CyberUK 23: Irresponsible use of commercial hacking tools a rising threat

The marketplace for commercial hacking tools and services is set to expand dramatically between now and 2028, leading to the victimisation of more organisations and individuals in a far more unpredictable threat landscape, according to threat researchers at the UK’s National Cyber Security Centre (NCSC).

Published on the opening day of the NCSC’s annual CyberUK conference, currently underway in Belfast, the report offers fresh insights into how the barriers to entry for irresponsible or malicious cyber actors is lowering and how commercial products such as spyware, pen-testing and red teaming tools – and even freelance “hackers-for-hire” – are increasing the risk of unpredictable targeting or unintentional escalation.

It highlights in particular how more than 80 countries have purchased cyber intrusion software – such as the Pegasus mobile trojan built by disgraced Israeli firm NSO Group – and used such tools to target activists, dissidents, foreign states, journalists and political opponents. It warns that the development of tools with similar capabilities is likely to diversify to meet demand.

“Over the next five years, the proliferation of cyber tools and services will have a profound impact on the threat landscape, as more state and non-state actors obtain capabilities and intelligence not previously available to them,” said the NCSC’s director of resilience and future technology, Jonathon Ellison. 

“Our new assessment highlights that the threat will not only become greater but also less predictable as more hackers for hire are tasked with going after a wider range of targets and off-the-shelf products and exploits lower the barrier to entry for all.  

“To maintain safety in cyberspace it is crucial these capabilities are managed with a responsible, proportionate and legally sound approach and working with international partners, the UK is determined to address this rising challenge,” said Ellison.

The report highlights how the irresponsible use of spyware is “almost certainly” going on at a scale far larger than we have imagined, and that we should expect to see more high-profile exposures of victims of this technology, and other commercial cyber tools.

It also explores how freelance hackers pose a growing corporate espionage threat, while potentially significant financial rewards from malicious activity may incentivise state employees or contractors to turn to hacking, particularly during the cost-of-living crisis. A similar trend was seen during the Covid-19 pandemic, when many technically savvy people who had been laid off or furloughed during various national lockdowns took to advertising their skills on underground hacking forums to try to pay their bills.