DAVID GREENE, HOST:
What a story it has been to follow - first, Sony made a movie in which the fictionalized leader of North Korea is assassinated. Then Sony gets hacked and North Korea is blamed. Theaters are alarmed and Sony pulls the film from its Christmas release, then they change course and the movie, "The Interview," came out in independent theaters yesterday. This whole saga brought cybersecurity to the forefront of national security conversations.
Turns out there is a global underground market where people trade in malicious code and where you can find the tools needed for an attack like the one unleashed against Sony. These markets make it relatively easy to attack a global company and make it hard to trace the perpetrators. Here's Steve Henn from NPR's Planet Money team.
STEVE HENN, BYLINE: Mark Rogers is a principle researcher at the computer security company CloudFlare. He's been tracking the attack on Sony for weeks, analyzing the code the hackers used.
MARK ROGERS: This is Windows malware. It's fairly sophisticated. It's very complex and it's modular. It's made up of lots of different bits.
HENN: Rogers says the attackers took one piece of code from one place, one piece of code from another and snapped it together, kind of like a Lego set. Some of this code is malicious, some is legit. But the FBI believes this attack was carried out by North Korea because some of these bits of nasty code have been used by North Korean hackers in the past, but Rogers isn't completely convinced.
ROGERS: The malware world is really incestuous. You've got people who share source code, who borrow things like hacking tools or even commercial pieces of software.
HENN: And these bits and pieces of malware are bought and sold in a global underground market. Hackers who trade here can build their own unique attacks by snapping together parts that other groups have developed. Rogers says he knows Russians who will sell a complete malware attack right off the shelf.
ROGERS: They'll sell it to you with a subscription. When the malware is identified successfully by antivirus, they'll update it for you so the antivirus can no longer detect it.
HENN: It's kind of like software as a service, but for thieves. And it's not just criminals who are buying and selling computer attacks on these gray markets.
CHACE SHULTZ: Typically, the U.S. government pays out higher than anyone else.
HENN: Chace Shultz is a computer researcher. Researchers like Shultz spend their days searching for ways to pick the digital locks which are intended to keep all of our machines safe. When they find a key for a lock like that, they can sell it.
SHULTZ: If they were to sell that to another government or that type of thing, they, you know, could potentially sell that for, you know, hundreds or tens of thousands of dollars.
HENN: But Shultz says most researchers and hackers don't sell directly to government agencies. Instead, people like this usually sell their attacks to a small global network of brokers. In a sense, these brokers are the arms dealers of the digital age. They act as go-betweens - connecting researchers or hackers with buyers, like governments and organizations, who are searching for backdoors into computer networks.
SHULTZ: You can take an exploit to one of these people and they will go forth on your behalf.
HENN: An exploit is like a key to a digital lock and selling these things can be a lucrative business, but Schultz says it's also ethically dicey.
SHULTZ: The other thing I have to wonder too with some of these brokers and vulnerability markets is - are they double selling?
HENN: Researchers like Shultz say after you sell a computer vulnerability on this gray market, you can never be sure exactly how it will be used or where it will end up. Steve Henn, NPR News.
NPR transcripts are created on a rush deadline by Verb8tm, Inc., an NPR contractor, and produced using a proprietary transcription process developed with NPR. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.