Mysterious hacker has been selling Windows 0-days to APT groups for three years

Hacker has sold Windows zero-days to the likes of Fancy Bear, FIN groups, and cyber-crime gangs.
Written by Catalin Cimpanu, Contributor

For the past three years, a mysterious hacker has been selling Windows zero-days to at least three cyber-espionage groups, as well as cyber-crime gangs, researchers from Kaspersky Lab have told ZDNet.

The hacker's activity reinforces recent assessments that some government-backed cyber-espionage groups --also known as APTs (advanced persistent threats)-- will regularly buy zero-day exploits from third-party entities, besides developing their own in-house tools.

APT groups believed to be operating out of Russia and the Middle East have often been spotted using zero-days developed by real-world companies that act as sellers of surveillance software and exploit brokers for government agencies.

However, Kaspersky's recent revelations show that APT groups won't shy away from dipping their toes in the underground hacking scene to acquire exploits initially developed by lone hackers for cyber-crime groups, if ever necessary.

What happened to BuggiCorp?

The hacker that Kaspersky Lab experts say has been one of the most prolific vendor of zero-days is known as Volodya, but some of our readers will recognize him from a previous nickname the threat actor used circa 2016.

Back then, using the nickname BuggiCorp, the hacker made headlines across tech news sites after putting up for sale a Windows zero-day on the infamous Exploit.in cyber-crime forum.

At the time, the ad was a shocker because you'd rarely see a hacker advertise Windows zero-days on such a public forum, with most of these transactions happening in private.

Image: Trustwave

While BuggiCorp had to drop his initial asking price several times, from $95,000 to $85,000, he eventually sold the zero-day to a cyber-crime group, and the ad helped the developer establish a reputation.

BuggiCorp used this reputation to set up a dedicated clientele and continue to sell other zero-days in private, some with prices going as far as $200,000, according to Costin Raiu, Director of the Global Research and Analysis Team (GReAT) at Kaspersky Lab, the company's elite APT tracking unit.

Since then, Kaspersky's GReAT team has been tracking the hacker under the codename of "Volodya," a nickname the hacker sometimes left behind in their exploit code.

Hacker sold zero-days to at least three APTs

"Volodya is a prolific exploit developer and zero-day seller that we have been tracking since 2015," Raiu told ZDNet in an email conversation last week.

"Volodya is short for 'Volodimir,' which is the nickname that appears in some of his work," Raiu said. "Our observations indicate Volodya is fluent in Russian, although likely of Ukrainian origin. Volodimir is also not a Russian name, but Ukrainian."

"Volodya appears to be the author of the exploit for CVE-2019-0859, that we reported to Microsoft in March 2019," the Kaspersky researcher added.

This zero-day, now patched, was abused by a cybercrime group focused on financially-focused thefts -aka a FIN group.

But CVE-2019-0859 is just the latest zero-day that Kaspersky has pinned on Volodya. Another one is CVE-2016-7255, also a Windows vulnerability, which both Raiu and Trend Micro researchers linked to the activities of the the infamous Fancy Bear Russian APT (also known as APT28, Pawn Storm, Sednit, Sofacy, or Strontium), primarily known for being one of the two Russian hacking groups that perpetrated the 2016 DNC hack.

Raiu tells ZDNet that CVE-2016-7255 is just one of the several other zero-days that Volodya has sold over the years to APT groups, but that the hacker has also continued to work with low-end cybercrime groups, which have, too, been buying and using some of these zero-days as well.

Volodya linked to one-day exploits as well

Furthermore, Raiu said that "in addition to zero days, Volodya is also developing exploits for patched vulnerabilities, such as one-days, or exploits for older vulnerabilities, that are considered stable and reliable and could still work for unpatched machines."

For all intents and purposes, Volodya appears to have made from zero-day and exploit development a career choice and has attached quite the portfolio to his name already.

Furthermore, with a price tag of $200,000 for a Windows local privilege escalation zero-day and an established list of clients ranging from government intelligence agencies and cyber-crime gangs, Volodya could very well be in charge of his very own team of developers or exploit-brokering company, a theory that cannot be dismissed at this point, in the lack of more palpable details.

An earlier version of this story cited a Kaspersky webinar and claimed that Volodya was also behind a zero-day used by the FruityArmor and SandCat APTs. This is incorrect, as the zero-day discussed in the webinar, and shared by these two APTs, came from another, different zero-day vendor.

Windows 10 May 2019 Update: The new features that matter most

Related malware and cybercrime coverage:

Editorial standards