Russians Offer Real Money
Russian firm, Operation Zero, has caused a significant stir in the tech community with a $20 million dollar promise. This bounty is their call for top-notch developers and researchers to join forces in developing mobile hacking tools for the express purpose of exploiting advanced smartphones: iPhones and Androids alike. Revealed on the platform formerly known as Twitter this past Tuesday, the offer showcases Operation Zero’s ambitious intent to reward those who can crack Remote Code Execution, Local Privilege Escalation, and Sandbox Escape exploits.
Kern Smith, from mobile security from Zimperium, articulates the gravity of the situation: “Mobile devices are woven into both our personal and professional narratives. With their central role, they invariably become the bulls-eye for both nation-state and non-state threat actors. The magnitude of attacks on these devices has soared year after year, often involving elusive zero-day exploits.”
Smith further elucidates that while zero-day exploits continue to be prized tools in the arsenals of threat actors, the attack strategies are evolving. Now, mobile devices—regardless of their operating systems—are facing a greater threat from malware and phishing campaigns.
Attacks on Phones Payoff for Russians
Hello Comrade, I am sit on pile of cash. Many rubles.
Giving further weight to the issue is the fact that mobile devices are both priceless and vulnerable targets. For a malicious attacker, they offer high returns on investment and curiously low risk. Smith states, “This grey market is expressing great awareness by prioritizing accordingly.”
Stoking further controversy is Russia‘s peculiar clause that the target of these exploits must be a user in a non-NATO country. This simple, yet powerful geopolitical condition balloons the multifaceted nature of the implications—amplifying concerns about how the produced hacking tools may be misused.
Payoff May Come with Risks
Casey Ellis, the founder and CTO of Bugcrowd, argues this move by the Russian firm is fraught with risk. “Collaboration with Operation Zero could result in violation of both technology and financial transfer sanctions, given the OFAC sanctions against Russia. Apart from that, the range of the reward, from $200k to an astronomic $20m, is undeniably broad. Twenty million seems an excessively high payment for even a full mobile chain in the current model.”
The announcement comes shortly after OpenAI launched its bug bounty program on April 11th, 2023, which offers rewards of $20,000 to white hat hackers who understand Mobile Hacking and can unearth security loopholes—an initiative that stands in stark contrast to Operation Zero’s mission. As both opportunities play out, one thing is clear: the cybersecurity landscape is shifting rapidly, and the stakes are higher than ever.