Play Live Radio
Next Up:
0:00 0:00
Available On Air Stations

Sony Hack Highlights The Global Underground Market For Malware

There are global underground markets where anyone can buy and sell all the malicious code for an attack like the one North Korea is accused of unleashing on Sony Pictures.

These underground markets not only make it more difficult to trace who is responsible for any given hack — they also make launching a sophisticated attack against a global company much easier.

Marc Rogers, a principle researcher at the computer security company, CloudFlare, has been tracking the attack on Sony for weeks and analyzing the code the hackers used.

"The malware world is really incestuous. You have got people who share source code, who borrow things like hacking tools, or even commercial pieces of software."

"This is Windows malware. It's fairly sophisticated, it's very complex, and it's modular," Rogers says. "It's made up of lots of different bits."

The attackers took one piece of code from one place, one piece of code from another and snapped it together like a Lego set. Some of this code is malicious, and some is legitimate.

Now the FBI believes that the attack was carried out by North Korea because some of those bits of nasty code have been used by North Korean hackers in the past. But Rogers isn't completely convinced.

"The malware world is really incestuous," Rogers says. "You have got people who share source code, who borrow things like hacking tools, or even commercial pieces of software."

The Exploit Market

There is a global market for hacking tools. Hackers who trade here can build their own unique attacks by snapping together parts that other groups developed. Rogers says he knows Russians who will sell a complete attack right off the shelf.

"They will sell it to you with a subscription," he says. "When the malware is identified successfully by antivirus, they'll update it for you."

It's software as a service, but for thieves. And it's not just criminals who are buying and selling computer attacks on these gray markets.

"Typically the U.S. government pays out higher than anyone else," says Chace Shultz, a computer researcher.

Researchers like Shultz spend their days searching for ways to make computers do things they were not designed to do. They're looking for ways to pick the digital locks that are intended to keep all of our machines safe. When they find a key for a lock, they can sell it.

"If they were to sell that to another government or that type of thing, they could potentially sell that for hundreds or tens of thousands of dollars," Shultz says.

But he and others say most researchers and hackers don't sell directly to government agencies. Instead they usually sell their attacks to a small global network of global brokers.

In a sense, these brokers are the arms dealers of the digital age. They act as go-betweens — connecting researchers and hackers with buyers, governments and organizations searching for back doors into computer networks.

"You can take an exploit to one of these people, and they will go forth on your behalf," Shultz says.

An exploit is like the key to a digital lock and selling these things can be a lucrative business. But Shultz says it is also ethically dicey.

"The other thing I have to wonder too with some of these brokers is — are they double selling?" he asks.

And Shultz says after you sell a computer vulnerability on the gray market, you can never be sure exactly how it will be used or where it will end up.

Copyright 2021 NPR. To see more, visit

Steve Henn is NPR's technology correspondent based in Menlo Park, California, who is currently on assignment with Planet Money. An award winning journalist, he now covers the intersection of technology and modern life - exploring how digital innovations are changing the way we interact with people we love, the institutions we depend on and the world around us. In 2012 he came frighteningly close to crashing one of the first Tesla sedans ever made. He has taken a ride in a self-driving car, and flown a drone around Stanford's campus with a legal expert on privacy and robotics.