Hackers Release Symantec Source Code After Failed $50K Extortion Attempt

Photo: Mooganic/Flickr

Hackers with the Anonymous collective have released source code for Symantec’s pcAnywhere product after failing to secure $50,000 from the company in an extortion attempt.

A hacker going by the online name YamaTough published 1.27 GB of the source code on Pirate Bay Monday night after negotiations to extort money from someone he believed was a Symantec employee fell through. In reality, the Symantec “employee” was an undercover law enforcement agent who was using a fake Symantec email address to communicate with the hacker.

The hacker, apparently believing he was communicating with a real Symantec employee, published the email exchange on Monday at Pastebin. The posted emails began on Jan. 18 and ended late Monday night.

Symantec acknowledged the email exchange was authentic.

“In January an individual claiming to be part of the ‘Anonymous’ group attempted to extort a payment from Symantec in exchange for not publicly posting stolen Symantec source code they claimed to have in their possession,” Symantec spokesman Cris Paden revealed in an uncharacteristically frank statement. “Symantec conducted an internal investigation into this incident and also contacted law enforcement given the attempted extortion and apparent theft of intellectual property. The communications with the person(s) attempting to extort the payment from Symantec were part of the law enforcement investigation. Given that the investigation is still ongoing, we are not going to disclose the law enforcement agencies involved and have no additional information to provide.”

It’s unclear from the exchange who broached the topic of money first, though the Symantec statement seems to imply that the hacker introduced the discussion of payment. The published correspondence begins in the midst of the negotiations with an email titled “up to you” from “Symantec,” saying “Have to check with Finance people. We will contact you tomorrow.” The initial emails have not been made public.

The published email exchange, and Symantec’s frank admission of the undercover operation, shed light on an often under-reported phenomenon whereby hackers steal intellectual property or breach a network, then attempt to extort payment in exchange for not selling or publishing stolen data. Vague details about such incidents have been discussed at conferences in the past, but this appears to be the first time that the actual negotiations were made public.

The undercover agent posed as an employee named Sam Thomas (who doesn’t exist) and initially used a Symantec email address for the communication with the hacker. But the agent quickly asked the hacker to move the discussion to a Gmail account, under the same name of the fabricated Symantec employee.

“Because our email system strips large attachments, send sample files to this address where we can get attachments: [email protected],” the agent wrote. But the Gmail account apparently also rejected the large files the hacker sent.

“Your google acc rejects attachments so we sent it to sym addie,” the hacker responded.

The undercover agent then informed the hacker that Symantec was trying to set up an FTP server to receive the sample files. But the hacker, suspecting a trick, replied:

If you are trying to trace with the ftp trick it’s just worthless.
If we detect any malevolent tracing action we cancel the deal.
Is that clear?
You’ve got the doc files and paths to the files, what’s the problem?

As the negotiation continued, the hacker appeared to place the ball in Symantec’s court to determine a fair price to pay to keep him from selling its source code. “How much do you consider ENOUGH to pay us in order to work all the issues out? Name the price, Clock’s tikin,” he wrote on Jan. 25. Negotiations over the amount and the method of payment continued until this week, when the hacker announced Monday evening:

Since no code yet being released and our email communication wasn’t also released we give you 10 minutes to decide which way you go after that two of your codes fly to the moon PCAnywhere and Norton Antivirus totaling 2350MB in size (rar) 10 minutes if no reply from you we consider it a START this time we’ve made mirrors so it will be hard for you to get rid of it.

Shortly thereafter, the code and emails were published.

Symantec acknowledged in late January that source code for its pcAnywhere program had been stolen by hackers in a previously undisclosed breach that occurred in 2006.

The pcAnywhere software is a popular remote-access program that lets administrators get into computers to troubleshoot and also allows mobile users on the road to access content on their office desktop. It’s also installed on point-of-sale terminals in stores and restaurants to allow administrators to update software that processes credit and debit cards as they’re scanned at a register check-out.

Symantec’s Cris Paden told Threat Level last month that the company did not know its source code had been stolen at the time of the breach.

“We knew there was an incident in 2006,” he told Threat Level. “But it was inconclusive at the time as to whether or not actual code was taken or that someone had actual code in their hands.”

Following the public claim by hackers in early January that they had source code for pcAnywhere, Norton Utilities and other products, Symantec said it had gone back through its logs and records and “put 2 and 2 together that there was a source code theft.”

The release of source code would allow hackers to study the program to find security vulnerabilities that would allow them to potentially breach companies using the programs. But Symantec told customers in January to disable their pcAnywhere programs until the company could patch the systems, which it has subsequently done.