When it comes to hacking attacks with criminal or state-sponsored espionage intent, there are two holy grails for threat actors: messenger apps and zero-day exploits. Put them together, and you have a recipe for disaster on a massive international scale. This is why an offer by a Russian zero-day broker, which only sells exploits to Russian private and government organizations, to pay a staggering $4 million for a zero-day exploit attack against the Telegram app is of so much concern. Here’s what you need to know.
The Telegram Zero-Day Attack Bounty Business
Thinking of a zero-day vulnerability in terms of the Holy Grail of cyberattack tools isn’t too wide of the mark. A zero-day vulnerability refers to any previously undiscovered bug that could enable an attacker to do something they really shouldn’t be able to. The important thing is that this could allow unauthorized, remote, and even no-click access to a system, a user, or data. When a threat actor discovers this and uses it in an ongoing attack before security researchers or the vendor do, so there is no opportunity to roll out a fix before the attacks begin, it is known as a zero-day exploit. There are, quite literally, zero days to fix the vulnerability and stop the attacks. OK, so now you understand the urgency of the method, you should also understand the urgency of the concern that a broker is offering such a high price for anyone who can supply it with a full-chain zero-day attack against the Telegram messenger app. Especially when the only people that broker will sell to are private and government organizations in Russia itself “for offensive and defensive operations in cyberspace.”
Operation Zero Puts Up $6 Million To Buy Telegram Zero-Days
A March 20 posting to the X social media platform was the unlikely place where rewards totaling $6 million were offered to hackers who could find zero-days in the Telegram messenger service.
The Operation Zero brokerage said that it would pay the rewards for remote code execution zero-days targeting Android, iOS and Windows as follows:
Telegram 1-click RCE — Up to $500,000
Telegram 0-click RCE — Up to $1,500,000
Telegram full chain — Up to $4,000,000
I have reached out to both Telegram and Operation Zero for a statement and will update this article if any are forthcoming.