American Malware Purveyor That Did Nothing To Limit Misuse Now Horrified To Find Gov't Of India Misused Its Products
from the who-could-possibly-have-seen-this-inevitable-outcome dept
Earlier this year, researchers at Russian cybersecurity firm Kaspersky witnessed a cyberespionage campaign targeting Microsoft Windows PCs at government and telecom entities in China and Pakistan. They began in June 2020 and continued through to April 2021. What piqued the researchers’ interest was the hacking software used by the digital spies, whom Kaspersky had dubbed Bitter APT, a pseudonym for an unspecified government agency. Aspects of the code looked like some the Moscow antivirus provider had previously seen and attributed to a company it gave the cryptonym “Moses.”
More digging by Kaspersky and others discovered who was actually behind these deployments. And the source wasn’t some state-supported hackers or a malware purveyor with a malleable set of morals. No, the exploits — which were deployed to indiscriminately target people in Pakistan and China — were sold (in a way) to the government of India by an American firm, Exodus Intelligence.
Operating out of Austin, Texas, Exodus doesn’t craft many exploits of its own, but rather provides access to information about known exploits, including where to obtain them, and how they can be utilized and leveraged.
Exodus, when asked by Five Eyes countries (an alliance of intelligence-sharing countries that includes the U.S., U.K., Canada, Australia, and New Zealand) or their allies, will provide both information on a zero-day vulnerability and the software required to exploit it. But its main product is akin to a Facebook news feed of software vulnerabilities, sans exploits, for up to $250,000 a year. It’s marketed primarily as a tool for defenders, but customers can do what they want with the information on those Exodus zero days—ones that typically cover the most popular operating systems, from Windows to Google’s Android and Apple’s iOS.
The government of India chose to leverage this knowledge to indiscriminately assault Chinese and Pakistani entities in hopes of hitting targets of interest. That wasn’t what Exodus Intelligence’s info feed was designed to do. It’s only what it ended up being used for. And now the CEO of Exodus is acting like a parent disappointed that a child has exceeded the boundaries he never bothered to set.
That feed is what India bought and likely weaponized, says 37-year-old Exodus CEO and cofounder Logan Brown. He tells Forbes that, after an investigation, he believes India handpicked one of the Windows vulnerabilities from the feed—allowing deep access to Microsoft’s operating system—and Indian government personnel or a contractor adapted it for malicious means. India was subsequently cut off from buying new zero-day research from his company in April, says Brown, and it has worked with Microsoft to patch the vulnerabilities. The Indian use of his company’s research was beyond the pale, though Exodus doesn’t limit what customers do with its findings, Brown says, adding, “You can use it offensively if you want, but not if you’re going to be . . . shotgun blasting Pakistan and China. I don’t want any part of that.”
While it’s great the CEO doesn’t want any part of that, not placing limits on end users is always going to result in things like this. And while it’s unlikely writing up a new ToS is going to deter customers from “shotgun blasting” people with the weaponry you’ve provided, it at least allows you to terminate contracts and access without having to engage in a bunch of costly litigation or fruitless negotiations.
And, if you’re going to be in the business of selling exploits (or indirect access to exploits), you need to be way more proactive on the security front.
Brown is also now exploring whether or not its code has been leaked or abused by others. Beyond the two zero days already abused, according to Kaspersky, “at least six vulnerabilities” made by Moses have made it out “into the wild” in the last two years.
Whoops. That doesn’t look good. But, in all fairness, even the NSA and CIA have seen their tech tools and exploits leaked, resulting in the infliction of misery worldwide by people a shade more malicious than the entities belatedly bemoaning the unplanned distribution of their digital secrets.
Speaking of belated, here’s some regret from the cofounder of Exodus Intelligence, Aaron Portnoy.
[T]oday, the 36-year-old self-taught hacker, who dropped out of Northwestern to carve his own career in cybersecurity, worries that he never knew who had access to his code or how they used it. He now regrets relinquishing control over his zero days to salespeople. “It’s almost like I was being taken advantage of . . . It felt very much like I was a tool that was being used for a bigger purpose that I really had no insight into,” says Portnoy, now plying his trade at Randori, a Massachusetts-based cybersecurity firm.
Sure, but not so concerning that Portnoy didn’t leap from Exodus to defense contractor Raytheon, and from there to startup Boldend, which partnered with Raytheon to (and I’m directly quoting here) “accelerate cyber operations with greater force.”
While it’s great that Exodus has revoked the Indian government’s access to its exploit feed, the larger problem remains. American companies are aiding and abetting mass surveillance, targeting of dissidents and activists, and other human rights abuses by not being more selective of who they sell to or placing limits on how their products are used. This puts them in the same shady neighborhood as overseas malware merchants like NSO Group and Hacking Team. Sooner or later, it’s going to put them on the wrong end of UN sanctions or DOJ investigations. Until then, it appears it will be risky business as usual, making the United States home to plenty of proxy human rights violators.