The Complex

Black Market for Malware and Cyber Weapons is Thriving

The world of computer hackers who sell stolen credit card numbers, spyware, and cyber weapons is often likened to an "underground," a word that implies the existence of a place cut off from most Internet users and existing in a corner of the Web that most people never see. But a new report concludes that the markets actually function more like thriving bazaars subject to the same economic forces as legitimate stores. And just like those legitimate stores, the bazaars aren't that hard to find.

A simple YouTube search can unearth dozens of videos describing how to use hacker kits to break into Web sites or steal bank account login credentials. Google "buy stolen credit cards" and you'll eventually get directions to dozens of storefronts that offer up pilfered account data. The cyber black market "has emerged as a playground of financially driven, highly organized and sophisticated groups," conclude the authors of a new report from the Rand Corp., the independent research group that often provides analysis to the Defense Department and U.S. intelligence agencies.

"Almost any computer-literate person" can get access to the cyber black markets, which have been "growing in size and complexity" for nearly a decade, the report found. From the late 1990s to around the mid-2000s, the market largely consisted of "ad hoc networks of individuals initially motivated by little more than ego and notoriety." Today, it is a decentralized but highly organized world with its own procedures for vetting buyers and rooting out unreliable or fraudulent sellers using a system of community-based ratings that the authors likened to Amazon reviews.

"It isn't a bunch of kids anymore. These are people who do this for a living," Martin Libicki, the Rand project leader, said in an interview. (The report was sponsored by Juniper Networks, a Sunnyvale, Calif.-based company that manufactures computer networking equipment.)

The black market stores are run by hackers living around the world, including the United States and Asian and European countries. Among the items for sale are a wide range of hacker toolkits and cyber weapons, including so-called zero day exploits, which target vulnerabilities in software that haven't been discovered by their manufacturers. Government intelligence agencies often use those same virtual holes to gain clandestine access into foreign computer systems in order to implant eavesdropping equipment and potentially take control of the systems themselves.

Many computer security experts believe that the National Security Agency is one of the largest purchasers of zero days on a "gray market" that is not precisely illegal, but doesn't operate in the open, either. In this market, large defense contractors as well as smaller computer security firms often act as brokers between the NSA and independent security researchers, or hackers who discover the zero days and then sell them. The NSA hangs onto the zero days and incorporates them into new cyber weapons and espionage tools.

To buy a zero day, a purchaser has to know one of those researchers or work with a broker who can make an introduction to them, the Rand report found. The exploits can only be used once and are hard to come by, which is one reason they're so expensive. The price for zero days varies in the extreme, from a few thousand dollars to as much as $300,000, the Rand authors found. Rare instances of zero days selling for as much as $1 million have been reported.

Some computer security companies and software vendors will pay researchers a "bug bounty" for zero days, so that they can be taken off the market and not used for attacks. But hackers can fetch 10 to 100 times more on the gray markets, where government agencies and corporations are the big buyers, as well as on the black market where criminals are the likely purchasers, the Rand study found.

Zero days feature prominently in cyber weapons like the Stuxnet worm that the United States and Israel used to disable centrifuges in an Iranian nuclear plant between 2007 and 2010. Stuxnet used at least four zero days, which allowed the worm to penetrate software inside the plant and ultimately take control of equipment that regulated how fast the centrifuges were spinning.

A panel of experts appointed by President Obama to review the NSA's operations in the wake of leaks by former contractor Edward Snowden called on the agency to halt its acquisition of zero days and said the government should be in the business of informing companies about the weaknesses in their products, not hoarding information that could be used to exploit them. A separate group of advisers is reviewing that recommendation, but the White House hasn't announced their results.

The Rand report doesn't address the NSA's purchases of zero days. But it suggests that the agency's efforts to thwart privacy-protecting technologies such as encryption could help fuel the market for illicit hacking. If more people use encryption and other tools to shield their communications from the government's prying eyes, that in turn will give hackers a reason to develop and sell new tools to try and break those communications.

Although the cyber black market deals in illicit goods and services, the sellers are subject to the same laws of supply and demand as their licit counterparts. For instance, after hackers stole upwards of 70 million people's credit card and personal information from the retail chain Target last year, credit card numbers flooded the cyber black market. As customers became aware their accounts may have been compromised, they started canceling their cards, and the prices for purloined numbers fell. Demand for the numbers was limited by how long they could still be used to make unauthorized purchases, the Rand authors found.

Just as with commercial retailers, "Goods and services tend to be reliable (though not always), and implementation and transactions are quick and efficient," the report said. Experts whom the Rand researchers interviewed were cautious about speculating on how much money the cyber black market generates, but one asserted that it accounts for billions of dollars in annual revenues, at least. Some individual sellers can reach between 70,000 and 80,000 people and bring in hundreds of millions of dollars, the authors found.

"In certain respects, the black market can be more profitable than the illegal drug trade; the links to end-users are more direct, and because worldwide distribution is accomplished electronically, the requirements [for setting up shop] are negligible," the report said.

In addition to credit cards, popular items for sale include toolkits for stealing login and password credentials for social media sites; spear-phishing services designed to trick users into opening viruses masquerading in legitimate-looking emails; and networks of hijacked computers, or botnets, that can be used to overwhelm Web sites and cause them to crash.

Efforts by law enforcement agencies to shut down online black markets -- the takedown of the Silk Road site, where hackers did business alongside drug dealers and arms merchants, is one example -- are just making criminals tighten up their own security, the report found. Some markets are vetting customers and sellers and are moving their business to private networks that only allow trusted customers. They're also anonymizing and encrypting communications to shield people's identities and protect their transactions. The report predicts that these techniques, which help buyers and sellers evade detection by law enforcement, will increase, as will the use of digital currencies, such as Bitcoin, to pay for hacker tools and services.

What's more, the black market is highly resistant to outside disruptions -- like suppliers suddenly going out of business -- another way it's like a traditional marketplace, the report found. As soon as one merchant closes shop or is taken down by authorities, another rushes in to take its place.

The market is also diverse. Some sellers specialize in one product or service -- renting access to a botnet, for instance -- whereas other hackers have set up variety stores that offer many different items.

The authors predict an increased demand for tools and services that target social networks and mobile devices, and that more brokers will enter the market to act as go-betweens for hackers and their prospective clients. That will put more people at risk for their data being stolen and their communications being spied upon. As for how to stop those harmful outcomes, the report offers few suggestions and concludes that the deck is essentially stacked against the victims.

"The ability to attack will likely outpace the ability to defend," Rand concluded. "Attackers can be hedgehogs (they only need to know one attack method, but do it well) while defenders must be foxes," knowledgeable in every tool and technique their adversaries might use against them.


U.S. Readies New Syria Aid

The State Department is about to begin delivering tens of millions of dollars worth of new assistance into Syria, including ambulances, communications gear and Toyota pickup trucks for the country's beleaguered rebels. But the relatively small size of the new aid package is a vivid reminder that the Obama administration is continuing to take a largely hands-off approach to a country in the fourth year of a civil war in which nearly 150,000 people have died.

Although the United States is the top provider of humanitarian assistance inside the country, its aid to bolster moderate rebel forces -- now fighting a two-front war against both al Qaeda fighters and pro-Assad forces -- has been considered vastly inadequate since a peaceful uprising turned violent in 2011.

The so-called non-lethal assistance effort for rebels has included buses and pickup trucks, blankets, 550,000 packaged military meals and, just last month, about 1,000 medical kits. All told, the U.S. has delivered roughly $26 million worth of equipment and supplies since 2012. The U.S. had already committed to delivering tens of millions of dollars in additional assistance to rebel forces, but the security situation and other factors did not allow it until now. A separate, covert effort headed by the CIA is vetting moderate rebels and then training those forces and equipping them with small arms and ammunition.

The assistance has been far too modest to stem a series of battlefield gains by Syrian President Bashar al-Assad, whose forces have stepped up their bruising battle against opposition forces in the rebel-force-held city of Aleppo as well as in other areas, like along the Syrian-Lebanese border, in recent weeks. What little momentum rebel forces have had in some areas has been halted and largely reversed, with the regime retaking and holding terrain. The former U.S. ambassador to Syria, Robert Ford, told an audience in Washington last week that Assad is now capable of holding onto all of the territory between Aleppo and Damascus and predicted that Assad's strength would keep him in power for the "medium term."

"He will control that area -- geographically, it is maybe a fourth of the country," Ford said at the Woodrow Wilson International Center for Scholars.

But despite the violence and fighting across large swaths of the country, State Department officials say that opposition forces have managed to open the supply route into Aleppo from the Syrian-Turkish border that will allow Washington to send in more aid. In January, rebel forces began a more concerted campaign against al Qaeda militias that managed to push the extremists out of strategically important areas. Now, even as the city of Aleppo itself remains under siege by the Assad regime, the route into the city is for the first time in many weeks free of militants. As a result, U.S. assistance for rebel forces and the Free Syrian Army can get into Aleppo once again, American officials said.

The State Department is expected to begin shipping large amounts of equipment and supplies to the FSA as early as this week. Trucks carrying the first batch of assistance are currently lined up waiting to get into the country. But they are competing with other shipments of humanitarian assistance, relief supplies and equipment, all trying to get into the country at once, and the queue along the Syrian border stretches for miles, an official said. In a heartening change for U.S. officials, though, the holdup doesn't have as much to do with the security situation as it does with the logistics of squeezing so much traffic through the small number of border entry points controlled by moderate anti-Assad rebels, not Islamic extremists.

"This will be one of the largest shipments we've ever put across," Mark Ward, the State Department's senior advisor for non-lethal assistance in the region, told FP.

The shipments are part of an $80 million non-lethal assistance package to the FSA, underway since 2012, that has largely come to a halt in recent months because of the country's poor security situation. About one-third of that total aid package has already been delivered to rebel forces; that leaves the remainder of the existing U.S. commitment, more than $53 million of equipment and supplies, that is expected to begin to flow into the country in coming days, weeks, and months, according to a State Department official. The majority of assistance flows into Syria from Turkey, Jordan and other neighboring countries.

In December, members of the Syrian opposition let warehouses holding valuable assistance fall into the hands of Islamic extremists. That led to an immediate freeze of all U.S. and European assistance to the rebels and led many rebel leaders to pointedly ask why so much equipment was being stored in stockpiles when it was badly needed by front-line battalions.

But leadership and organizational changes within the rebel forces' umbrella group, the Supreme Military Council, have led Washington to reopen the aid spigot.

At the same time, Ward and his team have tried to prevent a recurrence of last year's problems by putting assistance directly in the hands of commanders instead of handing it off to "middlemen" who stash it in such warehouses, where it can fall into the wrong hands. In January, the U.S. resumed shipments of aid starting with medical kits to the FSA.

"We're now very optimistic we can do a lot more," Ward said.

Steven Heydemann, a vice president at the U.S. Institute of Peace in Washington, said the rebels' ability to create new supply routes has paved the way for the United States to begin sending in more non-lethal assistance.

"The reality is that there have been some significant improvements on the ground, that's real," Heydemann said. "Some of the issues that had led the U.S. and the Brits to cut off the supplies of non-lethal aid are now believed to have changed in ways that would permit the resumption" of assistance.

Ward is well aware of the perception that the Obama administration has been slow to provide aid to rebel forces and has given them far too little to make a difference. The twin challenges he has long faced, Ward said, are security and logistics. But for now, he said, it's just logistics.

"It's important for people to understand that you can have all the money and all the equipment in the world, but you have to get it into the country," he said. "Either it's the security or the queue. Right now, thankfully, it's just the queue."

The danger now, however, will hinge on whether the supply route into Aleppo will be taken over, not by extremists operating in the region, but by the Assad regime, which has been focused elsewhere in the country.

"If the regime is to succeed in terms of cutting off logistical conditions in the north, that could be a big blow to rebel forces," said Isabel Nassief, a Syria analyst with the Institute for the Study of War in Washington. "That would make the command and control structure they've been trying to establish even more difficult."

Some of the shipments now in trucks in the queue along the Syrian border include ambulances, forklifts, trucks, communications gear, mattresses and blankets for the Free Syrian Army. It also includes a few of the Toyota Hilux pickups that Oubai Shahbandar, a senior adviser to the Syrian Opposition Coalition in Washington, described as one of the most critical types of equipment the rebels could have.

"We need them in the hundreds, not in the onesies and twosies," he said.

Critics of the Obama administration argue that U.S. aid hasn't changed the dynamics on the ground in favor of the rebels. Sen. John McCain (R-Ariz.), a fierce critic of administration policy on Syria, said Friday that Syrian government attacks along the Lebanese-Syrian border are hurting the opposition. "As the Syrian government continues to hamper efforts to deliver aid and cuts off access to opposition supply lines, it is imperative that the United States and international community adopt stronger measures in guaranteeing access to humanitarian aid," McCain said in a statement. "It is time for the administration to force a price for Assad's behavior and show to the world that the use of starvation tactics and war crimes will not be tolerated."

And one congressional staffer believes that Americans are in the dark about the true nature of the Syrian rebels, many of whom are moderates that the administration knows and quietly trusts. "[The administration] doesn't want people to know that because if the public finds out, they may say, why aren't you doing more to help them? And there is no good answer to that question," the staffer said.
