Hackers for Hire
The market for Access-as-a-Service remains open for state actors to utilize
The threat-actor category known as "hacker-for-hire" comprises entities in the Access-as-a-Service (AaaS) market, mostly companies that sell offensive cyber capabilities. These companies typically offer their services as a bundle: vulnerability research and exploitation, malware payload development, technical command and control (C2), operational management, and training and support. Their clients are usually governments, but they also serve corporations and individuals. The CTI community maintains a list of publicly known private companies involved in nation-state offensive cyber operations, and that list keeps growing.
Interpol's Secretary-General warned on 23 May 2022 that state-developed cyber weapons could soon be available on the darknet, as nearly happened in 2016 when the Shadow Brokers offered alleged NSA tools for sale in exchange for cryptocurrency. Darknet and underground marketplaces make it relatively easy for threat actors with the motivation and the budget to buy advanced tooling and so raise their capabilities. ENISA noted in 2021 a rising trend in hacker-for-hire threat actors and their services; that trend held throughout the reporting period.
In the last year, some significant developments included:
- Threat actors continue to use the tools and capabilities of private companies to run surveillance operations worldwide. NSO Group and Candiru are among the private companies that supply state actors with such capabilities or supplement their own.
- The DeathStalker cyber-mercenary group continues to target law firms and financial institutions, and is suspected of having widened its focus to travel agencies.
- Candiru has been using several 0-day exploits sold to government agencies and other actors, with notable activity linked to the company identified in the Middle East.
- The 0-day market has grown in both development and trading, with individual researchers, cybercriminals and private companies expanding their involvement. Google's Threat Analysis Group attributed seven of the nine 0-days it discovered in 2021 to commercial AaaS vendors; Cytrox alone was identified as having sold five 0-days in Google Chrome and Android to different state actors.
- AaaS companies have highly capable research and development teams, which lets them retool quickly and keep running operations for their clients even after public exposure.
- Spyware cases involving Pegasus (NSO Group) and Predator (Cytrox) drew significant media attention and sparked debate about state control, (un)lawful interception and the targeting of civil society.
It is highly probable that threat actors, mainly nation-states, will keep buying services and outsourcing cyber operations as the list of AaaS companies grows. This outsourcing makes the threat landscape more intricate and will likely contribute to more cyber espionage and surveillance. Three implications therefore deserve attention: attribution becomes harder when the operator and the developer of a capability are different entities; cyber capabilities develop and proliferate faster; and those capabilities are misused against journalists, activists and civil society. A further consequence is that government programmes meant to limit the harm from undisclosed vulnerabilities (the Vulnerabilities Equities Process, VEP) lose their effectiveness, because the vulnerability details needed to reach a decision are held by the vendor and never reach the entities that would have to make it.
Pegasus and governmental responses
The most significant event of 2021/2022 was the Pegasus Project, involving the Israel-based NSO Group, which exposed the targeting of over 30,000 human rights activists, journalists and lawyers worldwide, as well as 14 world leaders. There were several updates during the reporting period.
- The Israeli government opened an investigation into NSO Group.
- Several US technology companies initiated legal proceedings against NSO Group.
- The Supreme Court of India ordered an inquiry into the use of Pegasus spyware against Indian citizens.
- Pegasus spyware was used to compromise phones belonging to US State Department employees.
- A significant number of Pegasus cases were reported in Europe, including the targeting of Spanish politicians and Catalan independence leaders.
- NSO Group disclosed that five EU countries use Pegasus spyware.
The Israel-based Candiru and NSO Group, the Russia-based Positive Technologies and the Singapore-based Computer Security Initiative Consultancy (COSEINC) were found by the US Department of Commerce to have enabled or facilitated cyber activities contrary to US national security or foreign-policy interests. In November 2021 the US administration added them to the Entity List, subjecting them to export controls and holding them accountable for their cyber activities and technology development.
Meanwhile, on 10 March 2022, the European Parliament established the PEGA Committee to investigate alleged breaches or maladministration in the application of EU law in relation to the use of Pegasus and equivalent surveillance spyware.
Surveillance and targeting of civil society
Commercial threat intelligence reporting has tended to neglect cyber threats to civil society. Meanwhile, the tools of AaaS companies are increasingly used against private citizens: dissidents, human rights activists, journalists and civil society advocates. While the use of surveillance spyware may be lawful under national or international law, governments often abuse these technologies for purposes that are not aligned with democratic values.
European Commission President Ursula von der Leyen condemned the use of spyware against journalists on 19 July 2021. Within the EU, high-profile cases have been reported in which the Pegasus and Predator spyware were used to target journalists.
Big tech companies are working to protect their customers and to defend against spyware regardless of who is behind the attacks or who the targets are, and they have shared their findings with security researchers and policymakers. However, defenders' means of investigating mobile-phone compromises remain limited and need further improvement.