FBI: Cyber Threat Actors Stole Source Code From US Government Agencies And Private Companies

insecure SonarQube instances

The FBI (Federal Bureau of Investigation) has sent out a security warning on October 14, 2020, regarding insecure SonarQube instances. It says that threat actors are misusing them to steal source code from US government agencies and private companies.


The FBI started noticing source code leaks relating to insecure SonarQube instances back in April 2020. Surprisingly, the threat actors didn’t restrict the leaks to US government agencies, but they also targeted private businesses. The targeted private firms, which ended up losing their source code, were from retail, finance, technology, eCommerce, and manufacturing sectors.

The Risks Associated With SonarQube Applications Trace Back to 2018

As far back as May 2018, security researchers repeatedly warned about the risks of neglecting SonarQube applications exposed with default credentials. At the time, Bob Diachenko, a data breach hunter, notified about it in his tweet on May 16, 2018. He said that about 30%-40% of all the 3,000 SonarQube instances available online were set without authentication mechanisms and passwords.


LIFARS’s Cyber Threat Hunting is an essential exercise to improve cyber defenses.


Fast Forward to August 2020

Unidentified threat actors leaked indigenous data from two organizations via a public lifecycle repository tool in August 2020. No wonder the stolen data was obtained from insecure SonarQube instances.

The instances sourced from SonarQube used admin credentials and default port settings running on the affected networks of such organizations.

Tillie Kottmann, a developer and reverse engineer, obtained and published the leaked code of more than 50 companies, including Adobe, Microsoft, Motorola, and Nintendo.

The given activity is notably analogous to the earlier data leak in July 2020. In a July leak, a known cyber actor accessed the insecure SonarQube instances and exfiltrated proprietary source code. Later, he published the obtained source code on a self-hosted public repository.

What is SonarQube?

SonarQube is an open-source platform. It is an automatic code review tool that discovers bugs and security vulnerabilities in source code on 27 programming languages.

It integrates with Visual Studio, Eclipse, and IntelliJ IDEA development environments via the SonarLint plug-ins. Also, it integrates with external tools, such as Active Directory, LDAP, GitHub, and others. With the use of plug-ins, SonarQube is expandable.

How Do Threat Actors Conduct the Attack?

First of all, the attackers scan the web to come across insecure SonarQube instances available to the open Internet. Such instances literally use publicly accessible IP addresses and the default port (9000).

Later, they attempt to access SonarQube instances using default administrator credentials (password: admin, username, admin).

Mitigation Measures

The FBI alert mentions a series of steps that companies can adopt to protect their SonarQube servers.

  • It urges to change the SonarQube default settings, including default administrator password, username, and port (9000).
  • It asks to take a login screen at the front of SonarQube instances. After that, check if unauthorized users can enter the instance.
  • If possible, suspend the connectivity of any application programming interface keys or other exposed credentials in a SonarQube instance.
  • Take action to bring SonarQube instances under a firewall and other perimeter defenses of your organization to block unauthenticated access.

Takeaway Lesson

“SonarQube instances” incident is another buzz-causing cyber incident from a series of incidents taking the limelight. Dismally, cyberattacks are on the rise as more businesses are shifting to the Internet. The only way forward is to adopt a proactive security approach as far as cybersecurity is concerned.


FBI alleges invasions on inadequately configured SonarQube source code management tools.

Dozens of companies lost their source code.

FBI alert on October 14, 2020.