Orpheus data shows downward trend in zero-day use in nation-state operations

Data from our repository of intelligence reports (IntReps) highlights the extent to which advanced nation-state threat actors are reducing their reliance on zero-day exploits. A zero-day is an exploit for a vulnerability that is not yet known to the vendor or to defenders, meaning that the victim has had zero days to react and patch the flaw. Discovering such vulnerabilities typically requires extensive resources and specialist technical understanding, which normally means that only nation-state actors and some sophisticated cybercriminal groups are able to use them in their operations.

Our data shows decreasing use of zero-days by known nation-state threat actors between November 2013 and June 2018. Of a total of 41 IntReps covering the use of zero-days in this period (some IntReps cover multiple zero-days), 32 were published between November 2013 and the end of 2016, with only 9 between January 2017 and June 2018. This decrease can be largely attributed to the decline in zero-day exploitation by Chinese state groups: reports of Chinese-affiliated nation-state groups using zero-days fall markedly after 2015 and disappear entirely at the beginning of 2016.

Orpheus’ IntRep data shows a decrease in zero-day use by nation-state APT groups

We attribute the decline in nation-state exploitation of zero-day vulnerabilities to several factors. A zero-day is a distinctive artefact that can help identify the perpetrator of an incident, which is increasingly relevant in the current political climate surrounding malicious cyber activity. Factors such as the 2015 Sino-US agreement to stop cyber espionage for commercial purposes have increased the pressure on China to cease commercial espionage, as has Beijing's desire to be seen as a responsible and dependable global power, especially since President Trump's election and the advent of a more erratic style of US diplomacy. Similarly, since the Snowden leaks contributed to the attribution of groups such as Equation Group to the US and revealed the NSA's capabilities, the US appears to have redoubled its efforts to avoid having its operations detected. This is illustrated by the extensive obfuscation measures used in operations such as Slingshot and Project Sauron. This increased emphasis on hindering forensic analysis may also, in some cases, have obscured the exploitation of zero-day vulnerabilities, so part of the observed decline may reflect reduced visibility rather than reduced use.

Furthermore, the increasing cost of discovering and exploiting zero-day vulnerabilities makes them a less attractive option. Zerodium, a company that buys and sells zero-day research, now offers up to USD 1.5 million for a single submission, and its rising payouts reflect the market rate for this research. The emergence of companies such as Zerodium and the growing uptake of bug bounty programmes mean that more vulnerabilities are found and reported by parties other than nation-states, such as security researchers who make a living from disclosing vulnerabilities, which shortens the window in which any given bug remains unknown. Improvements in software security standards and exploit mitigations are also reducing the pool of exploitable vulnerabilities in the first place.

Finally, nation-state units are increasingly adept at reacting to vulnerabilities as they are publicly announced and exploiting them before targets have had the opportunity to apply patches, an approach often called one-day (or N-day) exploitation. Groups such as DarkHotel have rapidly incorporated exploits first used by other actors, and CNNVD, China's National Vulnerability Database, has also appeared to delay the publication of some vulnerabilities in a way that allows temporary exploitation by state units before the wider community is aware of them.

Despite this overall decline in zero-day exploitation, the continued presence of known but unpatched vulnerabilities on target networks still allows nation-state actors to compromise their targets. The increasing use of publicly available tools and frameworks such as Metasploit, Mimikatz and Cobalt Strike also accounts for part of this decreasing dependence on exploiting unknown vulnerabilities. Statements issued by the NSA support this, particularly its claim that it has not responded to an intrusion involving a zero-day vulnerability in the past two years. North Korea is the exception to this general decline, with its use of zero-days increasing. However, that increase is largely attributable to the expanding capability, scale and scope of North Korea's operations rather than to any tactical shift in favour of exploiting zero-days. Some of these zero-days have also been in software specific to South Korea (such as the Hangul Word Processor), which has been less affected by the market and security-standard shifts discussed above.

This shift reaffirms the need for companies to focus on patching known vulnerabilities. Because of the sheer volume of known vulnerabilities typically present on an online estate, adopting a threat-led approach and looking at vulnerabilities from a threat actor's perspective, asking which of them the actors that target you are already exploiting and which have public exploit modules, is critical in understanding which patches to prioritise.
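As an added illustration of what threat-led prioritisation looks like in practice, the script below ranks unpatched findings by actor behaviour rather than by CVSS alone. It is example code written for this page, not an Orpheus tool; the vulnerability IDs, asset names, actor names and intelligence entries are constructed placeholders (the `CVE-0000-*` identifiers are not real CVEs), and the weightings in `priority_score` are an assumption chosen to make threat factors outweigh raw severity.

```python
"""Threat-led patch prioritisation: rank known vulnerabilities on an estate by how
likely a tracked threat actor is to exploit them, rather than by CVSS alone.

Added example, not Orpheus code. Every vulnerability ID, asset, actor and intel
entry below is a constructed placeholder, not a real CVE or IntRep record.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Finding:
    """One unpatched vulnerability on one asset, as reported by a scanner."""
    vuln_id: str
    asset: str
    cvss: float            # base score 0-10 from the scanner
    internet_facing: bool  # reachable from outside the perimeter
    disclosed: date        # date of the vendor advisory


@dataclass(frozen=True)
class ThreatIntel:
    """What is known about attacker behaviour for each vulnerability."""
    exploited_by: dict     # vuln_id -> set of actor names observed using it
    public_exploit: set    # vuln_ids with a public exploit or framework module
    relevant_actors: set   # actors assessed to target this organisation


def priority_score(f: Finding, intel: ThreatIntel, today: date) -> float:
    """Score in [0, 100]; the weights are an assumption, not an industry standard."""
    score = f.cvss * 4.0                       # severity alone caps at 40
    actors = intel.exploited_by.get(f.vuln_id, set())
    if actors & intel.relevant_actors:
        score += 30.0                          # an actor that targets us already uses it
    elif actors:
        score += 15.0                          # exploited in the wild, but outside our threat model
    if f.vuln_id in intel.public_exploit:
        score += 15.0                          # usable by anyone with Metasploit-style tooling
    if f.internet_facing:
        score += 10.0                          # no initial foothold needed
    # One-day window: state units weaponise advisories within days, so a freshly
    # disclosed bug that is already exploited or has a public module gets a boost.
    age_days = (today - f.disclosed).days
    if age_days <= 14 and (actors or f.vuln_id in intel.public_exploit):
        score += 5.0
    return min(score, 100.0)


def prioritise(findings, intel: ThreatIntel, today: date):
    """Return (vuln_id, asset, score) tuples, highest priority first."""
    scored = [(priority_score(f, intel, today), f) for f in findings]
    scored.sort(key=lambda s: (-s[0], s[1].vuln_id, s[1].asset))
    return [(f.vuln_id, f.asset, round(s, 1)) for s, f in scored]


# Constructed sample data (placeholders, not real vulnerabilities or actors).
TODAY = date(2018, 6, 30)

INTEL = ThreatIntel(
    exploited_by={
        "CVE-0000-0001": {"ACTOR-A"},   # actor in our threat model
        "CVE-0000-0002": {"ACTOR-C"},   # actor that does not target our sector
    },
    public_exploit={"CVE-0000-0001", "CVE-0000-0003"},
    relevant_actors={"ACTOR-A", "ACTOR-B"},
)

FINDINGS = [
    # actor-used, public exploit, internet-facing, disclosed 10 days ago
    Finding("CVE-0000-0001", "vpn-gw-01", 7.5, True, date(2018, 6, 20)),
    # critical CVSS, but only exploited by an actor outside our model, internal host
    Finding("CVE-0000-0002", "hr-db-02", 9.8, False, date(2017, 1, 10)),
    # medium CVSS, public exploit, internet-facing, old advisory
    Finding("CVE-0000-0003", "web-01", 6.5, True, date(2018, 3, 1)),
    # highest CVSS on the estate, no known exploitation at all
    Finding("CVE-0000-0004", "build-07", 9.9, False, date(2016, 5, 5)),
]

if __name__ == "__main__":
    for vuln_id, asset, score in prioritise(FINDINGS, INTEL, TODAY):
        print(f"{score:5.1f}  {vuln_id}  {asset}")
```

With the constructed data the CVSS 7.5 finding on the VPN gateway ranks first (score 90.0) because a relevant actor is already exploiting it, a public module exists, it is internet-facing and the advisory is fresh, while the CVSS 9.9 finding with no known exploitation ranks last (39.6). The intel tables would normally be fed from a threat intelligence platform rather than hard-coded.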