Cybersecurity agency sees increase in hacking for hire


Hacking for hire has emerged as a major cybersecurity threat in the last 15 months, with some criminal groups offering ransomware and phishing as services, according to a new report from ENISA, the European Union’s cybersecurity agency.

Hacker-for-hire groups cater their services to governments but also to businesses and individuals and operate legally in their countries of origin, the report said. “The clients of these companies pay them mostly to conduct cyber espionage operations, get access to advanced offensive cyber capabilities and enjoy plausible deniability,” the authors wrote.

There’s been a “bit of a Cambrian explosion” of hacking-for-hire activity in the past 18 months, said Mario Santana, security fellow with cybersecurity vendor Appgate Threat Advisory Services. Appgate has seen gangs and other criminals diversify into cybersecurity to supplement other income, he told the Washington Examiner.

“Hackers for hire allow these sorts of actors to outsource the technical aspect of the cyberoperation while allowing them to leverage their own specializations, like general money-laundering, mules to withdraw money from ATMs, intimidation to gain insider access, etc.,” he said. “At the same time, it allows hackers for hire to monetize their technical expertise without also having to operate mule networks and money-laundering schemes.”

The report accused Israeli surveillance firm NSO Group of being a hacker-for-hire group, although the company has repeatedly said it offers a legitimate service to governments and law enforcement agencies targeting “terrorists, drug traffickers, pedophiles, and other criminals.” News reports from July found that NSO’s Pegasus surveillance tool had been used to spy on dozens of human rights activists, journalists, and politicians.

The ENISA report also points to three other hacker-for-hire groups as major threats: DeathStalker, which targets the financial and legal services industries; Bahamut, which targets entities in the Middle East and South Asia; and CostaRicto, which is mostly focused on targets in South Asia.

ENISA predicted that hacker-for-hire groups will fall under increasing state control in the coming years, and possibly draw more attention from cybersecurity vendors, “due to potential national security risks as well as human rights abuse.”

The 116-page report points to ransomware-as-a-service schemes, in which hacker groups provide ransomware malware tools to customers, and phishing-as-a-service schemes, in which hackers design email phishing campaigns for customers. Another as-a-service trend highlighted in the report is disinformation as a service, in which groups run disinformation campaigns for customers such as government agencies.

Several cybersecurity experts said they see the same hacking-for-hire trends that ENISA does.

The growth in hacking-for-hire schemes should be concerning for everyone because it violates human rights and privacy, said Chloe Messdaghi, a cybersecurity consultant and researcher.

“Cases of hacking as a service can involve hurting people, including children,” said Messdaghi, creator of OverStalkers.com, a site focused on combating cyberstalking. “We have seen it used to monitor without permission and stalk victims. These are malicious acts that are disgusting and unbelievably unacceptable.”

J.R. Cunningham, chief security officer at Nuspire, a managed security services provider, agreed that hacking for hire has grown in recent months.

Hacking for hire creates problems “because it decouples the creation of the attack from the criminal,” Cunningham told the Washington Examiner. “A criminal used to have to be sophisticated to be a cybercriminal. Now, an unsophisticated criminal only has to purchase the tools to launch an attack.”

The ENISA report also details several other major cybersecurity threats over the past 15 months. The agency noted that the COVID-19 pandemic drove cyberespionage attacks, with state-sponsored hackers and other cybercriminals using information related to the pandemic to create social engineering and phishing campaigns. Other state-sponsored groups also tried to steal information about COVID-19 vaccine development, the report noted.

The report also points to “highly sophisticated” supply chain attacks from state-backed hackers, including the SolarWinds compromise revealed early this year. In that attack, “the threat actor showed exceptional knowledge of cloud environments, something that highlights the threats and current gaps in our knowledge of cloud environments,” the report said. “The threat actor had well-defined and long-term espionage objectives judging from the careful selection of the targets and subsequent post-compromise activity.”
