The new Intelligence
Legally, zero-day market is completely legal, and the best - or should we say the most hidden - vulnerabilities which can be used well, are most highly paid by government organizations, because they can be used to steal important data from the opponents’ computers.
Article from magazine NIN
Pierre works for a small digital security company. They sell their consulting services to larger companies, and assist them in protecting their networks and servers, and thereby their data. They perform deep analysis of new computer viruses and create protection from them. If they happen to be the first to make a protection from a new threat, they can sell their solution to either the manufacturer of the attacked program (most commonly Microsoft), or to anti-virus software manufacturers, which is a profitable endeavor. But last night, Pierre struck gold and discovered Zero-day. Zero-day implies an unknown vulnerability in an operating system which enables access to all the important data therein, such as passwords and user data. Notably excited, he called his partner Kurt to check and verify if zero-day is a worthwhile discovery.
A few days later, armed with three levels of explanations, they began contacting the most renowned buyers on the zero-day market. Only twelve hours later, they observed two purchase offers from two ends of the world. They could only assume that one offer came from a hacker group known as The Equation, which is allegedly connected with the National Security Agency of the US, and the other from the opposing hacker group called The Shadow Brokers, rumored to be a Russian hacker group working for the Russian government, or possibly just a whistleblower within The Equation itself, who simply exposes their work. The name Shadow Brokers comes from Mass Effect, a popular computer game and graphic novel, in which a character by this name sells information to the highest bidder, but always takes into consideration the balance of power. Therefore, he never sells all the information only to one side, so as not to disturb the balance and potentially lose clients.
Pierre knew very well that in their last action in April, The Shadow Brokers have published a tool developed by The Equation and so discovered 23 unknown vulnerabilities, zero-days included. Even though Microsoft and anti-virus programs immediately issued patches to shut down these vulnerabilities for all users, the WannaCry ransomware virus and worm managed to infect many computers and collected a couple hundred thousand Euros in ransom. This virus/worm used one of the zero-days published by The Equation.
Kurt held the opinion that they can sell the newly discovered vulnerability to anyone because the difference between the offers was minimal.
Legally, zero-day market is completely legal, and the best - or should we say the most hidden - vulnerabilities which can be used well, are most highly paid by government organizations, because they can be used to steal important data from the opponents’ computers. Let’s recount the usage of a few zero-days to deploy the first digital weapon in history. It is considered a weapon not only because it steals data, but because it also destroys physical goods. Thus, the Stuxnet virus was manufactured and developed through several versions for the purpose of stopping the nuclear program of Iran. It was deployed through a USB stick into the computer of a consulting firm which was working on implementing centrifuge management programs in Iranian uranium enrichment facilities. The industrial systems targeted by Stuxnet were controlling the speed of the centrifuges. Stuxnet has caused uncontrolled centrifuge operation, either too fast or too slow. Everything seemed normal on the control panels, so the virus was noticed very late, when approximately more than a thousand centrifuges were damaged, which slowed down the Iranian nuclear program for at least two years.
Pierre and Kurt received their six-figure fee and submitted the documentation for zero-day. The money was deposited into the account, and they didn’t concern themselves with the purpose and the consequences of this purchase. Even the governments of the world’s most powerful countries hire mercenary hackers.
Recently we were talking with Kim Zetter, a famous author in the area of cybernetic and national security, and we asked:
BV: The development of Stuxnet demanded tremendous resources, available only to large and wealthy countries. This puts them at an advantage, because small countries such as Serbia do not have enough resources to defend themselves. What is your opinion on this matter?
KZ: This is true, if we are talking about defense. An interesting fact is that the usage of digital weapons has expanded the battlefield for those countries who don’t have enough resources for an army. This way you don’t need the full gear, nor the soldiers to wield this digital weapon. Even if your army is lacking the skills, you can buy them from mercenary hackers. This is what we believe is happening in Russia. Many hacks happening outside of Russia are not the deed of their government per se, but of the hackers the government has hired to do their work. This opens up new possibilities for smaller countries to even out the field with the larger ones.
It remains to be seen whether the development of digital security in Serbia will follow the government’s new digitalization program.
*Kim Zetter authored a book, Countdown to Zero Day, which investigates and explains the appearance of Stuxnet as a digital weapon.
Branislav VujovicPresident New Frontier Group
Strive to become better
Branislav Vujovic is founder and also president of New Frontier Group and has overall responsibility for the New Frontier Group, with special focus on Innovation, M&A strategy, group strategy and investor relationship.