Russian 0day thirst traps
Last month a Russian exploit company increased their price offer for Signal RCE exploits to three times the Zerodium rate. What, if anything, does this mean? Read on to find out.
Attempts to read the tea leaves of public 0day pricing are mostly speculation. That said, I hope I can provide some informed speculation. The change in pricing is an indicator of something, but what?
A wild 0day company appears!
OpZero is a Russian company that buys exploits. Their history is unclear. Google only indexed their website in October 2022, although their social media presence dates back to July 2021. There isn’t much of anything interesting publicly available about the company and its early incarnations.
The Ukrainian military and government use Signal on their phones as a communications channel. This is a huge exposure if there is a way to compromise either Android phones or the Signal app. There is attack surface on the Signal app, which exposes WebRTC, which means there could be exploitable vulnerabilities. (My understanding is that WebRTC is only exposed after you have established a link, e.g. chat or call, with a contact.)
Why Android + Signal
The Ukrainian military, and much of the government and civilian population, communicate using Signal on Android phones.
Mobile Operating System Market Share in Ukraine - October 2022
Android 77.42%
iOS 22.19%
Android market share is a little under 80%, and iOS is slightly over 20%. A handful of legacy and other devices make up the remainder with less than 0.5%
Signal use has exploded since the invasion began.1 In March, there were 2 million installs, and that number has likely increased significantly since then. In February, growth for Signal downloads was almost 2000% making it the number one most downloaded app in Ukraine.
So What?
This presents a problem. Android phones with Signal are robust security platforms. They’re not military equipment, but they’re perfectly capable of providing protection against a wide range of security threats. Including nation state level threat actors.
Russia appears to be lacking an Android or Signal capability. Either one would be sufficient to gain access to Signal communications. Needing both may indicate, or at least suggest, that Russia doesn’t have capabilities for these platforms.
Counterintelligence from novel data
OpZero is offering $1,500,000 USD for a Signal RCE exploit, whereas Zerodium only offers "up to" $500,000
Why is this a signal? because it diverges so drastically from the price list published by Zerodium. There is no reason to offer significantly more money than your competitors for a capability unless you truly need to attract exploit developers. An example of a fairly normal attempt at a price premium would be when, in September 2021, the OpZero Twitter account quote tweeted Zerodium with a 20% price premium for Chrome RCE + SBX.
What does it signal? Here is the assessment: Russia is desperate for Android and Signal exploits. For good reason: (1) Android has an almost 80% market share in Ukraine, and (2) Signal has over 2 million daily active users.
A risk premium?
For a Western exploit developer, selling exploits to Russia is a significant risk. There will be a premium for that risk, so if the payment is to attract a Western developer (a nearly impossible task), it has to be significantly higher than the alternatives.
But that isn’t the case here. Firstly, this increase—triple pay, a million dollars extra—is too high to be a risk premium. Secondly, only Signal has this price discrepancy. Therefore, even if this is intended as a Russian Risk Premium, it still indicates that Signal exploits are exceptional.
The Signal Signal
What does the signal mean? I believe that this shows Russia is unable to access Signal and they are so desperate for such a capability that they are willing to announce their limitations.
The Russians are signalling that they badly need this capability. I suspect that eight months into the war they have been trying–but failing–to get such a capability from their existing supply chain (internal R&D plus external vendors).
Perhaps recent setbacks on the battlefield have increased the urgency, and now the necessity of acquiring the capability is more important than revealing they don't have one.
…assuming they have thought about this.
Why now?
Some plausible hypotheses:
The Ukrainian defence has gotten significantly better now that it is all in the cloud and Microsoft is managing the security.
This means there are fewer vectors available for cyberespionage collection. Phishing, credential stuffing, and RCE against pirated software are all effectively blocked due to Microsoft and Ukrainian defences.
One of the few options left as a vector for accessing Ukrainian intelligence is exploits. The most important target is, as it has been for years, the mobile phone.
Conclusion: There are few options, and exploitation is one of the more important ones.
Recent Ukrainian battlefield success has increased the pressure on the intelligence services to provide insight into Ukrainian government and military communications.
The majority of the planning is done over Signal on Android. There is little to no value in collecting traffic on the wire. "Traffic analysis reveals that the generals are talking to their staff… Great work Dmitri, an extra 200 grams bread today!”
The demand for collection on high-value targets, who are almost exclusively Signal and/or Android, is extremely high.
Conclusion: HVT are critical for the war effort. HVT are on Signal + Android (not Windows + email)
Existing supply chains have failed to deliver a working capability for Android and/or Signal.
What’s the short version?
I assess with low - medium confidence that an interaction of the above factors is at play. The need for the capability is increased due to a reduced range of options, combined with a greater urgency to collect military intelligence, and the end of a multi-month period without any luck sourcing the capability through existing channels.
These combine and force taking a desperate measure: announcing a huge payment for these critical capabilities.
Note:
This is speculation. Even if true, the circumstances could change at any time. It is not safe to assume that the opposition does not have a capability. For your safety, operate as if they do have capabilities.
Trust neither fate, luck, nor the competence of others.
At a time when encrypted messengers are more important than ever, there are extremely worrying signs from the West about breaking end-to-end encryption on mobile phones. Ukraine has made and continues to make extensive use of Signal as a secure communications channel for the military and government. It is also relied on by Ukrainian citizens. These are extreme examples of why secure messengers are critical.
Parthian thoughts
Any proposal to create a client-side scanning framework for mobile devices will put lives at risk. If Russia could use a client scanning framework to collect intelligence on mobile phones, they wouldn’t be desperately trying to spend millions buying exploits.
Protecting mobile phones against hostile states is not a fanciful hypothetical. It isn't even a rare occurrence. Mobiles are one of the most secure computing devices available, period. We must secure mobile phones against hostile state intelligence agencies and other threat actors by making them more expensive and difficult to access, not cheaper and easier.