16.0/22 185.193.125.0/24 185.193.126.0/23 45.142.140.0/22 198.167.192.0/19
C

The ProtonMail address solarleaks@protonmail.com has the following public key :

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: ProtonMail

xsBNBF/8svcBCADDHEB5KheF4UAJjbnTYyXRPC6C9Ozg8ToM0v3VgyDMrE/w
F1Ifce0vyeC3OPIJsxfAoUzTZeBtFs5+DgbwqokG74il64wiMdlZdGFb2O2j
T1OP+u/dxlWovZ7WxW/qXRC9eIyoR7g4a4DkJdS7H4g7Ik/dw/AgpIoJo5PS
psizo1jVQrZMiO3kUQ2ARe4z1rB9TmL1LTrnEuWTPSBUMge7Xs579e51zciq
iUZGGH5mJ7bgI42TYN8YCBk14lAgbSGrBc72NJ/GVjyLm+VwRUsXNEwnXW+p
1pXFXpLbQ0x1OOer2xKQmg2LF61QZ5idBfyKc7nDffAsRXvAXMmz05+VABEB
AAHNNXNvbGFybGVha3NAcHJvdG9ubWFpbC5jb20gPHNvbGFybGVha3NAcHJv
dG9ubWFpbC5jb20+wsCNBBABCAAgBQJf/LL3BgsJBwgDAgQVCAoCBBYCAQAC
GQECGwMCHgEAIQkQI3hckdtLCoUWIQQQtBK9rWvlMkxyYL4jeFyR20sKhUxu
B/4zd094KDSU76pIxuM3WBob/CV1j3lyxWGDuy1PzJMx6PUC4GUH24CUMzqX
gZy9e2bvGHPDmX4JEeHlsqXRIBZvMPfTydcEuJ6x0UmLBVQzFInGRX6m3RP6
RoPMyAEEqul6+iwf/AedSxDceYVac01jFPv1I7c1EN6sWFoQeuY1VrjD++wT
dwsJot3s2FYQniihXGCPND1tP6XkdHf3TdVASUV6Ymb3l42366LEq1vgEv0A
qRgA6rREAA1jdyN6p23udiys7DvAgnaeqSowPQGvXFa+acDGzFLAmlMRQovR
srh1h3yQr5UyFVjHkP87LQCksCIBsJ4i6bAe9u3V0i+1zsBNBF/8svcBCAC0
+CBi4ddBmQSQALF1g29p14OJZyNCOEJdznU6DNuevLu6AR4zAX/uF93gIs2T
AbH5Y7vhDG3mr89x1d6jzsS1HKV7mPMjv2mohbg2nrKhrSLLZD87+bhfp81Y
KrzJxWm1Lip1XOWfr7tY3NboK3uSu13DrDhBgbHSy4QRYjQhy80UX7Jg2osk
y3yvnfzW38+SED26H4Hlt80XZB5Ju1qVRpDpdEvAApjtszH1jOVi7O1pkwX9
seHy7W1uc+fsJt9IS3HdIMMlErAhuQ6SVt6hJHGcBppNxppaaVH8UP0/V3RS
k/NL1xh5LR92wW2pjBXZZfHVGOP7bhVU8ylGgRvVABEBAAHCwHYEGAEIAAkF
Al/8svcCGwwAIQkQI3hckdtLCoUWIQQQtBK9rWvlMkxyYL4jeFyR20sKhUWv
B/wL3NJhznm7tQG+50AyLGc9b2fVQoMFba9j+6X4rpomlFTGnaI8nMR3cYr4
qW62mQ0s7S2Ah8TjKJIJTzhRz5DTMbyQo3deSfSk2Airazdt+0WcsFzTZBUu
5UVtVLDXA+t5NztYM/EK9+Gny90pmcVIcJ0+uCtxDUMrwOZ/reuSU+44C0FN
NVl/QMpx3Qlh67NTz2kurL+MdQdZam14B9M96LQT+zICK8oM4CdI5ENOkqoC
MDKjX0/pKDgGzFDRnn3WvqXCw6QPY6pbO8nrghUXX5WH3k01v8oRFBWPZFMY
UHRLYILrz9o/l3SkNQfY1gkaaCsTpCk0j26u2kZN33dK
=SXk0
-----END PGP PUBLIC KEY BLOCK-----

The files

Mega.nz seems to have removed the files for now so here is a mirror of the feye.tgz.enc (39M) file from the initial site - SHA256 of the file fee8afa1081fffe6543cf0e82de05fdc4eca4e148aac98d074bc4aa1532d47bf.

The SHA256 checksums of the other files are:

  • 4289a4e60b97cfba370838e68a06b7faabc45bc8960c990b8af63606f7c419df
  • fbfce5fd66dde0aa94d39ba5f271e0b52b618edc63328b0cfcbf6709caf185db
  • 9aa822193900d67fcf240e6af8a8b7c296ef006c0386766aebd7de4d72f243cf

The message

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Happy new year!
Welcome to solarleaks.net (mirror: 5bpasg2kotxllmzsv6swwydbojnfuvfb7d6363pwe5wrzhjyn2ptvdqd.onion)

We are putting data found during our recent adventure for sale.

[Microsoft Windows (partial) source code and various Microsoft repositories]
price: 600,000 USD
data: msft.tgz.enc (2.6G)
link: https://mega.nz/file/1ehgSSpD#nrtzQwh-qyCaUHBXo2qQ1dNbWiyVHCvg8J0As8VjrX0

[Cisco multiple products source code + internal bugtracker dump]
price: 500,000 USD
data: csco.tgz.enc (1.7G)
link: https://mega.nz/file/sSgQmJLT#NqaaYXsFkASwAc51lcjBnWjP4zrbqiN-XQ7GVZGbL_o

[SolarWinds products source code (all including Orion) + customer portal dump]
price: 250,000 USD
data: swi.tgz.enc (612M)
link: https://mega.nz/file/xawhBQgJ#f3X6lPORF16wh-O9GiNVMVDZ6rxRKX64_XVR5y9KpFM

[FireEye private redteam tools, source code, binaries and documentation]
price: 50,000 USD
data: feye.tgz.enc (39M)
link: https://mega.nz/file/hOBnVYjL#l3qojAvaFWtYtcB3vX4ZABG3tBLGyhJarBBbYaHnM-0

[More to come in the next weeks]

ALL LEAKED DATA FOR 1,000,000 USD (+ bonus)

Data is encrypted with strong key.
Serious buyers only: solarleaks@protonmail.com

- -
Q: Is this really happening? Can you provide proof?
A: Yes and yes.

Q: Why no more details?
A: We aren't fully done yet and we want to preserve the most of our current access. Consider this a first batch.

Q: I'm [vendor] and want my data back?
A: Talk to us.

Q: Why not leak it for free?
A: Nothing comes free in this world.

Q: How to buy?
A: Contact us for more information.
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEJFFsLhzHiQgydxF44sc7xTuRGKAFAl/9yCsACgkQ4sc7xTuR
GKC/NwgAk/KZ9id9++Fi68M10rzd9uiC2DKTEX+qgJ9kEIASIvB/vh1uaS/mRZnj
GHf7I8D69zyI6FYlbndDN3DH6VUA21gD2dYxj7q79RpERQwV4PAO0iYRFBp0e3ho
nezYmVMMxB1GSsd+6AcdybLRJ1dmeIDB/mWnNa4S0jf45IkIw8/6j5965QxKlXBb
QlUShGTNom60BgpUOq7ud1ocH8c+HXbQdZpJ2LCq+CrQ+KuktMCsKUc1uydvTfDH
9zyjUtb3H9TC+zVugN3ANhtjDq0cIdOJQQ4vaGhnvLnXIDMvNQ1B4wxK+Ij50M8u
HD6LF0GUszJaNBdKylQaPV78sGqu3Q==
=HjXU
-----END PGP SIGNATURE-----

Update

The message was updated later with this contents:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Happy new year!
Welcome to solarleaks.net (mirror: 5bpasg2kotxllmzsv6swwydbojnfuvfb7d6363pwe5wrzhjyn2ptvdqd.onion)

We are putting data found during our recent adventure for sale.

[Microsoft Windows (partial) source code and various Microsoft repositories]
price: 600,000 USD
data: msft.tgz.enc (2.6G)
link: https://mega.nz/file/1ehgSSpD#nrtzQwh-qyCaUHBXo2qQ1dNbWiyVHCvg8J0As8VjrX0

[Cisco multiple products source code + internal bugtracker dump]
price: 500,000 USD
data: csco.tgz.enc (1.7G)
link: https://mega.nz/file/sSgQmJLT#NqaaYXsFkASwAc51lcjBnWjP4zrbqiN-XQ7GVZGbL_o

[SolarWinds products source code (all including Orion) + customer portal dump]
price: 250,000 USD
data: swi.tgz.enc (612M)
link: https://mega.nz/file/xawhBQgJ#f3X6lPORF16wh-O9GiNVMVDZ6rxRKX64_XVR5y9KpFM

[FireEye private redteam tools, source code, binaries and documentation]
price: 50,000 USD
data: feye.tgz.enc (39M)
link: https://mega.nz/file/hOBnVYjL#l3qojAvaFWtYtcB3vX4ZABG3tBLGyhJarBBbYaHnM-0

[More to come in the next weeks]

ALL LEAKED DATA FOR 1,000,000 USD (+ bonus)

Data is encrypted with strong key.

- -
Q: Is this really happening? Can you provide proof?
A: Yes and yes.

Q: Why no more details?
A: We aren't fully done yet and we want to preserve the most of our current access. Consider this a first batch.

Q: I'm [vendor] and want my data back?
A: Talk to us.

Q: Why not leak it for free?
A: Nothing comes free in this world.

Q: How to buy?
A: Contact us for more information.
- -

UPDATE: We received too many messages at the moment and can't reply to everyone in a timely fashion.
Also, we are being censored as we speak and must act quickly. Our main and backup email addresses has been shut down.

We understand you want more information but we can't give away data for free. That would be an insult to our trusted buyers.
However we can provide sample data (for all leaks + bonus) as proof of ownership.

As we are considering serious partners only, this is how we will be dealing with inquiries:
Send exactly 100 XMR to the address below, add a payment id with your email address so we can contact you back. You should encode your email address as 32 bytes data in the payment id.

486FSvAbzo9X3PPvoP5xoBb1iVewDqhJ44MCRuUW8BCsJ8TuiSyiaW4ZwLGLJJ1UTgRDUSi6X9cwwJjMF594Dd31P97Sx4o

The payment id part is very important because this is our only way to contact you back (protonmail decided to shut us down). Only a matter of time before this website goes down too.
We will then discuss with another private email address (we will use the same gpg key 24516C2E1CC7890832771178E2C73BC53B9118A0).

This payment will be considered a small down payment, which will be substracted to your final purchase. We won't refund if you're not interested in the data after seeing the archive content.

What will you get? Sample data contains all of the archives metadata (content listing) + SolarWinds customer portal SQL dump as a gift.

NO NEGOTIATION. Don't waste our time. We will be in touch after your first confirmed payment.

Some hints on how we got our data: 
25b23446e6c29a8a1a0aac37fc3b65543fae4a7a385ac88dc3a5a3b1f42e6a9e

People with knowledge will know.
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEJFFsLhzHiQgydxF44sc7xTuRGKAFAl/+6kkACgkQ4sc7xTuR
GKBtBgf/YdTgNcacc+akoNQjW7thmAcjaTWNo5RhAn+7YblwBhiF4mlgjuyilHCH
bhL8S5oL8keoa1WNQ1DSZZHtbYO6iF+iMpEcbfnUWSUeIED7/WN8ffD1hFE/soi8
LZ7gpyvuTD5zz9Maw/JKeHk9sCqo2O9IODV5YZrCzX+eBI5wvW8ub65NhwXdUfX1
nNLz5v23vShovf9bbV/tPcuVf7fIns5Lq9I3ndKiqV68u39qXvChDh1PwNikjdUp
TdkXG293BMry3lJVAzL3YRWQrXzr0YL9nBzf5PTjflu4m4RBeeyDXDcMtMY/VS/n
DQag3iEcETK7RuMrqmSatj/Ti31RDg==
=aIb7
-----END PGP SIGNATURE-----

The new message was signed with the same key:

$ gpg --verify new-solarleaks.net.asc                                                                            
gpg: Signature made Wed Jan 13 12:40:41 2021 GMT
gpg:                using RSA key 24516C2E1CC7890832771178E2C73BC53B9118A0
gpg: Can't check signature: No public key