Hackers from the U.S., Russia and Ukraine hawk computer exploits for as much as $300,000 on an underground market fueled by digital currencies like Bitcoin, a report by RAND Corp. and Juniper Networks Inc. shows.
The thriving trade in software, data or commands that takes advantage of computer bugs and glitches generates billions of dollars using digital storefronts that connect sellers with buyers or where mercenaries can be hired to do the job, according to the report released today.
“Anyone with an Internet connection can get involved,” Lillian Ablon, an information systems analyst at RAND and the study’s lead author, said in a phone interview. “If you can’t do something, you can find someone else to do it for you.”
One of the first comprehensive efforts to map out how criminal hackers operate using anonymous networks, encrypted communications and digital currencies, the 83-page report comes amid warnings by U.S. government and industry officials that digital attacks are becoming more sophisticated and dangerous.
Exploits, the tools for conducting computer attacks, can be used for a range of illegal actions, from stealing data off a user’s mobile device to breaching corporate databases, according to the report. In the past year, the networks of retailers Target Corp. and Neiman Marcus Group Ltd. were breached, while JPMorgan Chase & Co. and other U.S. banks have defended against attacks aimed at shutting down their computers.
“You have to conclude from this that the rise of these markets is giving cyber criminals more power,” said Martin Libicki, a senior scientist at RAND, a Santa Monica, California-based nonprofit that does research for governments and companies.
The findings were based on interviews with more than two dozen cybersecurity experts, including researchers and law enforcement officials. The report was sponsored by Sunnyvale, California-based Juniper Networks, which sells network security products and services.
Hackers are increasingly using Bitcoin and other virtual currencies to hide their identities, according to the report. This is in response to traditional banks cooperating with law enforcement agencies on investigations that could end in their arrests, Libicki said.
Bitcoin is a legitimate currency with lawful uses, said Jim Harper, global policy counsel for the Bitcoin Foundation, the trade group that promotes the currency. Criminals will use it, just like they use cash, Harper said in an e-mail.
“Bitcoin is far from the magic cloak for criminality that early news reports portrayed it to be,” he said.
Prices for the tools to attack software vulnerabilities that aren’t yet known or fixed by manufacturers -- commonly called zero-day exploits -- are the highest. One targeting Apple Inc.’s iOS operating system in 2012 sold for as much as $250,000, according to the report.
Governments, which weren’t identified, “are increasingly showing up as buyers” for zero-day exploits, the report said.
Simple malicious programs, such as a do-it-yourself kit called WebAttacker that uses spam to lure victims to fake websites, sold for as little as $15 in 2006.
Stolen data, such as credit card numbers and technology designs, are bought and sold through illicit forums with as many as 80,000 members that only can be accessed through virtual private networks, according to the report. Experienced hackers vet participants and restrict those who consistently fail to deliver goods and services.
Credit-card data acquired in the recent breach of Target’s payment processing system initially fetched anywhere from $20 to $135, according to the report.
The underground economy, however, operates in many of the same ways as traditional markets. Supply and demand affect prices and large-scale data thefts like the Target attack occur about once every three years, according to the report.
The U.S. has become fertile ground for homegrown hackers, the report found. “In 2013, almost a fifth of the market was U.S.-based, ranked third behind Ukraine and Romania,” the researchers said. “The United States has more home-grown hackers than Russia.”
One reason for the rise in U.S. hackers is that perpetrators are learning about hacking and financial crimes in prison “so people are getting released on streets and that becomes their new set of tactics,” the report found. “Violent crimes go down, but financial crimes more than make up the difference.”
Despite efforts by law enforcement in the U.S., and other countries to crack down on financing or some of the popular marketplaces, “the hacker economy has proved to be quite resilient,” the researchers said. “The market bounces back after a takedown or arrest.”
In addition to using virtual currencies, hackers increasingly use so-called darknets, or private forums that mask their identities, according to the report.
U.S. lawmakers, intelligence officials and industry representatives have said one of their biggest concerns is that terrorists will use sophisticated exploits to disrupt banks, utilities and other critical services.
Terrorists weren’t seen operating in the illicit forums described in the report, Libicki said. “The tools that are good for cyber crime aren’t necessarily good for taking down physical systems,” he said.
Better cooperation between law enforcement organizations and intelligence agencies in the U.S. and other countries is needed to disrupt the underground market, Robert Dix, vice president of government affairs for Juniper Networks, said in an interview. More education to close cybersecurity gaps also is needed, he said.
“Most of the perpetrators don’t fear being caught,” Dix said. “We need to be thinking about how to disrupt the economic model that favors the bad guys.”