You need just $8,000 to exploit a zero-day in critical infrastructure

How much does a zero-day for an industrial control system cost? Where can they be bought, and who are the main buyers of these commodities?

We have discussed several times the importance of zero-days in cyber attacks against computer systems; the exploitation of previously unknown vulnerabilities is largely the prerogative of well-funded hacking groups such as state-sponsored crews.

Governments consider cyber weapons an adjunct to conventional weapons, and zero-day flaws are the most important component in the design of an effective cyber weapon. Governments have recently created cyber units dedicated to the discovery and exploitation of unknown vulnerabilities.

How much would a government be willing to pay for hacking tools that could hit a critical infrastructure?

Thomas Fox-Brewster of Forbes published an interesting article investigating the issue.

Flaws in certain industrial control systems (SCADA and ICS) used in vital infrastructure such as nuclear power plants theoretically have no price ceiling for a persistent attacker like a government.

Is it possible to find this specific kind of exploit in the underground? Over the last few months, Forbes investigated the issue with the support of Yuriy Gurkin, CEO of the Russian company Gleg, searching for sellers of SCADA zero-days.

Gleg offers “exploit packs” for Canvas, an automated exploitation system and exploit development framework used by penetration testers.

One of the “exploit packs” offered by the company, SCADA+, includes all publicly available SCADA vulnerabilities plus the company's own zero-days. The packs are continuously updated; Gurkin explained that one or two exclusive zero-days are added every month.

We can consider these packages a powerful arsenal in the hands of attackers, and they can be bought for $8,100 per year, while a Canvas license costs over $3,000 for up to 10 users.

The SCADA+ pack includes exploits for industrial control systems from major manufacturers such as Siemens, Panasonic and D-Link.

Who are the buyers?

Nation-state hackers are the most important actors in the zero-day market, but Gurkin revealed that Gleg sells its pack mainly to private companies, for testing purposes.

Gurkin explained that he simply wants to “illustrate” vulnerabilities and their risk. “We do not conduct any research aiming to control SCADA systems, we just write exploits for vulnerabilities for the Canvas framework.”

When I introduced the topic of this post I said that the cost of a zero-day is theoretically unlimited; I said this because governments clandestinely search for and acquire zero-day flaws to include in their arsenals. The price of a zero-day depends on a number of factors, including the offensive capability of the cyber weapon that exploits the flaw.

Imagine software that could shut down a power grid: a threat actor could cause billions of dollars of damage to a country and paralyze its operations, which means such a zero-day could cost a government agency millions of dollars.

“Far bigger companies than Gleg do SCADA exploitation, but in more clandestine fashion. Speaking with various former employees at US government contractors and digital warfare experts, the likes of Snowden’s old employer Booz Allen Hamilton, Northrop Grumman, Raytheon, Lockheed Martin and BAE have SCADA exploitation capabilities. Unsurprisingly, they keep schtum about what exactly they can do and whom they provide to,” states Forbes.

Cyber security expert Drew Porter, who has deep experience in critical infrastructure protection, confirmed that in the past he used to “work at a place that would develop tools and exploits then sell what was weaponized to selective US government clients. We never talked about the tools when we were making them to anyone besides our clients.”

“Many Department of Defense contracting companies do this. Some are just better at it than others,” explained Porter.

The number of companies working in this industry and searching for zero-day flaws in industrial systems is growing, which suggests that demand for such services is also increasing.

Forbes mentions several companies that currently research zero-days for SCADA systems, including ReVuln, Exodus Intelligence and Hacking Team.

Although companies like Gleg offer SCADA exploits at low cost, this doesn't mean that this precious commodity is cheap. Selling zero-days this way makes little sense in the zero-day market: offering such knowledge in the wild for low prices allows vendors to promptly patch the vulnerabilities, making the exploits obsolete and effective only against unpatched systems.

“But if you are selling an exploit pack to the public, a vendor is going to buy it and patch all their systems after they reversed your zero-day,” explained Porter.

“I could be wrong, and maybe they are selling SCADA zero days for $8,000 to the public. Then again it could have been marketing who added that ‘zero-days for SCADA’ … because they knew it would bring more attention to it.”

Gurkin explained that the prices are low compared with bugs in the most popular software, like Microsoft Internet Explorer or Windows, because in those cases attackers have more opportunities to monetize the exploit, for example by building a botnet used in fraudulent hacking campaigns.

The expert also added that finding SCADA flaws is too easy, due to the lack of security by design in such systems.

“Finding SCADA vulnerabilities is a joke as many of these products were built without any software security in mind – that is why we do not do that.”

Unfortunately, this is true: locating a target is very easy with tools such as the Shodan search engine for internet-connected devices. Shodan runs an ICS Radar that scans the Internet for “protocols that provide raw, direct access to industrial control systems”. Such protocols typically carry no authentication at all, so reaching the port is enough to issue commands.
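To make concrete what “raw, direct access” means, the following added example (not code from the article, from Gleg or from Shodan) encodes and decodes Modbus/TCP requests, a protocol whose frames contain no credential, and runs a simple audit over constructed sample traffic, flagging state-changing requests from hosts outside an allowlist. The IP addresses, the allowlist and the sample frames are hypothetical.

```python
"""Modbus/TCP frames carry no authentication; parse them and flag writes from
hosts outside an allowlist. Added example with constructed sample traffic,
not code from the article, Gleg or Shodan."""
import struct
from dataclasses import dataclass

# Function codes that change process state versus those that only read it (Modbus spec).
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}
READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}

MBAP = ">HHHB"  # transaction id, protocol id (0 = Modbus), length, unit id


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


def build_request(transaction_id: int, unit_id: int, function_code: int, data: bytes) -> bytes:
    """Encode a Modbus/TCP ADU: 7-byte MBAP header followed by the PDU (function code + data).
    The length field counts the unit id plus the PDU. Nothing in this frame identifies or
    authenticates the sender; any host that can reach TCP/502 can send it."""
    pdu = bytes([function_code]) + data
    return struct.pack(MBAP, transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def parse_request(frame: bytes) -> ModbusRequest:
    """Decode an ADU, rejecting frames whose header does not match the payload."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(MBAP, frame[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(frame) - 6:
        raise ValueError(f"length field {length} does not match frame of {len(frame)} bytes")
    return ModbusRequest(tid, unit, frame[7], frame[8:])


def describe(req: ModbusRequest) -> str:
    """Readable summary; single-write PDUs carry (address, value) as two big-endian words."""
    name = (WRITE_FUNCTIONS.get(req.function_code) or READ_FUNCTIONS.get(req.function_code)
            or f"function {req.function_code}")
    if req.function_code in (5, 6) and len(req.data) >= 4:
        addr, value = struct.unpack(">HH", req.data[:4])
        return f"{name} addr={addr} value=0x{value:04x}"
    return name


def audit_traffic(frames, allowed_hosts):
    """frames: iterable of (source_ip, raw_adu). allowed_hosts: hosts (HMI, engineering
    workstation) permitted to talk to the PLC. Returns (severity, source, message) tuples."""
    alerts = []
    for src, raw in frames:
        try:
            req = parse_request(raw)
        except ValueError as err:
            alerts.append(("warn", src, f"malformed Modbus frame: {err}"))
            continue
        if src in allowed_hosts:
            continue
        if req.function_code in WRITE_FUNCTIONS:
            alerts.append(("critical", src, f"unauthorized write: {describe(req)} unit={req.unit_id}"))
        elif req.function_code in READ_FUNCTIONS:
            alerts.append(("notice", src, f"read from unknown host: {describe(req)}"))
        else:
            alerts.append(("notice", src, f"unexpected {describe(req)} from unknown host"))
    return alerts


# Constructed sample traffic (hypothetical addresses): an HMI write, a scanner's read,
# the same scanner writing a register, and a truncated frame.
ALLOWED_HOSTS = {"10.0.0.5"}
SAMPLE_TRAFFIC = [
    ("10.0.0.5", build_request(1, 1, 5, struct.pack(">HH", 1, 0xFF00))),    # coil 1 ON
    ("203.0.113.9", build_request(7, 1, 3, struct.pack(">HH", 0, 10))),     # read 10 registers
    ("203.0.113.9", build_request(8, 1, 6, struct.pack(">HH", 0x10, 0))),   # register 16 := 0
    ("198.51.100.2", b"\x00\x09\x00\x00\x00\x02\x01"),                      # header only
]

if __name__ == "__main__":
    for severity, src, msg in audit_traffic(SAMPLE_TRAFFIC, ALLOWED_HOSTS):
        print(f"[{severity}] {src}: {msg}")
```

The point of the audit is that the protocol itself offers nothing to check: the only available control is which source addresses may talk to the controller, which is why network segmentation and read-only monitoring taps matter more for ICS than for ordinary IT systems.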

SCADA security is a pillar of critical infrastructure protection; it is important to change the approach to cyber security for such critical components in order to avoid catastrophic incidents.

Pierluigi Paganini

(Security Affairs – SCADA , zero-day)

Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years of experience in the field and a Certified Ethical Hacker (EC-Council, London). A passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US. Pierluigi is a member of "The Hacker News" team and writes for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines. Author of the books "The Deep Dark Web" and "Digital Virtual Currency and Bitcoin".
