Hacking tools developed by private companies are often used to track down and apprehend dissidents, journalists or politicians.
Over the past few years, the cybersecurity community has repeatedly raised concerns about an ever-growing number of private companies selling offensive cyber capabilities (OCCs) to foreign governments without much oversight.
Hacking tools developed by private companies often end up in the hands of unscrupulous governments, which then use the software to track down and apprehend dissidents, journalists, or political rivals.
The American think tank Atlantic Council has published a report on the OCC market and the companies operating on the Access-as-a-Service (AaaS) model that sell these services. The report provides an analysis of three AaaS vendors - the Israeli NSO Group and the UAE-based DarkMatter.
In particular, the experts examined the organizations behind cyberattacks that exploited zero-day vulnerabilities. Of 129 attacks using zero-day vulnerabilities since 2014, 72 were associated with a specific attacker. Of these 72 cases, 14 were associated with private companies as creators of the zero-day exploit used in the attack. Thus, private companies turned out to be a larger provider of zero-days exploited in real attacks than government and cybercriminal hackers combined.
Many of the AaaS vendors can hardly be distinguished from legitimate cybersecurity companies providing security solutions, experts say. This business model is becoming more prevalent, and current policies restricting the export and transfer of OCC tools overseas are becoming less effective as AaaS providers find new ways to circumvent them.
The researchers called for new and improved policies for the AaaS market. They proposed expanding the range of vulnerabilities found by government intelligence agencies that need to be reported to vendors; establishing post-employment restrictions for government information security employees so that they cannot switch to AaaS service providers; pursuing legal action against AaaS suppliers and their contractors that violate export controls; and enforcing "technical restrictions", such as geographic limits built into malware, to prevent OCC tools from being used in certain areas or for certain purposes.