The Three-Whistle Drill

How to stay left of boom during the biggest cyber war in history

The three-whistle drill was used by our football coaches at Notre Dame High School in Riverside, Calif., in the 1970s during practices in the blazing sun of the desert in August. When you heard three short whistles you had to hit the closest person with your head/helmet at a running start and had to be prepared to be hit by the closest person or suffer the very real consequence of being knocked to the ground in a painful way until the next three whistles sounded and the drill ended.

Similarly, a zero-day, zero-click software bug arrives with no warning and knocks an organization or person to the ground in a painful way, or, in the case of journalist Jamal Khashoggi, led to his murder. But hackers also bring justice—as when a hacker gave the FBI a zero-day/zero-click exploit in 2016 to access the San Bernardino mass gunman’s iPhone.

The New York Times cybersecurity reporter Nicole Perlroth published the untold story of the secret, government-backed global cyberweapons market for a terrifying new kind of warfare in her 2021 book, This Is How They Tell Me the World Ends: The Cyber Weapons Arms Race. The book is about staying “left of boom”: the stretch of the timeline before an explosion or incident, which, on the massive U.S. attack surface, demands real-time discovery, tracking, and threat elimination using supercomputers and intrusion into global systems.

Here, I share some of the key points of this seminal work that draws threads into a future affecting billions of people and billions of dollars, and that rewards the coders both creating the future and destroying it.

ZERO-DAY/ZERO-CLICK ATTACKS DEFINED

A zero-day/zero-click attack uses a software bug that allows a hacker to break into a person’s or organization’s devices and move around undetected. A coveted tool in a spy’s arsenal, it has the power to silently spy on your iPhone, dismantle the safety controls at a chemical plant, alter an election, or shut down an electric or water distribution system.

Beginning late last century, under cover of classification levels and nondisclosure agreements, the United States government became the world’s dominant hoarder of zero-day/zero-click exploits.

U.S. government agents paid thousands and eventually millions of dollars to hackers willing to sell the code vulnerabilities they discovered—and to buy their silence, in an effort to keep those zero-day/zero-click exploits out of the hands of hostile nations and mercenaries who don’t care whether our votes go missing, our clean water is contaminated, or our nuclear plants melt down.

My previous piece for CSQ, “What Makes Atlas Shrug?”, addressed the dark side of cyberterrorism, which is netting billions through ransomware for threat actors including North Korea, China, Russia, and Iran. It covers the wild west of submarine cable taps, the biggest companies in the world paying to have their own vulnerabilities revealed, and the evil of our enemies attempting to destroy us and to keep their own people from learning the truth about their governments’ evil intent. Republished on numerous international sites, including Dark Web Today and Poland’s Kosmetyki Samochodowe, the piece struck a global nerve.

Another previous piece for CSQ, “Beyond the Terabyte: The Computational and Political Power of Data Centers,” explores the massive computational and data storage capacities, equivalent to hundreds of millions of laptops, in places like Hohhot, China, and Bluffdale, Utah; it was also syndicated in The Street and internationally. It details how the U.S., the world’s leader in protecting human rights and preventing threat-actor harm, has again committed to cyber protection tenets, as evidenced by the National Security Agency (NSA) contracting with Perlroth to consult on winning the cyberwar.

ZERO-DAY/ZERO-CLICK EXPLOIT HISTORY

Andy Greenberg first chronicled a broker’s zero-day/zero-click business in his 2012 Forbes story, “Meet the Hackers Who Sell Spies the Tools to Crack Your PC (and Get Paid Six-Figure Fees),” at the same time zero-day exploits were used in Hewlett-Packard print spooler code, the software that tells the printer what to print. More than 125 printer vulnerabilities have been discovered since that time.

On December 29, 2013, a 50-page NSA document was leaked to Spiegel International that reads like a mail-order catalog, one from which other NSA employees can order technologies for tapping their targets’ data. The catalog even lists the prices for these electronic break-in tools, with costs ranging from free to $250,000. The NSA’s Tailored Access Operations has another level of hacking and data-skimming called ANT, thought to stand for Access Network Technology. These NSA agents, who specialize in secret backdoors, keep an eye on everything from computing centers to individual computers, and from laptops to mobile phones. For nearly every device, ANT seems to have an answer.

One example from the catalog is an implant named “FEEDTROUGH.” This malware burrows into Juniper firewalls and makes it possible to smuggle other NSA programs into mainframe computers. Thanks to FEEDTROUGH, these implants can, by design, even survive reboots and software upgrades, so U.S. government spies can secure themselves a permanent presence in computer networks. The catalog states that FEEDTROUGH has been deployed on many target platforms. The NSA calls these tools “implants,” and they have played a considerable role in the intelligence agency’s ability to establish a global covert network that operates alongside the internet.

The Russian NotPetya zero-day/zero-click attacks wiped 75% of Ukraine’s computers clean a few years ago. We are now witnessing new weapons of war, and Ukraine was just the testing ground. The scary question is how these weapons will be used in the future. Interestingly, what saved Ukraine is what makes the United States a more vulnerable nation: Ukraine was not fully automated.

Meanwhile, the NSA was back-channeling with the international agencies that set cryptographic standards, advocating a flawed formula for generating the random numbers used in encryption schemes so that NSA computers could easily crack them, paying off companies, infiltrating factories at leading encryption chip makers to insert backdoors, hacking into companies’ internal servers, and more.

WHO ARE THESE PEOPLE?

Perlroth was able to talk to Adriel Desautels, the self-described father of zero-day/zero-click global brokering; Grugq, a South African who allowed Forbes to photograph him with large duffels of cash in Thailand; MJM, a German broker; and Luigi and Donato in Malta, who advertised industrial-control systems zero-day/zero-click exploits.

Pricing is based on the software exploited. An exploit that took over routers or USB sticks was the cheapest, netting low five figures. Next were exploits that could remotely infect Adobe PDF software, Safari and Firefox browsers, or applications such as Word and Excel. Next were exploits that could remotely access Microsoft Exchange email accounts and other Windows software; those cost between $100,000 and $250,000. When the need was immediate, such as hacking a terrorist’s phone, an Iranian scientist’s computer, or Russia’s embassy in Kyiv, Desautels’ buyers would pay a premium of $500,000 to $1 million or more. His commission ranged from 3% up to 60% when he had to source, vet, and test an exploit for a client.

In time, American intelligence agencies were siphoning data from hundreds of strategically placed implants worldwide, and so were other countries. The NSA had a program code-named Genie that was eventually implanted in nearly every major make and model of internet router, switch, firewall, encryption device, and computer on the market. Even as American officials accused China of embedding trapdoors in Huawei’s products, the NSA had pried its way into Huawei’s headquarters. As one official said, “In the race to exploit everything and anything we could, we painted ourselves into a dead end where there is no way out. It will be a disaster for the rest of the country. Somebody just used a new weapon, and this weapon will not be put back in the box.” Another scary point is the number of NSA hackers who left the agency for various reasons. Some moved overseas to the Gulf, ostensibly to help American allies; the reality was grimmer and more sordid.

Some companies in the business, such as Hacking Team, sold exploits to various government agencies around the globe, “some with human rights records that were not just questionable but grotesque,” according to Perlroth. In an operation dubbed Aurora, Chinese hackers got into high-tech companies, defense contractors, and others. They were able to attack source-code repositories. “With that access, they could surreptitiously change the code that made its way into commercial products and attack any customers who used the software.”

THE CYBERWAR IS ALREADY HERE

We must de-escalate the global cyber arms race, and we can start by not being sloppy with our secrets. Ironically, between a third and half of zero-day/zero-click exploits are the result of coding mistakes, such as an S typed instead of a 5, that a careful coder or hacker later discovered. When the U.S. and the rest of the free world put checks and balances in place for code accuracy, we will reduce the targets these evildoers exploit. We used to go by the NOBUS code, “nobody but us,” but moving through the aughts, the teens, and the roaring ’20s of this century, we’ve gone from NOBUS to anyone who can afford it, by way of the very tools we developed at the NSA, the Defense Advanced Research Projects Agency, and facilities like Sandia Labs and the Bluffdale, Utah, super data center I wrote about for CSQ in “Beyond the Terabyte.”

In a recent interview, Elon Musk defined free speech as when people you don’t like say things you don’t like and you let them. He further explained that freedom of speech is not freedom of reach: if it’s lawful but awful, it won’t be promoted by Twitter. With an algorithm that controls whether a Tweet is recommended, citizen journalists can have an effect beyond what the big media companies want you to hear, while maintaining a standard of truth and the safety of all citizens, globally.

Are hackers similar to the citizen journalists Musk describes? Perlroth explains that hackers aren’t typically in it for the money, at least initially.

“They are in it for the rush, the one that comes with accessing information never meant to be seen. Some do it for power, knowledge, free speech, anarchy, human rights, ‘the lulz,’ privacy, piracy, the puzzle, belonging, connection or chemistry, but most do it out of pure curiosity. The common thread is they can’t help themselves. At their core, hackers are natural tinkerers. They can’t see a system and not want to break it down to its very last bit and build it back up for some alternative use.” 

Hackers have been around for over 150 years. In the 1870s, several teenagers were caught tampering with the U.S.’s primitive telephone system. The label hacker has a spotted history—one alternately celebrated and condemned—but history’s most revered entrepreneurs, scientists, chefs, musicians, and political leaders were all hackers in their own right. As much as hackers are now front and center in the cyberwars, citizen journalists are front and center in the fight for freedom from attack and cyberwar so we can all stay “left of boom.” 

Through their stories, organizations like CSQ and TheStreet.com are moving us from anticipating the coming cyber wars to fighting them actively, because they are already here.

Throughout his career, Keith Gunther has held management positions at VERITAS/Symantec software as well as 3M, Fujifilm, Xerox and ARC. His consulting work in support of data storage, document scanning and imaging, applications, networking and cloud computing services projects spans commercial, government, medical and educational organizations over 35 years.