Sony Hack Highlights The Global Underground Market For Malware

Dec 26, 2014
Originally published on December 26, 2014 1:12 pm

There are global underground markets where anyone can buy and sell all the malicious code for an attack like the one North Korea is accused of unleashing on Sony Pictures.

These underground markets not only make it more difficult to trace who is responsible for any given hack — they also make launching a sophisticated attack against a global company much easier.

Marc Rogers, a principal researcher at the computer security company CloudFlare, has been tracking the attack on Sony for weeks and analyzing the code the hackers used.

"This is Windows malware. It's fairly sophisticated, it's very complex, and it's modular," Rogers says. "It's made up of lots of different bits."

The attackers took one piece of code from one place, one piece of code from another and snapped it together like a Lego set. Some of this code is malicious, and some is legitimate.

Now the FBI believes that the attack was carried out by North Korea because some of those bits of nasty code have been used by North Korean hackers in the past. But Rogers isn't completely convinced.

"The malware world is really incestuous," Rogers says. "You have got people who share source code, who borrow things like hacking tools, or even commercial pieces of software."

The Exploit Market

There is a global market for hacking tools. Hackers who trade here can build their own unique attacks by snapping together parts that other groups developed. Rogers says he knows Russians who will sell a complete attack right off the shelf.

"They will sell it to you with a subscription," he says. "When the malware is identified successfully by antivirus, they'll update it for you."

It's software as a service, but for thieves. And it's not just criminals who are buying and selling computer attacks on these gray markets.

"Typically the U.S. government pays out higher than anyone else," says Chace Shultz, a computer researcher.

Researchers like Shultz spend their days searching for ways to make computers do things they were not designed to do. They're looking for ways to pick the digital locks that are intended to keep all of our machines safe. When they find a key for a lock, they can sell it.

"If they were to sell that to another government or that type of thing, they could potentially sell that for hundreds or tens of thousands of dollars," Shultz says.

But he and others say most researchers and hackers don't sell directly to government agencies. Instead they usually sell their attacks to a small global network of brokers.

In a sense, these brokers are the arms dealers of the digital age. They act as go-betweens — connecting researchers and hackers with buyers, governments and organizations searching for back doors into computer networks.

"You can take an exploit to one of these people, and they will go forth on your behalf," Shultz says.

An exploit is like the key to a digital lock and selling these things can be a lucrative business. But Shultz says it is also ethically dicey.

"The other thing I have to wonder too with some of these brokers is — are they double selling?" he asks.

And Shultz says after you sell a computer vulnerability on the gray market, you can never be sure exactly how it will be used or where it will end up.

Copyright 2018 NPR. To see more, visit http://www.npr.org/.

DAVID GREENE, HOST:

What a story it has been to follow - first, Sony made a movie in which the fictionalized leader of North Korea is assassinated. Then Sony gets hacked and North Korea is blamed. Theaters are alarmed and Sony pulls the film from its Christmas release, then they change course and the movie, "The Interview," came out in independent theaters yesterday. This whole saga brought cybersecurity to the forefront of national security conversations.

Turns out there is a global underground market where people trade in malicious code and where you can find the tools needed for an attack like the one unleashed against Sony. These markets make it relatively easy to attack a global company and make it hard to trace the perpetrators. Here's Steve Henn from NPR's Planet Money team.

STEVE HENN, BYLINE: Marc Rogers is a principal researcher at the computer security company CloudFlare. He's been tracking the attack on Sony for weeks, analyzing the code the hackers used.

MARC ROGERS: This is Windows malware. It's fairly sophisticated. It's very complex and it's modular. It's made up of lots of different bits.

HENN: Rogers says the attackers took one piece of code from one place, one piece of code from another and snapped it together, kind of like a Lego set. Some of this code is malicious, some is legit. But the FBI believes this attack was carried out by North Korea because some of these bits of nasty code have been used by North Korean hackers in the past, but Rogers isn't completely convinced.

ROGERS: The malware world is really incestuous. You've got people who share source code, who borrow things like hacking tools or even commercial pieces of software.

HENN: And these bits and pieces of malware are bought and sold in a global underground market. Hackers who trade here can build their own unique attacks by snapping together parts that other groups have developed. Rogers says he knows Russians who will sell a complete malware attack right off the shelf.

ROGERS: They'll sell it to you with a subscription. When the malware is identified successfully by antivirus, they'll update it for you so the antivirus can no longer detect it.

HENN: It's kind of like software as a service, but for thieves. And it's not just criminals who are buying and selling computer attacks on these gray markets.

CHACE SHULTZ: Typically, the U.S. government pays out higher than anyone else.

HENN: Chace Shultz is a computer researcher. Researchers like Shultz spend their days searching for ways to pick the digital locks which are intended to keep all of our machines safe. When they find a key for a lock like that, they can sell it.

SHULTZ: If they were to sell that to another government or that type of thing, they, you know, could potentially sell that for, you know, hundreds or tens of thousands of dollars.

HENN: But Shultz says most researchers and hackers don't sell directly to government agencies. Instead, people like this usually sell their attacks to a small global network of brokers. In a sense, these brokers are the arms dealers of the digital age. They act as go-betweens - connecting researchers or hackers with buyers, like governments and organizations, who are searching for backdoors into computer networks.

SHULTZ: You can take an exploit to one of these people and they will go forth on your behalf.

HENN: An exploit is like a key to a digital lock and selling these things can be a lucrative business, but Shultz says it's also ethically dicey.

SHULTZ: The other thing I have to wonder too with some of these brokers and vulnerability markets is - are they double selling?

HENN: Researchers like Shultz say after you sell a computer vulnerability on this gray market, you can never be sure exactly how it will be used or where it will end up. Steve Henn, NPR News.

Transcript provided by NPR, Copyright NPR.