Comodo hacker demanded a chat with victim

I've managed to obtain emails sent by the Comodo hacker, aka Sun Ich, to Comodo Italy, starting on March 22 -- one week after its account was used without authorization to generate certificates for companies such as Google, Yahoo and Skype.

Some have suggested to me that these e-mails may indicate another motive -- extortion -- was behind the hack, but so far there's no evidence that this is the case. Sun Ich has told me that he never asked for money, and Comodo confirmed this.

The emails introduce at least one more piece of the puzzle that is this story: Sharonsoft.com. Sun Ich demonstrated to me today that he has control of this domain: without telling Sun Ich, I submitted a Web query asking for comment that went to info@sharonsoft.com, and he later emailed my request back to me.

So either this is a shell company set up by Sun Ich or yet another security consultancy that's been thoroughly hacked. As far as I can tell, Sharonsoft.com didn't exist before March 12, and none of my Israeli infosec contacts have ever heard of it. Have you?

I redacted Comodo Italy VP Massimo Penco's email address from these mails.

> From: Klein Julius <klein@sharonsoft.com>
> To: M Penco
> Sent: Tue, March 22, 2011 6:23:28 PM
> Subject: InstantSSL Stuff
>
> Hi
>
> Does these words means something to you?
>
> loohibitony
>
> gtadmin -> globaltrust
>
> globalsuper
>
> etc.
>
> Do you want more?
>
> Reply back to me for talk
>
> Bye

------------------------------

> ----- Original Message ----
> From: Klein Julius <klein@sharonsoft.com>
> To: M Penco
> Sent: Tue, March 22, 2011 9:59:58 PM
> Subject: Re: InstantSSL Stuff
>
> I can't see your reply
>
> ----- Original Message ----
> Subject: Re: InstantSSL Stuff
> From: "Klein Julius" <klein@sharonsoft.com>
> Date: Wed, 23 Mar 2011 09:19:09 +0100
> To: M Penco
>
> Because I didn't saw your reply, for now, just for now, I wiped your LG Drive and F:\ drive and all log files.
>
> 1) Do not try to recover files, they are wiped securely using SDelete, not simple delete.
>
> 2) Do not try to find me, it's simply impossible.
>
> So now, contact me before I do something so dangerous. Simply personally contact me, do not try to find me, do not try to remove me, do not try anything... You'll just fail, simply contact me for more information.
>
> I'm awaiting... I could cause so hard impossible to recover damages, simply contact me, that's all for now
