What is the commercial cyber proliferation threat?
The widespread availability of cyber tools and services has significantly reduced the barriers to entry for both state and non-state actors seeking advanced capabilities and intelligence. Some commercially available intrusion cyber products and services now rival the sophistication of state-linked Advanced Persistent Threat (APT) groups. This poses an increased threat to UK businesses looking to protect themselves online.
While much of the commercial cyber sector primarily caters to domestic state demand from law enforcement and government agencies, there has been a noticeable increase in enterprises offering a wide range of products and services to global customers over the past decade. These offerings include off-the-shelf capabilities like Hacking-as-a-Service, bespoke hacking services such as hackers-for-hire, and the sale of enabling technologies like zero-day exploits and tool frameworks.
Spyware: Hacking-as-a-Service companies
In the past decade alone, around 80 countries have acquired commercial cyber intrusion software, also known as spyware. For numerous states lacking in technical expertise, the commercial sector represents a significant transformation, offering cost-effective access to capabilities that would otherwise require decades to develop.
The capabilities and applications of these products vary, but commercially available mobile device spyware can provide functionalities such as message reading, audio call interception, photo retrieval, device tracking, and remote camera and microphone operation. It’s plausible that certain states procure multiple commercial cyber tools to fulfil their specific needs. Devices can be compromised through various methods, including phishing attacks and ‘zero-click’ exploits, which bypass user interaction and complicate victim mitigation efforts.
At CSG, we provide mobile security solutions for businesses, which are ideal for any organisation wanting a highly responsive, flexible provider. Set up a call with CSG today to ensure that cybercriminals cannot attack your organisation through your employees’ mobile devices.
Although these tools have been employed by states against law enforcement entities, they have undoubtedly been utilised by certain states to target journalists, human rights activists, political dissidents, opposition figures, and foreign government officials. This targeting likely occurs on a significant scale, with thousands of individuals being targeted annually. While current products primarily concentrate on mobile device exploitation and intelligence gathering, as the sector expands and demand rises, products and services are expected to diversify to meet evolving demands.
Bespoke Services: Hackers-for-hire
Hacker-for-hire groups engage in cyber activities on behalf of paying clients. In addition to supplying information traditionally sought after by states for espionage purposes, these groups are reportedly utilised for a range of activities including legal disputes, intellectual property theft, insider trading, and unauthorised access to private data. The skill and capability of hacker-for-hire groups vary widely, spanning from basic cybercrime to sophisticated network compromises that may evade detection. Some operate within criminal networks, others masquerade as legitimate commercial entities, and some operate anonymously.
Groups focused on data theft typically employ tactics like phishing, social engineering attacks, exploits targeting publicly known vulnerabilities in computer networks, and occasionally zero-day attacks to infiltrate their targets. The most significant threat emanates from high-end hacker-for-hire groups, whose capabilities and impact rival those of adept state actors. Such groups pose a considerable risk of corporate espionage to organisations and individuals possessing privileged or valuable confidential information across various sectors.
While less skilled and cybercriminal hackers-for-hire commonly engage in Denial of Service (DoS) attacks for a fee, aimed at temporarily disrupting a target website or server on behalf of a client, heightened law enforcement scrutiny probably discourages more proficient hackers-for-hire from carrying out destructive or disruptive operations. However, as the market expands and financial incentives increase, the likelihood of hackers-for-hire accepting such tasks is expected to rise over the next five years.
Hackers-for-hire also introduce the risk of unpredictable targeting or unintentional escalation by attempting to compromise a broader array of targets, particularly those with valuable information for resale, rather than operating on specific orders. It’s plausible that substantial financial gains incentivise state employees or contractors with cyber expertise to transition into hackers-for-hire, thereby heightening the risk of cyber techniques migrating from state to non-state actors.
Looking ahead
Over the next five years:
- Increased demand, coupled with a permissive operating environment, will almost certainly result in an expansion of the global commercial cyber intrusion sector, driving an increased threat to a wide range of sectors.
- It is almost certain there will be further high-profile exposures of victims against whom commercial cyber tools or hacker-for-hire operations have been deployed.
- Oversight of the commercial intrusion cyber sector will almost certainly lack international consensus, be difficult to enforce and subject to political and commercial influence.
- However, many commercial cyber companies will likely be incentivised to vet and limit their customer bases, should effective oversight and international norms on the development and sale of commercial cyber capability emerge.
(National Cyber Security Centre, Report 19.04.23). Get protected with CSG today – an IT partner for over 400 Welsh and English SMEs, helping protect your infrastructure: sales@csgrp.co.uk.