Cyber Incident Victim: Red Hat
Date: Sep 2015
Location: United States of America
Summary
An intrusion occurred on external sites hosting the Ceph community project and Inktank downloads, resulting in unauthorized access to code packages signed with specific signing keys. The company confirmed no compromised code was currently available for download but acknowledged the possibility of past exposure. While no customer data was stored on the breached servers, usernames and hashed fixed passwords used for download authentication were potentially accessed. In response, the company re-signed affected software releases with its standard key, issued a new signing key for community downloads, and notified customers to obtain the rebuilt packages. The investigation remains ongoing with no evidence of malicious activity beyond the initial access.
Description
In September 2015, Red Hat disclosed an intrusion affecting the websites of the Ceph community project (ceph.com) and Inktank (download.inktank.com), both hosted outside Red Hat’s infrastructure. Unauthorized parties gained access to these systems, compromising signed code packages used for software distribution. The Inktank site hosted Red Hat Ceph product releases for Ubuntu and CentOS, signed with the Inktank signing key (ID 5438C7019DCEEEAD), while ceph.com contained upstream Ceph community packages signed with a separate Ceph key (ID 7EBFDD5D17ED316D). Red Hat confirmed the intruders accessed these signed artifacts but found no evidence that compromised code was actively available for download at the time of discovery. The company acknowledged it could not definitively rule out the possibility that malicious code might have been temporarily available in the past. Additionally, the compromised servers stored usernames and hashed passwords that Red Hat had supplied to customers for download authentication, though no customer data or sensitive operational information resided on the systems.

Red Hat responded by re-signing all affected Ceph versions from Inktank using its standard release key and issued a new signing key (ID E84AC2C0460F3994) for ceph.com downloads to replace the compromised credential. The company proactively contacted known customers to advise downloading the re-signed packages as a precautionary measure. While emphasizing no active code compromise had been identified, Red Hat urged vigilance and confirmed its investigation remained ongoing to assess the full scope and timeline of the intrusion. The incident highlighted risks associated with externally hosted infrastructure supporting critical software distribution channels, particularly the exposure of code-signing mechanisms. Red Hat maintained transparency regarding the breach’s limitations, including the absence of customer data exposure and the lack of observed malicious activity stemming from the accessed materials at the time of disclosure.
