At the 37th Chaos Communication Congress (37C3) held in December 2023, a team of researchers unveiled Operation Triangulation – a new Pegasus-styled iPhone attack that exploits over thirty previously unknown vulnerabilities affecting all devices not upgraded to the latest iOS 17 version. From using Galileo RCS for government interception to attacking power plants, digital arms producers are now considered mainstream defence contractors in 2024. Cyber products, such as Cobalt Strike, used by threat actors to generate malicious payloads, are regulated by US export control regulations and require licenses for export to more than 40 countries. Hacking is no longer an endeavour involving a single individual or team; instead, it has evolved into a complex supply chain with different suppliers specialising in their niches.
There are primarily three types of covert cyber weapons used in high-precision surgical attacks: malware (implants), listening posts, and C2 (command & control) systems. Additionally, there are DoS (denial of service), DDoS (Distributed DoS), and botnets that use a network of computers to flood a public service. However, all types of weapons have an integrated supply chain.
Similar to the C3 conference that exposed vulnerabilities in the public domain, the cyber supply chain begins with a fully-fledged market for discovering vulnerabilities in commonly used software on PCs and mobiles. While some cybersecurity companies, such as runZero, Inc., publish vulnerabilities and exploits for public awareness, there exists a vast grey market for zero-days or undisclosed exploits. Companies like Zerodium (formerly Vupen) sell unpublished exploits to government agencies and offer substantial bounties to individuals reporting exclusive exploits related to web browsers, iOS, and Android. Some companies act as retailers of zero-days, while many have extensive research staff and are original producers of new exploits. It is noteworthy that the US government doesn’t crack down on zero-day grey markets, given that agencies like the National Security Agency (NSA) stockpile zero-day vulnerabilities and payloads for exploitation.
Read: ‘Cybersecurity requires global cooperation’
Two types of markets then emerge from these zero-day vulnerabilities: one for security products such as firewalls, IDS, NDR, EDR, and antiviruses that incorporate defences against newly known exploits, often leading to the release of patches from respective vendors. Many antivirus companies retrain their AI-based behavioural models on payloads based on newly known exploits, with the expectation of countering other variants of such attacks.
Similarly, there is a market for cyber weapons benefiting from both the white and grey markets of zero-days, although the time window to weaponise already published exploits in the public domain is relatively small. Corporations like Memento Labs offer tools for monitoring communication mediums and targeted surveillance of political figures on behalf of government agencies. Simultaneously, corporations like Cambridge Analytica and YouGov have exploited social media for managing public opinion in line with hybrid warfare.
Then, there is a black market for code generators that use current exploits to auto-generate trojans, viruses, and other “weaponised” malware. North Korean and Russian hackers weaponise these exploits to attack large organisations, stealing and encrypting data with demands for payments in crypto as a ransom. In 2023, the average ransom payment is now touching the $1.5 million mark and has become a menace for administrators of government, educational, and commercial establishments. For example, the Moscow-based Medusa group (with proxy servers in the Netherlands) hit numerous universities last year and released sensitive data related to student psychological, financial, and other assessment reports on the dark web.
Unfortunately, unlike nuclear and missile programmes, cyber weapons pose a serious proliferation risk as they are challenging to regulate and retain, and even employees who developed them can easily exfiltrate copies of software without leaving any trace. Government hackers who acquire such weapons often sell their services in black markets, as they are willing to pay millions for weapons based on undisclosed zero-days. In a nutshell, gone are the days when hacking was a sport for some rogue teenager or tech geek – it has now evolved into a complete ecosystem and, particularly, a lethal one.
THE WRITER IS A CAMBRIDGE GRADUATE AND IS WORKING AS A STRATEGY CONSULTANT
Published in The Express Tribune, February 5th, 2024.
Like Business on Facebook, follow @TribuneBiz on Twitter to stay informed and join in the conversation.
COMMENTS
Comments are moderated and generally will be posted if they are on-topic and not abusive.
For more information, please see our Comments FAQ