Information Warfare: The Mercenary Marketplace

Archives

September 11, 2013: While it’s getting more and more expensive to be a player in the Cyber War arena, it has also become a lot easier for anyone to purchase illegal Internet weapons for business or pleasure. Go to Forum.zloy.bz and look around. Proceed at your own risk, as this is a marketplace for technically legal software designed for committing illegal acts. There are illegal items available here as well, like stolen credit card data and other “stolen credential” type stuff (if you are into identity theft and the like). Looking to rent a botnet to shut down a web site with DDOS (a flood of bogus data)? Here is where you’ll find it. Want to hire a mercenary black hat (evil hacker) for some custom misbehavior? You have reached your destination.

How can such a den of iniquity exist? Because these hacker market places are based in Russia and the most interesting pages on these sites use Russian, not English. That’s because most of the sellers, and many of the buyers, are from Russia or the 14 new nations that were created from portions of the old Soviet Union. The Russian government tolerates these hacker markets because the market operators, and most of the customers, observe an unwritten agreement wherein they do not misbehave in Russia and are available to the Russian government for special operations that require a high degree of hacking skill. That last bit is very unofficial but very real. So is the certainty of quick and severe punishment if you break the rules and are still in Russia when that happens. There are English language areas where you can go shopping, but the best stuff is available to those who speak (or at least read and write) Russian.

These sites also provide access to tools required to wage Cyber War. Some of the more useful Cyber War items are sold at auction. That’s because Internet security organizations, as well as Cyber War operations, are spending more and more to buy information that can protect networks. Cyber War (attacks on computer networks, usually via the Internet) works best using knowledge of current weaknesses in Internet software. This sort of thing is known as "Zero Day Exploits" (ZDEs). These are freshly discovered and exploitable defects in software that runs on the Internet. These flaws enable a hacker to get into other people's networks and PCs. In the right hands these flaws enable criminals to pull off a large online heist or simply maintain secret control over someone's computer for future gain or further mischief.

The problem with ZDEs is that there is far more demand than supply and most of them are soon eliminated as publishers discover the problem and fix their software. Criminals, Internet security companies, government Cyber War organizations, and major corporations (especially software developers) all bid on ZDEs. As more money is offered for ZDEs more people are getting into the ZDE finding business. Not only is there a lot more money offered for ZDES but there are now so many more ways to get paid. A lot of this is now above ground (legal). The most obvious aspect of this is seen by independent ZDE sleuths operating via an agent, who will get the best price and take a 15 percent commission. The criminals have to be the most imaginative because most of the legal bidders want to fix the ZDE so that it is no longer a threat. The criminals, and Cyber War outfits, want to use ZDEs to get into other people’s system. These groups do not let the software manufacturer know about the flaw in their products. The criminals are looking to make money, the Cyber War groups are doing their damage for less venal and more destructive reasons. Both need more ZDEs, and this has led to criminal gangs and Cyber War operations developing their own teams of ZDE sleuths and paying them well to only deliver their finds to one customer. The gangsters and Cyber Warriors both ensure loyalty via threats. The gangsters will kill ZDE searchers who sell to someone else, while the Cyber War groups can prosecute for treason.

There are other players as well. Many ZDEs are specific to a particular website. That's because each website has some unique characteristics that creates ZDEs that are rare or only show up on that particular site. This is particularly true of heavily defended sites, like those of financial institutions or mega sites like Facebook. An increasing number of large sites, like Facebook, are offering rewards for ZDEs that enable hackers to harm Facebook and its users. Since a lot of Internet experts and hackers are Facebook users, there are a lot of qualified ZDE finders out there with multiple incentives to find and report Facebook vulnerabilities. But even Facebook security people realize that ZDEs are valuable commodities and you have to pay the going rate if you want to be a competitive buyer and protect your site. Thus, the "auction of doom" angle. If the potential payday is big enough, even the biggest Facebook fan will be tempted to sell a very valuable ZDE that could do great damage to Facebook.

ZDEs are no longer found just on the hacker black market, which is the main reason the price has skyrocketed. The price of ZDEs varies a lot. That's because not all vulnerabilities are equal. Some are much more valuable than others because they are more effective or allow attacks on a larger number of targets. Commercial Internet security firms offer rewards to people (usually software engineers who spend too much time on the Internet) who first discover a "zero day vulnerability," as do governments and many other firms with a big interest in Internet security. The rewards for really good ZDEs can sometimes exceed a million dollars and come with bonuses (monthly payments for each month the ZDE is not fixed and still usable). The software publishers and commercial security firms, which provide services for corporate and government clients, offer the rewards openly. There is a more lucrative underground market, financed by criminals and some governments that offer even larger, although riskier, rewards. It’s a booming, lucrative, and occasionally dangerous business and there are still public auctions for some types of ZDEs on the black market hacker sites.

The Internet users, especially large companies, get after the software publishers to find and fix the bugs (ZDEs) quickly. This often does not happen, and fixing these known vulnerabilities often takes several months and sometimes as long as a year or more. This is largely because fixing these bugs is expensive and publishers don't want to risk creating new ones. The publishers know that every time they open their source code to repair something there is a high risk of creating more bugs. It's expensive to fix the bug, test the patched software, and then distribute it to their customers. Thus, unless the bug is highly likely to be exploited, it is not attended to right away. The problem with this approach is that the software publisher may not be aware of just how exploitable the bug is. Criminals and Cyber Warriors have an interest in finding ways to exploit bugs that appear relatively harmless. That turns the bug into ammunition, for the Cyber War, and a way to make money, for the criminals. Those protecting large or critical (banks, intelligence agencies) websites will usually fix problems very quickly. It's the software companies that don't have a similar incentive to move quickly.

For over a decade now Cyber War and criminal hackers have secretly placed programs ("malware") in computers belonging to corporations or government agencies. These programs ("Trojan horses") turn the infected PCs into "zombies" (or "bots") which are under the control of the people who plant them (the "botmasters"). Such control allows the botmaster to steal, modify, or destroy data or shut down the computer systems the zombies are on. You infect new PCs and turn them into zombies by using ZDEs, which is why these flaws have become a billion dollar a year business. A lot of those ZDEs go towards supporting the business of delivering spam. But mixed in with all the garden variety criminality is a lot of corporate and military espionage. There’s also a growing market for ZDEs that exploit the servers, routers, and other specialized computers that run the Internet and many other aspects of modern life (cars, factories, and infrastructure facilities are now dependent on specialized computers that can be hacked).

Cyber War commanders are resigned to the fact that they will have to use mercenaries if they want to survive any future Internet based conflict. Much use is being made of mercenaries right now in the race to build up stockpiles of munitions (ZDEs). In Cyber War the ammo is information. That is, knowledge of vulnerabilities in software connected to the Internet or major networks not connected to the Internet. It's feared that China actually has a lead in this area, a lead they will not discuss but that the victims know exists. Meanwhile, crimes committed via the Internet have become a huge business, bringing perpetrators more than $10 billion a year. At least a third of that goes to black hats operating out of Russia.