A surveillance contractor was advertising a series of unknown vulnerabilities, or zero-days, as part of a wide-ranging—and shady—catalog of hacking services offered to governments around the world.
Aglaya, a small and little-known Indian contractor, was selling zero-days for Windows operating systems, Microsoft Word, Android, WiFi, and even supervisory control and data acquisition (SCADA) networks, the technology that controls critical infrastructure such as power grids or nuclear power plants.
The company advertised vulnerabilities for Windows XP, 7, 8, 2000 and 2012, as well as the non-existent Windows 9 and Windows 2014, for $1.5 million, according to a leaked brochure dated 2014. A flaw that would give hackers the ability to control an Android cellphone—"remote code execution," as it's known in hacker lingo—cost $500,000, exploits to hack WiFi networks were priced at $1.5 million, and SCADA bugs for "all Siemens hardware" were the most expensive, going for $2 million.
Selling unknown vulnerabilities has become a lucrative business in the last few years. Last year, a well-known seller of zero-day exploits launched a new company that pays security researchers for their bugs and exploits and then resells them to governments for "premium" payments. The company, called Zerodium, made a big splash when it challenged researchers to develop a chain of zero-days that would allow an attacker to remotely jailbreak an iPhone, promising a reward of $1 million. A few weeks later, unknown developers claimed the prize, according to Zerodium.
It's a competitive market. As tech companies offer bounties of their own to encourage and reward researchers who report vulnerabilities directly to them so they can be fixed, companies like Zerodium or Exodus Intelligence offer higher payments to purchase the vulnerabilities themselves, hoping to resell them for even more money. When Apple finally launched its own bug bounty program a few weeks ago, Exodus Intelligence responded with its own program to acquire iOS bugs, which promises payments double those of Apple.
The Aglaya catalog is dated 2014, and it's unclear if the company still sells zero-days. Aglaya's CEO and founder Ankur Srivastava told Motherboard the company doesn't sell hacking products anymore, and instead pitched a defensive security product.
Earlier this month, Motherboard revealed that Aglaya was advertising other, much shadier, services such as "Weaponized Information" services with the goal to "pollute" internet search results and social networks like Facebook and Twitter "to manipulate current events." In response to that story, Srivastava said that the company is out of that business, and that it was all some sort of misunderstanding.
"I would go the distance to aim to convince you that we are not a part of this market and unintentionally underwent a marketing event at the wrong trade-show," Srivastava said.
Robert Lee, the founder of security firm Dragos and an expert in infrastructure hacking, said that the alleged Siemens vulnerability Aglaya had for sale shows the company doesn't really understand critical infrastructure, since there is rarely a need for a SCADA zero-day.
"It's a gross attempt to seem technical and relevant in a field they obviously do not understand," Lee told Motherboard.
Ryan Duff, a security researcher and former member of US Cyber Command, agreed, doubting the credibility of the company. Duff said that the biggest "red flag" is the fact that they claim to upload the zero-days to VirusTotal, a public repository where researchers can submit and scan suspicious files. That, Duff explained, would nullify the usefulness of the zero-days by risking their exposure.
"No company selling these types of products would ever do that," Duff told Motherboard. "Also, their pricing is ridiculous for what they are claiming to offer."
Lee, who also used to work in the intelligence community, criticized Aglaya.
"There is no legitimate reason for selling exploits for ICS. Definitely not lawful intercept," Lee said. "This company in many ways is automatically despicable in my opinion."
Regardless of whether this zero-day catalog is outdated, one thing is clear: companies all over the world are racing to provide governments with the means of hacking into computers and cellphones. And as more sophisticated encryption makes its way into everyone's communications devices, making traditional police investigation techniques such as wiretapping obsolete, governments will need to hack more.
This story has been updated to include Duff's comments.