VMWare Source Code Leak Follows Alleged Hack of Chinese Defense Contractor

Photo: Jason Allen

Source code belonging to VMWare has leaked to the internet after apparently being stolen by a hacker who claims to have obtained it from a Chinese firm’s network.

The source code belongs to VMWare’s ESX virtual machine software product, a popular tool for creating and operating virtual computing environments. The code was posted to the Patebin website, a repository for coders that has become a favorite for hackers to publish purloined wares.

VMWare acknowledged the leak in a note posted to the company’s website.

On Monday, VMWare “became aware of the public posting of a single file from the VMware ESX source code and the possibility that more files may be posted in the future,” wrote Iain Mulholland, director of the company’s Security Response Center, in the note.

Mulholland said the code dates from the 2003-2004 timeframe and noted that the company regularly shares its source code with other industries, suggesting that the software might indeed have been stolen from a third-party network, rather than VMWare’s own network.

But Mulholland, naturally, downplayed the seriousness of the leak.

“The fact that the source code may have been publicly shared does not necessarily mean that there is any increased risk to VMware customers,” he wrote.

Others disagree with this assessment.

“The real pain for the industry in this case is … the intimate knowledge attackers may now possess of possible vulnerabilities in a critical virtualization tool that is the foundation for many enterprise data centers, clouds, and applications,” said Mark Bower, a vice president at Voltage Security, in a statement.

A hacker who goes by the name “Hardcore Charlie” claimed responsibility for the leak and asserted that he possessed about 300 Megabytes of VMWare source code, more of which would be released. He said the data was part of a cache taken from a previously reported breach of a network belonging to the Beijing-based China Electronics Import & Export Corporation, which works with the Chinese military.

The hacker told Reuters earlier this month that he had targeted CEIEC in an effort to uncover documents about the U.S. government’s involvement in Afghanistan. He said he worked with another hacker who goes by the name YamaTough.

Hardcore Charlie told security firm Kaspersky that they got to CEIEC and other firms after first targeting Sina.com, an e-mail hosting firm. After stealing the credentials of hundreds of thousands of accounts, the hacker said they cracked the cryptographic hashes on credentials for interesting accounts, such as ones belonging to workers connected to CEIEC and other firms, and then purloined more than a terabyte of data from those company networks.

Earlier this month, he posted documents from those breaches, some of which purport to be U.S. military reports and shipping documents related to Afghanistan.

Although VMWare has confirmed the authenticity of its leaked source code, the authenticity of the U.S. military documents published by the hackers, or the story about how the breaches were accomplished, have not been verified.

The VMWare leak matches some details around a similar source code leak earlier this year involving Symantec products. Hardware Charlie’s alleged partner in crime, YamaTough, claimed responsibility for that leak.

In February, YamaTough posted files belonging to six-year-old versions of Symantec’s source code, including its 2006 Endpoint Protection 11.0 and its discontinued Symantec Antivirus 10.2. The hacker posted the code after an alleged attempt to extort $50,000 from Symantec.

YamaTough apparently obtained the code from a hacker group calling itself the Lords of Dharmaraja. That group claimed it uncovered the source code on servers belonging to India’s military intelligence agency. But a document the group initially published with their claim, purporting to show cooperation between Symantec and the spy agency, proved to be false.

Symantec later said it believed the files might have been taken during a previously undisclosed breach of its own network in 2006.