The business of selling zero-day exploits, a market increasingly exposed to US sanctions as Singapore’s Coseinc found out with its blacklisting by Washington on 3 November, is nevertheless still a prosperous one. It is also becoming increasingly nationalised. Russian researcher Sergey Zelenyuk, who became known when he publicly disclosed a zero-day vulnerability in VirtualBox, the virtualisation software of US group Oracle, after the firm failed to respond to his warnings, is now selling his exploit-finding skills via his new company Operation Zero, based in Saint Petersburg.
Zelenyuk is not the first Russian to turn to the zero-day market. A data leak at Italian e-learning company Hacking Team (now Memento Labs) in 2015 exposed the firm's supply chain of flaws. One of its suppliers was Russian researcher Vitaliy Toropov.
Selling zero-day exploits may be a niche market, but it is still vitally important to the world’s leading technology groups. Some, like Google, along with numerous governments, would like to secure greater control of the sector.
The market is shared by a few operators, the likes of French entrepreneur Chaouki Bekrar’s Zerodium, based in Fort Meade just around the corner from the NSA headquarters, Exodus Intelligence, which has received several US state funding rounds, and Israeli-German firm Incredity Technologies. Fellow Israeli penetration test (pentest) specialist Zero Defense Labs is also in the game and offers to buy zero-day vulnerabilities and related exploit code from security researchers. There is also an operator based in the UAE, Crowdfense.
All of them promise bounties for computer flaws, the amounts of which vary depending on what IT issues the companies or cyber-intelligence clients are dealing with at the time: Apple’s iOS, Google’s Chrome, or others. More recently, all eyes have been on flaws in Huawei’s operating system.
Competition between the US and China in cyberspace also adds another element to the highly specialised market. The Singaporean operator sanctioned by the US treasury in November, Coseinc, has been nurturing ties with Chinese cyber entities