Symantec confirms hacker extortion

Symantec has today confirmed that email correspondence between the company and a hacker, in which the company attempted to confirm the theft of its source code and offer US$50,000 to stop it from appearing online, did actually occur.
Written by Luke Hopewell, Contributor

Symantec has today confirmed that email correspondence between the company and a hacker, in which the company attempted to confirm the theft of its source code and offer US$50,000 to stop it from appearing online, did actually occur.


Symantec was reportedly held to ransom for its PCAnywhere source code.
(Credit: Gunpoint image by Jason Ralston, CC2.0)

Symantec told ZDNet Australia that the extortion attempts came from a hacker who claimed to be a member of the infamous Anonymous hacktivist collective.

"In January, an individual claiming to be part of the 'Anonymous' group attempted to extort a payment from Symantec in exchange for not publicly posting stolen Symantec source code they claimed to have in their possession. Symantec conducted an internal investigation into this incident, and also contacted law enforcement, given the attempted extortion and apparent theft of intellectual property. The communications with the person(s) attempting to extort the payment from Symantec were part of the law-enforcement investigation.

"Given that the investigation is still ongoing, we are not going to disclose the law-enforcement agencies involved, and have no additional information to provide," Symantec said in a statement this afternoon.

The correspondence was posted to Pastebin by the hacker. It shows Sam Thomas, an apparent Symantec representative, asking for more time to confirm the legitimacy of the information held by the hacker named yamatough .

"Management needs assurances," Thomas said in the correspondence. He asked in a separate email for five files, and the paths at which they were discovered on the breached Symantec servers, as a method of proving that the threat against the company was real.

What followed was a back-and-forth conversation over the next five days, where Symantec appeared to try to stall yamatough. By the fifth day, yamatough became impatient, and levelled the first serious threat at the company.

"If we don't hear from you in 30 m[inutes], we make an official announcement and put your code on sale at auction terms. We have many people who are willing to get your code.

"Don't f*** with us," he wrote.

The email trail showed Thomas and Symantec pleading for three more days to negotiate what Thomas described as a complex process on his end. Yamatough replied that releasing the code without giving Symantec a chance to get it back was a breach of his one golden rule.

"We have a rule — and we always follow it: if you are the owner — you have the right to be the first one asked. That is why we kept silent at the time of negotiating with you.

"We stick to the word given, and nothing is going to happen to the code if we complete the deal. Were we not that way, we would have already sold your code to that willing many," yamatough wrote, before making an open-ended ransom demand on Symantec's source code.

"How much do you consider enough to pay us in order to work all the issues out?

"Name the price. Clock's tikin [sic]," the hacker added.

Financial negotiations boiled down to a plan by Symantec to pay the hackers $50,000 over three months, to ensure that the code was not released after the payments, which were going to be paid into an offshore account, had cleared.

"We will pay you $50,000.00 USD total.

"However, we need assurances that you are not going to release the code after payment. We will pay you $2500 a month for the first three months. Payments start next week. After the first three months, you have to convince us you have destroyed the code before we pay the balance. We are trusting you to keep your end of the bargain.

"You know how the corporate environment works, and we have to treat this like a business transaction," Thomas wrote.

Part of the deal would involve yamatough releasing a public statement saying that the hacker had lied about the Symantec breach.

"You will make a public statement on behalf of your group that you lied about the hack (as you previously stated). Once that's done, we will pay the rest of the $50,000 to your account, and you can take it all out at once. That should solve your problem," Thomas wrote.

The hacker wouldn't accept the staged payment deal, which he claimed on Twitter would have been donated to The Smile Foundation, an Indian charity, and decided to release the correspondence, as well as put the code up for auction.

Yamatough posted on Twitter today that the source code for PCAnywhere, System Works, Internet Security and Norton GoBack is now on sale for purchase.

Symantec fell victim to hackers on New Year's Day. The hackers purportedly stole the source code for PCAnywhere from Indian military servers. The security provider issued a hotfix for the issue in mid January, before declaring the software safe to use.

Editorial standards