According to a report by the UK National Cybersecurity Centre (NCSC), the proliferation of the commercial cyber tools and services will be transformational on the cyber landscape, as such tools and services enable state and non-state actors to obtain cyber capabilities they could not develop or acquire on their own. In some cases, these capabilites rival the capabilities of state-linked Advanced Persistent Threat (APT) groups.
These capabilities include Hacking-as-a-Service, hackers-for-hire, and the sale of enabling capabilities such as zero-day exploits and customisable tool frameworks.
Hacking-as-a-Service has been used against law enforcement targets, but also against journalists, human rights activists, political dissidents and opponents and foreign government officials. At least 80 countries bought spyware from Hacking-as-a-Service companies over the last 10 years, NCSC writes.
The NCSC cautioned that the activities of hackers-for-hire, or mercenary spies, pose a potential corporate espionage threat and increase the risk of unpredictable targeting or unintentional escalation.
States and companies that sell commercial cyber intrusion to staes are primary customers of the zero-day market. Commodisation of customisable tool frameworks is also a concern, as they are repurposed by state and non-state actors to uplift cyber capability.
The NCSC estimates that global commercial cyber intrusion sector will expand in the next five years, expanding number of elements for cyber defence to detect and mitigate, and expanding number and type of victims.