Proprietary Platforms and the Strategic Intelligence Gap
Third in a series on platform vendor accountability and security governance
There is a line of argument in enterprise security culture that runs something like this: defenders are disadvantaged because attackers only need to succeed once. This framing is not wrong, but it is incomplete in a way that matters. The more consequential asymmetry is not about frequency of success. It is about knowledge. The attacker understands the target at a level the defender is structurally prohibited from reaching. In the case of proprietary platforms — and Windows in particular — that prohibition is not incidental. It is written into the licensing agreement.
The first two articles in this series made the commercial and technical case for this argument. The first established that Microsoft's patch governance reflects a deliberate business posture, one shaped by the structural conflict of interest inherent in a company that simultaneously sells the platform and the security products designed to manage the platform's residual risk. The second argued that the proprietary model converts vendor remediation decisions into unilateral policy: when the vendor declines to patch, the customer has no recourse, because the customer has no access to the code.
This third piece follows the structural argument to its adversarial conclusion. If the proprietary model denies defenders access to the codebase, it simultaneously and symmetrically advantages any actor who invests in understanding that codebase from the outside. The closedness of the platform is not a neutral condition. It is an asymmetric advantage that accrues entirely to actors with the resources, patience, and legal impunity to reverse-engineer what Microsoft's customers are not permitted to audit. The result is a structural intelligence gap — a persistent, architectural advantage for sophisticated offensive actors — that no amount of endpoint detection, compensating control, or security awareness training can close, because it is not a product of insufficient tooling. It is a product of the licensing model.
I. The Reverse Engineering Economy
Nation-state intelligence services do not use Microsoft products the way their victims do. They do not read the documentation, apply the patches, and escalate to vendor support when something breaks. They read the binary. For the NSA's Tailored Access Operations unit, for GRU Unit 74455 — known publicly as Sandworm — for China's APT41, for Israel's Unit 8200, and for a small number of other organizations with comparable resources and mandates, the Windows codebase is not a vendor product to be trusted. It is a target to be mapped.
This is not a metaphor for good security practice. It is a specific industrial activity. Teams of skilled analysts, working with professional-grade reverse engineering tools and sustained institutional support, spend careers developing deep knowledge of Windows internals — the kernel, the memory management subsystem, the networking stack, the boot process — at a level of detail that neither Microsoft's enterprise customers nor most of its own engineers engage with operationally. The output of that work is a portfolio of vulnerabilities: conditions in the code that can be exploited to achieve code execution, privilege escalation, or persistence, in ways that the platform's designers did not intend and that the platform's customers cannot detect.
The economic logic of this investment is direct. A vulnerability in an open-source platform has a finite shelf life. The community can audit the code. A researcher can find the same flaw independently. The vendor can be pressured to act. The window between discovery and remediation narrows over time as tooling improves and the community grows. A vulnerability in Windows, by contrast, is a private asset with a lifespan calibrated by a single variable: whether the vendor eventually discovers and patches it. If the vendor does not know, and the customer cannot look, the vulnerability can remain operationally viable for years. This is not a theoretical property of the closed model. It is an empirically documented one.
The Vault 7 disclosures, published by WikiLeaks beginning in March 2017, offered an unusual window into the CIA's offensive cyber programme. The initial release — comprising 8,761 documents and files from an isolated network within the agency's Center for Cyber Intelligence — described a Windows exploitation toolkit of considerable breadth. Tools with names like AfterMidnight, Assassin, and Pandemic were not novel concepts. AfterMidnight was a persistent Windows service implant framework; Pandemic was designed to sit on a Windows file server and silently replace legitimate executables with trojaned versions as they were retrieved by network users — meaning that an infection on a single file server could propagate to any machine that accessed it, with the source remaining undetectable on disk. These tools existed because Windows is closed. The investment in their development was rational precisely because the platform's opacity gave that investment durable returns.
II. EternalBlue: The Paradigm Case
No event in the history of offensive cyber operations illustrates the dynamics of the closed-platform intelligence gap more precisely than the story of EternalBlue.
The vulnerability at the centre of that story is CVE-2017-0144 — a critical remote code execution flaw in Microsoft's implementation of the SMBv1 protocol. SMBv1, a network file-sharing protocol present on virtually every Windows installation, contained a buffer overflow condition that allowed an unauthenticated attacker to send a specially crafted packet to a listening Windows machine and achieve full control of that system. The NSA discovered this vulnerability and developed it into a weaponised exploit — EternalBlue — which became one of the most valuable tools in the agency's offensive cyber arsenal. According to multiple post-disclosure accounts, the NSA held this exploit for approximately five years before alerting Microsoft to its existence, using it during that period for intelligence collection operations. One former TAO operative described the tool as being like "fishing with dynamite."
The defenders — the hundreds of millions of organisations and individuals running Windows on networks exposed to port 445 — had no means of learning about this vulnerability. They could not audit the SMBv1 protocol implementation. They could not conduct independent binary analysis of the Windows networking stack. They were entirely dependent on the vendor both to discover the flaw and to decide when to patch it. The NSA's possession of EternalBlue during those five years was therefore not merely an intelligence advantage. It was made possible by the same proprietary opacity that made the exploit worth developing in the first place. The closed platform created the conditions for the secret to be worth keeping.
What happened next is well-documented. In early 2017, the NSA concluded that its tools had been compromised — almost certainly by the Shadow Brokers, a group whose identity and affiliation remain a matter of informed speculation but whose access to NSA tooling has been attributed by multiple intelligence assessments to Russian intelligence. The agency informed Microsoft of the SMBv1 vulnerability in February 2017. Microsoft patched it in Security Bulletin MS17-010, released on March 14, 2017. The Shadow Brokers published the NSA's exploit toolkit on April 14, 2017 — exactly one month after the patch was released, and before the majority of the world's Windows estate had applied it.
The timeline of what followed is a study in the economics of deferred remediation. On May 12, 2017, WannaCry — a ransomware worm attributed by US, UK, and Australian governments to North Korea's Lazarus Group — began propagating globally using EternalBlue as its primary lateral movement mechanism. It infected an estimated 200,000 to 300,000 systems across 150 countries within days. The UK's National Health Service was among the most visibly damaged victims, with hospitals forced to divert emergency patients and cancel appointments. The economic cost of WannaCry has been estimated at roughly $4 billion in losses.
Six weeks later, on June 27, 2017, NotPetya arrived. Unlike WannaCry, NotPetya was not ransomware in any meaningful functional sense — it was a destructive wiper disguised as ransomware, developed by GRU Sandworm and deployed against Ukrainian critical infrastructure via a poisoned update to M.E.Doc, a widely-used Ukrainian accounting software package. From that initial foothold in Ukrainian systems, NotPetya spread laterally using EternalBlue and a second Shadow Brokers-leaked exploit, EternalRomance, combined with Mimikatz-based credential harvesting and abuse of native Windows administration tools including WMIC and PsExec. Because it exploited these mechanisms to move within networks rather than just across the internet, patched systems on the same network as unpatched ones were still vulnerable to lateral movement via stolen credentials.
The collateral damage from NotPetya extended well beyond Ukraine. Shipping giant Maersk lost between $200 and $300 million and had to rebuild its entire IT infrastructure — 45,000 PCs, 4,000 servers, 2,500 applications — in ten days. Pharmaceutical company Merck sustained losses of approximately $870 million. FedEx's TNT Express subsidiary reported damages around $400 million. The White House's post-incident assessment put total global damages above $10 billion, making NotPetya the most economically destructive cyberattack ever recorded at that time.
The forensic question this series has been building toward is the counterfactual: what would Microsoft's customers have done differently if Windows had been open?
The honest answer is that some of them would have found CVE-2017-0144 before the NSA did. The SMBv1 buffer overflow was not an exotic flaw requiring nation-state resources to discover. It was a relatively straightforward memory corruption vulnerability in a network-facing protocol that had been present in Windows since the 1990s. An open codebase would have enabled independent security researchers, enterprise security teams, and academic institutions to audit the SMB implementation without depending on Microsoft's internal review cycles. Some would have found it. The vendor would have been under pressure to patch it. The five-year operational window the NSA enjoyed — the window that transformed a software defect into a $14 billion global catastrophe — would not have existed.
III. Below the Operating System
EternalBlue operates at the application protocol layer, which is to say at a level of the stack where defenders have at least some theoretical means of observation. The more epistemologically troubling frontier is lower: the firmware, the boot process, and the UEFI environment that the operating system depends on. At that depth, the asymmetry between attacker and defender reaches its maximum expression.
In February 2015, Kaspersky Lab's Global Research and Analysis Team published a report on a threat actor they designated the Equation Group — widely assessed by the security research community to be the NSA's TAO unit based on technical overlaps with tools described in Snowden-era NSA documents. The Equation Group's tooling, documented under names including EquationDrug and GrayFish, included a capability that was, at the time of its disclosure, considered by some to be the theoretical upper bound of offensive persistence: the ability to reprogram the firmware of hard disk drives.
The scope of this capability bears precise statement. The Equation Group's firmware modules could rewrite the operating code embedded in the storage hardware of drives manufactured by Seagate, Western Digital, Toshiba, Maxtor, IBM, and others — more than a dozen major brands in total. A firmware-level implant of this kind survives everything that a defender might conventionally do to remediate a compromise: it survives antivirus scanning, it survives full disk reformatting, it survives complete operating system reinstallation. Once the firmware is modified, the drive can resurrect the implant at boot. As Kaspersky's principal security researcher described it at the time: "For most hard drives there are functions to write into the hardware firmware area, but there are no functions to read it back. It means that we are practically blind, and cannot detect hard drives that have been infected by this malware." This was not a failure of the security industry's tooling. It was a structural consequence of how storage hardware is designed to function, exploited by an actor that had invested in understanding it at a depth unavailable to defenders.
The Equation Group's firmware capability required detailed knowledge of the internal architecture of each supported drive model — meaning that teams of engineers had spent significant time reverse-engineering proprietary hardware firmware to understand how it could be modified in ways the manufacturer had not provided for. The same logic that applies to the Windows codebase applies here: the opacity of the firmware creates a knowledge asymmetry, and that asymmetry, when weaponised at scale by a well-resourced actor, becomes a persistent strategic advantage.
The firmware frontier has not stood still. In the years since the Equation Group's capabilities were disclosed, a sequence of increasingly capable UEFI bootkits has moved from nation-state exclusive to a broader attacker population. UEFI — the Unified Extensible Firmware Interface that replaced legacy BIOS and controls the boot sequence before the operating system loads — occupies a position of trust that no software-layer security control can reliably verify. Malware that establishes itself in the UEFI firmware runs before Windows starts, before any Windows security agent initialises, and before any Windows trust chain can be applied.
LoJax, discovered by ESET in 2018 and attributed to Russia's APT28, was the first publicly confirmed UEFI rootkit found in active use against real targets. MosaicRegressor, documented by Kaspersky in 2020, was a modular UEFI framework attributed to a Chinese-speaking actor and used in operations against diplomatic and NGO targets with connections to North Korea between 2017 and 2019. CosmicStrand, also attributed by Kaspersky to a Chinese-speaking threat actor, was found to have been deployed in the wild since at least the end of 2016 — predating all other publicly documented UEFI implants — and survives for the entire operational life of affected hardware. As Kaspersky's researchers observed: "This discovery begs a final question: if this is what the attackers were using back then, what are they using today?"
BlackLotus, documented by ESET in March 2023, represented a qualitative escalation. It was the first publicly confirmed UEFI bootkit capable of bypassing Secure Boot — Microsoft's platform mechanism, implemented via a chain of cryptographic signatures, designed specifically to prevent the execution of unsigned code during the boot process. BlackLotus achieved this by exploiting CVE-2022-21894, a vulnerability in the Windows Boot Manager that had been patched by Microsoft in January 2022, but whose affected binaries had not yet been added to the UEFI revocation list. The gap between patching a vulnerability and revoking trust in vulnerable binaries — a gap that exists because the revocation process is managed by Microsoft, not by the customer — was precisely the window BlackLotus exploited. A fully patched Windows 11 system, with Secure Boot enabled, was still vulnerable.
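The revocation gap described in that paragraph can be made concrete with a small model. The following is an added example, not code from this article, from ESET or from Microsoft: it parses a UEFI dbx blob (a sequence of EFI_SIGNATURE_LIST structures) into the set of revoked SHA-256 hashes and then applies the Secure Boot load rule to a constructed pair of boot manager builds. The image bytes, the signer name and the dbx contents are all constructed, and the load decision is simplified (certificate-based dbx entries and signature verification itself are modelled as a trusted-signer lookup).

```python
"""Model of the Secure Boot patch-versus-revocation gap.

Constructed example, not code from the original article or from any vendor.
  1. parse_dbx walks a UEFI dbx (forbidden-signatures) blob, which is a
     sequence of EFI_SIGNATURE_LIST structures, and collects SHA-256 entries;
  2. boot_allowed models the boot manager's load decision: an image loads
     only if its signer is trusted and its hash is not in dbx.
"""
import hashlib
import struct
import uuid

# GUID that marks a signature list whose entries are raw SHA-256 hashes
# (EFI_CERT_SHA256_GUID from the UEFI specification).
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
SIG_LIST_HDR = struct.Struct("<III")  # SignatureListSize, SignatureHeaderSize, SignatureSize
SHA256_SIG_SIZE = 16 + 32              # SignatureOwner GUID + 32-byte hash


def build_dbx(hashes: list[bytes]) -> bytes:
    """Serialise SHA-256 hashes as one EFI_SIGNATURE_LIST (constructed test data)."""
    owner = uuid.UUID(int=0).bytes_le  # owner GUID plays no part in the check; zero it
    entries = b"".join(owner + h for h in hashes)
    list_size = 16 + SIG_LIST_HDR.size + len(entries)
    return EFI_CERT_SHA256_GUID.bytes_le + SIG_LIST_HDR.pack(list_size, 0, SHA256_SIG_SIZE) + entries


def parse_dbx(blob: bytes) -> set[bytes]:
    """Collect every SHA-256 hash entry from all signature lists in a dbx blob.

    Lists of other types (for example revoked X.509 certificates) are skipped,
    so a caller that also needs certificate-based revocation must extend this.
    """
    revoked: set[bytes] = set()
    off = 0
    while off < len(blob):
        if off + 16 + SIG_LIST_HDR.size > len(blob):
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = SIG_LIST_HDR.unpack_from(blob, off + 16)
        if list_size < 16 + SIG_LIST_HDR.size or off + list_size > len(blob):
            raise ValueError("bad SignatureListSize")
        data_start = off + 16 + SIG_LIST_HDR.size + hdr_size
        data_end = off + list_size
        if sig_type == EFI_CERT_SHA256_GUID:
            if sig_size != SHA256_SIG_SIZE or (data_end - data_start) % sig_size:
                raise ValueError("malformed SHA-256 signature list")
            for p in range(data_start, data_end, sig_size):
                revoked.add(blob[p + 16:p + sig_size])  # skip the 16-byte owner GUID
        off += list_size
    return revoked


def boot_allowed(image: bytes, signer: str, trusted_signers: set[str], dbx_blob: bytes) -> bool:
    """Simplified Secure Boot decision: trusted signer AND image hash not revoked."""
    digest = hashlib.sha256(image).digest()
    return signer in trusted_signers and digest not in parse_dbx(dbx_blob)


# Constructed stand-ins: the vulnerable boot manager build and its patched
# successor, both validly signed by the same fictional platform signing CA.
OLD_BOOTMGR = b"constructed: boot manager build with the boot-time flaw"
NEW_BOOTMGR = b"constructed: boot manager build with the flaw fixed"
SIGNER = "fictional-platform-boot-ca"
TRUSTED = {SIGNER}


def after_patch_only() -> tuple[bool, bool]:
    """Patch shipped a new build but dbx was not updated: the old, still validly
    signed build loads too, so the downgrade the article describes is not
    blocked. Returns (old_loads, new_loads)."""
    dbx = b""  # no revocation entries at all
    return (boot_allowed(OLD_BOOTMGR, SIGNER, TRUSTED, dbx),
            boot_allowed(NEW_BOOTMGR, SIGNER, TRUSTED, dbx))


def after_patch_and_revocation() -> tuple[bool, bool]:
    """dbx now carries the old build's hash: only the patched build loads."""
    dbx = build_dbx([hashlib.sha256(OLD_BOOTMGR).digest()])
    return (boot_allowed(OLD_BOOTMGR, SIGNER, TRUSTED, dbx),
            boot_allowed(NEW_BOOTMGR, SIGNER, TRUSTED, dbx))


if __name__ == "__main__":
    print("patch only  (old, new):", after_patch_only())            # (True, True)
    print("patch + dbx (old, new):", after_patch_and_revocation())  # (False, True)
```

The same parser can be pointed at a real dbx export to check whether a specific boot manager hash is revoked on a given machine; which hashes to look for is a question for the vendor's revocation guidance, not something this model supplies.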
The operational consequence of this class of capability is significant enough to state explicitly: an organisation running a UEFI-level implant on its systems may have no reliable means of knowing. The implant is active before Windows loads, operates below the visibility horizon of every Windows-based security control, and in some configurations survives measures that defenders conventionally regard as definitive remediation. The defender's foundational trust assumption — that the hardware boots cleanly, that the operating system is what the vendor signed, that the security agent observes a trustworthy environment — is the attack surface. That trust assumption is structurally enabled by the opacity of the platform. An organisation that could audit the boot process independently, that was not reliant on vendor-signed firmware as its root of trust, would be in a different epistemological position.
IV. The Training Asymmetry
There is a cultural dimension to this problem that security governance conversations tend to avoid, possibly because it is unflattering and does not resolve into a product category or a control framework. Enterprise security culture, in a proprietary platform environment, is structurally oriented toward trusting the vendor.
This is not irrationality on the part of defenders. It is the correct adaptation to the model. The customer cannot touch the code. The customer cannot conduct independent vulnerability research on the platform. The customer's best available remediation strategy, when a vulnerability is known, is to apply the vendor's patch. Patch Tuesday exists as a formal ritual of this dependency: once a month, Microsoft issues its security updates, and the global enterprise security operation — tens of thousands of organisations, millions of endpoints — orients its patching cadence around a vendor-determined schedule. Security certifications teach administrators to implement vendor-recommended configurations, apply vendor guidance, and escalate to vendor support when controls are insufficient. This is a reasonable posture given the constraints of the model. But it produces a workforce that is culturally and technically oriented away from the independent code analysis that would be necessary to challenge vendor decisions about what constitutes a patchable vulnerability.
The offensive actor operates under no equivalent constraint. The nation-state analyst developing exploit code for Windows is not waiting for vendor guidance. They are not consulting documentation. They are reading the binary, probing the network stack, fuzzing the kernel interfaces, and building mental models of the platform's internals that no defensive certification curriculum teaches. The career path that produces an NSA TAO analyst, or an APT41 operator, or a GRU Unit 74455 developer, is one of systematic and deep platform scepticism: trust nothing that the vendor says about the platform's behaviour; verify everything in the assembly.
The structural result is that the defensive community, across decades of proprietary platform dominance, has developed deep expertise in vendor-mediated security operations — applying patches, tuning detection rules, managing the vendor's recommended security stack — while the offensive community has developed deep expertise in the platform itself. One community understands what Microsoft tells them about Windows. The other understands what Windows actually does. These are not the same body of knowledge, and the gap between them is not closed by better threat intelligence, more sophisticated EDR, or additional compensating controls. It is maintained by the proprietary model that makes independent verification unavailable to the defender.
V. The Zero-Day Market as Economic Structure
The proprietary platform's opacity does not merely create an operational advantage for well-resourced state actors. It creates a market. The value of a vulnerability in a closed platform scales directly with the platform's closedness: a flaw that only the attacker knows about, in a codebase that the defender cannot inspect, is worth more — often dramatically more — than the same flaw in an open platform where independent researchers might find it before it can be exploited.
Zero-day brokers formalise this pricing. Zerodium, the Washington DC-based exploit acquisition company founded in 2015 and active until it ceased public operations in 2025, published acquisition price lists that were remarkable primarily for what they revealed about the market's theory of value. At peak, Zerodium offered up to $2 million for certain categories of remote code execution vulnerability. The price list's gradations reflected a clear economic logic: the more closed the platform, the more dependent the defender on the vendor, the more valuable the undisclosed vulnerability. Windows kernel exploits, iOS zero-click exploits, browser sandbox escapes — these commanded premium prices not because the underlying vulnerabilities were necessarily more technically complex than equivalent flaws in open platforms, but because the defender's inability to audit the codebase meant that undisclosed flaws could retain their operational value for extended periods.
Crowdfense, Zerodium's principal competitor in the commercial broker market, published a revised price list in 2024 that reflected continued upward pressure on premium exploit categories. Android and iOS zero-click full chain exploits were listed at up to $5 million to $7 million. The escalation in prices tracks closely with the hardening of platform security controls over time — as vendors invest in mitigations, the residual vulnerabilities become rarer and more valuable. But the underlying market structure remains the same: the vendor's decision to close the code is the foundational condition that creates the market. Open source does not eliminate vulnerability markets — it creates different ones, with different dynamics — but it fundamentally changes the market structure by making independent discovery available and by reducing the durable value of any single undisclosed flaw.
What is often underappreciated in discussions of zero-day policy is that the classified procurement programmes of multiple intelligence services operate as the dominant purchaser segment of this market. The commercial broker market — Zerodium, Crowdfense, and their analogues — represents only the visible fraction of a larger structure in which government agencies, directly or through contractors, are the principal buyers of Windows exploit capability. The political economy of this structure has a direct consequence for platform security: there are powerful institutional actors, some of them nominally allied to the interests of Western critical infrastructure, who have a financial and operational stake in the continued undisclosure of Windows vulnerabilities. The EternalBlue story is not an anomaly in this market. It is the market operating as designed, until a secondary breach made the cost of continued stockpiling exceed the cost of disclosure.
VI. The Geopolitical Concentration Risk
There is a reason that adversary operations documentation, across decades and across multiple strategic contexts, returns consistently to Windows infrastructure as the primary target environment. It is not that Windows is uniquely insecure relative to other platforms in some absolute technical sense. It is that Windows is the dominant endpoint and server platform across the critical infrastructure of Western democracies — in government agencies, in financial institutions, in energy networks, in transportation systems, in healthcare — and the closed nature of that dominant platform means that adversaries who invest in understanding it acquire a broadly transferable strategic asset.
The NotPetya operation is the clearest documented expression of this dynamic at the geopolitical scale. The operational logic of NotPetya was not ransomware. It was destruction, delivered against Ukrainian critical infrastructure through a vector — the M.E.Doc software update mechanism — that exploited the trusted software update relationship that Windows-based enterprises depend on. Once inside a network, NotPetya's lateral movement was almost entirely Windows-native: EternalBlue for unpatched SMBv1 machines, credential harvesting via Mimikatz against Windows memory processes, and propagation via WMIC and PsExec — legitimate Windows administration tools repurposed for worm movement. NotPetya's designers had studied Windows network environments in sufficient depth to know precisely which legitimate mechanisms could be turned against their operators. The collateral damage to multinational corporations operating in Ukraine — Maersk, Merck, FedEx, Mondelez — was not incidental. It was the consequence of operating a Windows estate in an environment where a sophisticated actor had invested years in understanding how Windows estates fail.
The SolarWinds supply chain compromise of 2019 to 2020 — attributed by the US government and allied intelligence services to Russia's SVR — illustrates a different expression of the same strategic logic. The SVR's initial access to SolarWinds' build environment, achieved in September 2019, led to the injection of malicious code into the Orion software update mechanism beginning in February 2020. Orion was a Windows-based IT management and monitoring platform used by more than 30,000 organisations — including, per the post-incident reporting, nine federal agencies and approximately 100 private-sector enterprises whose systems were subsequently compromised. The trojanised Orion updates, once installed, allowed the attacker to enumerate the target network, steal credentials, and pivot to cloud environments. The dormancy period built into the SUNBURST implant — it waited fourteen days after installation before initiating command-and-control communications, and during that period actively checked for indicators of security analysis that would cause it to abort — reflected a sophisticated understanding of how Windows-based security monitoring operates and how to evade it.
The pattern across both operations is consistent: the adversary's knowledge of Windows internals, of Windows network administration mechanisms, of Windows trust models and update processes, was the operational foundation of the attack. The attacker's knowledge of Windows was significantly deeper, and differently acquired, than the defender's knowledge of the same platform. The defender's knowledge came from Microsoft. The attacker's came from sustained independent analysis of what Microsoft had built.
CISA's February 2024 advisory on Volt Typhoon confirmed a pattern that had been emerging for several years: Chinese state-sponsored actors had maintained persistent access inside US critical infrastructure — including energy, water, communications, and transportation sectors — for at least five years, using living-off-the-land techniques that exploited legitimate Windows administrative tools to blend into normal network activity. Volt Typhoon's approach — using compromised credentials, built-in Windows utilities, and legitimate management protocols as cover for long-term pre-positioning — demonstrated the same principle in a lower-noise register: deep knowledge of how Windows environments are administered, and how that administration can be mimicked indefinitely without triggering conventional detection. The median APT dwell time across operations of this class is measured in months; specific campaigns have sustained undetected access for years.
The concentration of Western critical infrastructure on a single proprietary platform is, from an adversarial strategic planning perspective, an extraordinary gift. It means that investment in understanding one codebase — one kernel, one credential architecture, one network stack — translates into operational capability across the full breadth of the target environment. The adversary does not need to develop separate expertise for the power grid, the financial system, the federal IT estate, and the defence industrial base. They are all Windows.
VII. The Structure, Complete
The series has argued across three pieces that the proprietary platform model creates three distinct but interconnected problems. The first is a governance problem: the vendor's dual role as platform provider and security product vendor creates documented incentives to defer remediation in ways that serve commercial interests at the cost of customer security. The second is a technical problem: the closed model structurally excludes customers from the remediation process, converting the vendor's remediation decisions into unilateral policy that customers have no means to override. The third — the subject of this piece — is an adversarial problem: the same opacity that prevents defenders from auditing and remediating vulnerabilities simultaneously privileges actors who invest in understanding the platform from the outside.
These are not three separate problems. They are the same condition viewed from three angles. The commercial, the technical, and the adversarial are all downstream of the same architectural choice: concentration of platform authority in a single vendor. When the vendor controls the code, the vendor controls remediation. When the vendor controls remediation, customers are dependent. When customers are dependent, and the code is closed, sophisticated adversaries who break that dependency — who refuse to be customers in any sense, and analyse the platform as a target — gain a structural intelligence advantage that no defensive investment within the constraints of the proprietary model can fully close.
It is worth being precise about what this means for the organisations that operate within those constraints. It does not mean that endpoint detection is worthless. It does not mean that patching quickly, hardening configurations, and running competent security operations programmes are pointless activities. These things reduce attack surface, accelerate detection, and limit the blast radius of incidents that occur. But they operate on the visible layer of the threat. They do not address the structural condition that creates and maintains the intelligence gap. An organisation that patches every Patch Tuesday update within 24 hours, runs best-in-class EDR, and employs a skilled security operations team is still operating with a fundamental epistemological constraint: it cannot know what the vendor has not yet disclosed, it cannot verify what the vendor has signed, and it cannot detect what operates below the horizon of the vendor's security architecture. The Equation Group's firmware implants, the BlackLotus bootkit, the SUNBURST dormancy period — these capabilities work, and have worked at operational scale, precisely at the boundary of that constraint.
The question of what it would take to change this structure is not a small one. Meaningful reform would require a combination of things that are individually achievable but collectively resistant to the inertia of the current model: vendor liability frameworks that create genuine financial consequences for undisclosed vulnerabilities and deferred remediation, of the kind the EU Cyber Resilience Act is beginning — imperfectly and gradually — to establish; procurement policies in federal and critical infrastructure contexts that weight open-source alternatives seriously enough to shift market composition over time; and, over a longer horizon, a security culture that treats platform opacity as a first-order governance risk rather than a vendor relationship management problem.
None of these are likely to happen quickly, and the proprietary platform's network effects ensure that it will remain dominant for a generation even under substantial reform pressure. But the accumulated record of what the current structure has produced — EternalBlue's five-year shadow over the world's Windows estate, NotPetya's $10 billion in collateral damage, the Equation Group's firmware capabilities that survive reimaging, the UEFI bootkits that run before the operating system trusts itself, the Chinese and Russian pre-positioning operations that sit silently in critical infrastructure for years — constitutes an argument that is not primarily about open source ideology or vendor politics. It is about what the structural conditions of the proprietary model demonstrably produce when they interact with sophisticated adversaries who are not bound by those conditions.
Platform authority is concentrated in the vendor. Everything else follows from that.
Series Conclusion
This series began with a question about governance and ended with a question about epistemology. The first piece established that Microsoft's patch decisions are not simply engineering judgements — they are business decisions made by people who understand the commercial cost of remediation and who operate within a structure that rewards deferred investment in security. The second established that the proprietary model converts those business decisions into architectural constraints that customers cannot override: when the vendor decides not to patch, the customer's only legal recourse is to wait. The third has established that the same opacity that enforces that dependency is the condition under which sophisticated adversaries build their most durable and consequential offensive capabilities.
Taken together, the three pieces describe a system in which risk and authority are systematically misaligned. The vendor has the authority — over remediation timelines, over platform architecture, over what customers can see and verify — but bears attenuated risk for the consequences of how that authority is exercised. The customer bears the operational risk of every undisclosed vulnerability, every deferred patch, every boot-process compromise, every supply-chain poisoning — but has no authority over the platform that creates those risks. The adversary bears no formal risk at all, and exploits the gap between the vendor's authority and the customer's exposure as a matter of strategic routine.
Security governance, in this analysis, is not primarily a technical problem. It is a problem of accountability architecture. The technical solutions — open source, formal verification, supply chain integrity — matter enormously, but they require the accountability structures that would make them economically viable to implement at scale. That means liability. That means procurement standards. That means a regulatory environment willing to say, with the specificity that the EU Cyber Resilience Act is beginning to approach, that platform vendors bear a duty of care to the populations that depend on their products, and that the exercise of platform authority in ways that predictably generate foreseeable harm carries legal and financial consequences.
The record documented here is not a prediction of what might go wrong. It is an account of what has gone wrong, at scale, in documented operations, with named casualties and quantified costs. The structure that produced those outcomes remains substantially intact. The question is not whether it will produce more outcomes like them. The question is how many are required before the governance response is proportionate to the problem.
For Further Research
EternalBlue, Shadow Brokers, and the NSA's Vulnerability Stockpiling Programme
Avast Security Research. "What Is EternalBlue and Why Is the MS17-010 Exploit Still Relevant?" avast.com, 2025.
Perlroth, Nicole. This Is How They Tell Me the World Ends: The Cyberweapons Arms Race. Bloomsbury Publishing, 2021. Primary reference for the EternalBlue five-year timeline and the NSA hold period.
Pylos. "The Specter of MS17-010." pylos.co, 2019. Nuanced analysis of the patch disclosure cycle and attribution questions.
Virus Bulletin Research. "EternalBlue: A Prominent Threat Actor of 2017–2018." virusbulletin.com, 2018. Technical analysis of the exploit chain and Shadow Brokers release sequence.
WannaCry and NotPetya: Casualty Accounting
CBS News. "WannaCry Ransomware Attack Losses Could Reach $4 Billion." cbsnews.com, May 2017.
Hypr. "What Is NotPetya?" Security Encyclopedia. hypr.com, 2025. Includes the corporate casualty breakdown and the $10 billion US government damage estimate.
ESET WeLiveSecurity. "TeleBots Are Back: Supply-Chain Attacks Against Ukraine." welivesecurity.com, June 2017. Contemporaneous technical analysis of the M.E.Doc attack vector and NotPetya's propagation mechanics.
The Equation Group and Firmware Persistence
Kaspersky Lab Global Research and Analysis Team. "Equation Group: Questions and Answers." Securelist, February 2015. The primary public report on EquationDrug, GrayFish, and HDD firmware reprogramming capabilities.
Check Point Research. "Intelligence Report: Equation Group." blog.checkpoint.com, March 2015.
CSO Online. "Reformatting Won't Remove Invisible and Persistent Malware Infecting Hard Drive Firmware." csoonline.com, February 2015.
UEFI Bootkits and the Boot Process Attack Surface
ESET Research. "BlackLotus UEFI Bootkit: Myth Confirmed." welivesecurity.com, March 2023. Primary public disclosure report on the first confirmed Secure Boot bypass bootkit.
Kaspersky Lab. "CosmicStrand: Sophisticated Firmware Rootkit Allows Durable Persistence." Kaspersky press release, July 2022.
Bleeping Computer. "MosaicRegressor: Second-Ever UEFI Rootkit Found in the Wild." bleepingcomputer.com, October 2020.
Binary Defense. "Running Malware Below the OS: The State of UEFI Firmware Exploitation." binarydefense.com, 2025. Comprehensive state-of-play survey of UEFI bootkit lineage.
SolarWinds and Supply Chain Compromise
US Government Accountability Office. "SolarWinds Cyberattack Demands Significant Federal and Private-Sector Response." gao.gov, April 2021.
SolarWinds. "New Findings From Our Investigation of SUNBURST." solarwinds.com, January 2021.
Threat Intelligence Report. "SolarWinds Supply Chain Attack of 2020: A Massive Espionage Campaign." threatintelreport.com, 2026.
The Zero-Day Market
TechCrunch. "Price of Zero-Day Exploits Rises as Companies Harden Products Against Hackers." techcrunch.com, April 2024. Covers Crowdfense's 2024 revised price list and the escalation in mobile platform exploit pricing.
Packetlabs. "Demystifying the Market for Zero-Day Software Exploits." packetlabs.net, 2024.
Chinese and Russian Long-Term Infrastructure Targeting
CISA Advisory AA24-038A. "PRC State-Sponsored Actors Compromise and Maintain Persistent Access to US Critical Infrastructure." cisa.gov, February 2024. Primary source confirming Volt Typhoon's five-year period of access.
New Jersey Cybersecurity and Communications Integration Cell. "China-Linked Cyber Operations Targeting US Critical Infrastructure." cyber.nj.gov.
SecurityWeek. "China's Salt Typhoon Hacked Critical Infrastructure Globally for Years." securityweek.com, August 2025.
Vault 7 and the CIA's Windows Exploitation Programme
WikiLeaks. "Vault 7: CIA Hacking Tools Revealed." wikileaks.org/ciav7p1, March 2017.
Bitdefender. "Vault 7: WikiLeaks Exposes Pandemic, CIA Infection Tool for Windows Machines." bitdefender.com, June 2017.
Center for Democracy and Technology. "Vault 7: The CIA's Cyber Capabilities Escape from the Lab." cdt.org, March 2017.
Platform Governance and the Case for Structural Reform
European Union Agency for Cybersecurity (ENISA). Analysis of the EU Cyber Resilience Act. enisa.europa.eu.
Schneier, Bruce. A Hacker's Mind: How the Powerful Bend Society's Rules, and How to Bend Them Back. W.W. Norton, 2023.
Jonathan Brown is a cybersecurity researcher and investigative journalist at bordercybergroup.com.