The Indian government misused a US company’s technology amid warnings that Americans are contributing to a spyware industry already under fire for being out of control, Forbes reported. Earlier this year, researchers at the Russian cybersecurity firm Kaspersky discovered a cyberespionage campaign targeting Microsoft Windows PCs at government and telecom entities in China and Pakistan. The campaign began in June 2020 and ended in April 2021.
Researchers were intrigued by the hacking software used by the digital spies, whom Kaspersky had dubbed ‘Bitter APT’, a pseudonym for an unidentified government agency. Several elements of the code looked similar to what the Moscow-based antivirus provider had seen before and attributed to a company given the cryptonym ‘Moses’, the report said. In some cases, American companies are not the victims but the ones fueling costly digital espionage. According to two sources with knowledge of the Kaspersky research, Moses is actually a company based in Austin, Texas, called Exodus Intelligence. Bitter APT was Moses’ customer in India, one source added.
Though little known outside the cybersecurity and intelligence worlds, Exodus has made a name for itself over the last ten years, including a Time magazine cover story. When requested by Five Eyes countries (a group of countries that share intelligence) or their allies, Exodus will provide both information on a zero-day vulnerability and the software required to exploit it.
For up to $250,000 a year, it also offers a feed of software vulnerabilities without exploits, delivered somewhat like a Facebook news feed. Intended as a defender’s tool, the Exodus zero-days usually cover the most popular operating systems, such as Windows, Google Android, and Apple iOS. That feed is what India probably acquired and weaponized, according to Exodus CEO and co-founder Logan Brown. Forbes reported that after an investigation, he believes India selected one of the Windows vulnerabilities from the feed to gain access to Microsoft’s operating system, and that Indian government personnel or a contractor adapted the vulnerability for malicious purposes.
After India was cut off from buying new zero-day research from Brown’s company in April, the company worked with Microsoft to patch the vulnerabilities. Exodus does not limit what customers do with its research, but Brown said using it offensively would be inappropriate. ‘I don’t want any part of it,’ he added, Forbes reported. (The Indian embassy in London didn’t respond to a request for comment.)
Furthermore, the company investigated another vulnerability Kaspersky attributed to Moses, a flaw that allowed a hacker to gain higher privileges on a Windows computer. Although the vulnerability was not connected to any particular espionage campaign, Brown confirmed it was one of his company’s, adding that it would be ‘logical’ that either India or one of its contractors weaponized that vulnerability as well, the report said. In addition, Brown is investigating whether the company’s code has been leaked or abused by others. According to Kaspersky, in addition to the two zero-days already exploited, ‘at least six vulnerabilities’ created by Moses have been exploited in the past two years.
Moreover, according to Kaspersky, another hacking group called DarkHotel, believed by some cybersecurity researchers to be sponsored by South Korea, has also used Moses’ zero-days. Exodus does not serve South Korea. According to Brown, some of the research sold to India was suspected of leaking; since Brown cut India off, the assumption is that this suspicion was correct. Brown’s company could have chosen not to sell to India, which has been accused of abusing spyware in recent revelations about software made by Israel’s $1 billion-valued NSO Group, the report stated.