There are global underground markets where anyone can buy and sell all the malicious code for an attack like the one North Korea is accused of unleashing on Sony Pictures.
These underground markets not only make it more difficult to trace who is responsible for any given hack — they also make launching a sophisticated attack against a global company much easier.
Marc Rogers, a principle researcher at the computer security company, CloudFlare, has been tracking the attack on Sony for weeks and analyzing the code the hackers used.
"This is Windows malware. It's fairly sophisticated, it's very complex, and it's modular," Rogers says. "It's made up of lots of different bits."
The attackers took one piece of code from one place, one piece of code from another and snapped it together like a Lego set. Some of this code is malicious, and some is legitimate.
Now the FBI believes that the attack was carried out by North Korea because some of those bits of nasty code have been used by North Korean hackers in the past. But Rogers isn't completely convinced.
"The malware world is really incestuous," Rogers says. "You have got people who share source code, who borrow things like hacking tools, or even commercial pieces of software."
The Exploit Market
There is a global market for hacking tools. Hackers who trade here can build their own unique attacks by snapping together parts that other groups developed. Rogers says he knows Russians who will sell a complete attack right off the shelf.
"They will sell it to you with a subscription," he says. "When the malware is identified successfully by antivirus, they'll update it for you."
It's software as a service, but for thieves. And it's not just criminals who are buying and selling computer attacks on these gray markets.
"Typically the U.S. government pays out higher than anyone else," says Chace Shultz, a computer researcher.
Researchers like Shultz spend their days searching for ways to make computers do things they were not designed to do. They're looking for ways to pick the digital locks that are intended to keep all of our machines safe. When they find a key for a lock, they can sell it.
"If they were to sell that to another government or that type of thing, they could potentially sell that for hundreds or tens of thousands of dollars," Shultz says.
But he and others say most researchers and hackers don't sell directly to government agencies. Instead they usually sell their attacks to a small global network of global brokers.
In a sense, these brokers are the arms dealers of the digital age. They act as go-betweens — connecting researchers and hackers with buyers, governments and organizations searching for back doors into computer networks.
"You can take an exploit to one of these people, and they will go forth on your behalf," Shultz says.
An exploit is like the key to a digital lock and selling these things can be a lucrative business. But Shultz says it is also ethically dicey.
"The other thing I have to wonder too with some of these brokers is — are they double selling?" he asks.
And Shultz says after you sell a computer vulnerability on the gray market, you can never be sure exactly how it will be used or where it will end up.