Nokia is investigating a third-party security breach after prolific threat actor IntelBroker listed the company’s allegedly stolen source code for sale on the dark web forum BreachForums.
The threat actor claims the data was pulled from the server of a third-party developer who helped Nokia build internal tools.
“Today, I am selling a large collection of Nokia source code, which we got from a 3rd party contractor that directly worked with Nokia to help aid their development of some internal tools,” the hacker said.
Nokia says it takes the allegations seriously but insists that its internal systems were not compromised during the incident.
Nokia security breach leaked source code, credentials, keys, and more
The threat actor claims the stolen data includes SSH keys, source code files, RSA keys, BitBucket logins, SMTP accounts, webhooks, and hardcoded credentials. The compromised repository also contained Python source code as well as JavaScript, JSON, and PHP files.
Besides exposing the company’s internal secrets and product security vulnerabilities, exposed credentials give threat actors a foothold for further attacks. Compromised credentials are among the top initial-access vectors for damaging cyber attacks, including ransomware.
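As an added, defender-side illustration (not code from the article, from Nokia or from the contractor involved), the scanner below flags the categories of material the threat actor listed, private keys, credentials embedded in repository URLs, webhook URLs and hardcoded passwords or tokens, in source files before they reach a shared repository. The file names and contents are constructed sample input, and the patterns are heuristics to be tuned for a real code base.

```python
import re

# One heuristic per class of secret named in the leak description.
# Patterns are deliberately broad; false positives are cheaper than a leaked key.
SECRET_PATTERNS = {
    # PEM-style private key header (RSA, OpenSSH, EC, DSA or unlabelled)
    "private_key": re.compile(r"-----BEGIN (?:RSA |OPENSSH |EC |DSA )?PRIVATE KEY-----"),
    # user:password@host embedded in a clone/fetch URL (e.g. a BitBucket login)
    "url_embedded_credential": re.compile(r"https?://[^/\s:@]+:[^@\s]+@"),
    # URLs that look like webhook endpoints
    "webhook_url": re.compile(r"https?://[^\s'\"]*(?:webhook|hooks)[^\s'\"]*"),
    # key = "literal" assignments; os.environ lookups are not matched
    "hardcoded_credential": re.compile(
        r"(?i)(?:password|passwd|pwd|secret|token)\s*[=:]\s*['\"][^'\"]{4,}['\"]"
    ),
}

# Constructed sample files (hypothetical, not real Nokia or contractor material).
SAMPLE_FILES = {
    "settings.py": (
        'SMTP_HOST = "smtp.example.com"\n'
        'SMTP_PASSWORD = "hunter2-mail"\n'
        'DB_PASSWORD = os.environ["DB_PASSWORD"]\n'
    ),
    "deploy.sh": (
        "git clone https://ci-bot:s3cretT0ken@bitbucket.org/example/tools.git\n"
        "curl -X POST https://hooks.example.com/services/T000/B000/abc123\n"
    ),
    "id_rsa": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "MIIEpAIBAAKCAQEA...\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
}


def scan_text(text):
    """Return (line_number, kind) for every line matching a secret pattern."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append((lineno, kind))
    return findings


def scan_files(files):
    """Map file name -> findings, keeping only files with at least one hit."""
    results = {name: scan_text(text) for name, text in files.items()}
    return {name: hits for name, hits in results.items() if hits}
```

Wired into a pre-commit hook or CI job, a non-empty result from scan_files blocks the push, which is the point at which material like this should be caught.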
“The reported security breach potentially involving Nokia’s source code and credential information represents a bit of a head-scratcher, given that it appears to be another case where third-party credentials for access to the software supply chain were compromised,” said Jim Routh, Chief Trust Officer at Saviynt.
“The head-scratching comes from why a third party has access to Nokia source code. Perhaps the third party was a software engineer contributing to the software build process,” Routh suggested. “In any event, credential management for access to the software build process appears to be what was exploited by the threat actor. Enterprises that improve their identity management maturity for those cloud accounts with access to the software supply chain will be better positioned to avoid these types of incidents.”
Compromised via third-party software development partner
The threat actor claims the security breach started with the developer’s SonarQube server, which was running with default credentials. However, the identity of the compromised third-party software development partner remains unknown.
Nonetheless, IntelBroker clarified that the Nokia security breach was not related to the Cisco hack that the threat actor also claimed. Nokia has also asserted that the third-party security breach did not affect its internal systems.
“To date, our investigation has found no evidence of any of our systems or data being impacted. We continue to closely monitor the situation,” the company said in a statement.
IntelBroker also stated that customer data was not involved in the Nokia hack, although supply chain attacks affecting customers and business partners remain possible outcomes.
Companies also cannot distance themselves from third-party data breaches, because they are obligated to vet their business partners. In particular, the partner’s alleged use of default credentials on a development server does not reflect well on Nokia.
Meanwhile, the attacker says the exposed Nokia source code was not offered for public auction but reserved for the most reputable members of the underground hacking forum, underscoring the severity of the security breach. IntelBroker is demanding $20,000 for the exposed Nokia data.
The Nokia security breach is among over 80 data leaks that the reportedly Serbian hacker has claimed since October 2022.
In October 2024, IntelBroker claimed the Cisco security breach that leaked GitHub, GitLab, and SonarQube projects, source code, and hardcoded credentials. Others include AMD, Apple, Europol, and HPE data leaks.
Source code remains a valuable prize for threat actors who probe companies’ products for security vulnerabilities to exploit in future compromises, including supply chain attacks.
Source code could also fetch a handsome price from the victim’s business rivals and from nation-state actors, given that Nokia is a government contractor on various strategic projects, including defense.
Threat actors could also demand a substantial extortion payment in exchange for not leaking such sensitive information online.
Nokia has not confirmed receiving any ransom demands from the threat actor. However, with the threat actor having made the alleged security breach public and put the stolen data up for sale, it is evident that a ransom payment was off the table.