Stealing Secrets or Securing Systems: Decoding the Ethical Enigma of Hacking-for-Hire
Atlas VPN’s latest report reveals that cybercrime rakes in a staggering USD $1.5 trillion annually. Yes, you read that correctly. To truly grasp the enormity of this figure, consider this: it would be possible to construct an entirely new Great Wall of China, twice the length and height of the original, with that kind of money. Moreover, this astronomical sum could also be utilised to provide clean water and sanitation to every individual on the planet while simultaneously eradicating extreme poverty on a global scale. This stark perspective illuminates the astounding gains amassed by the cybercrime industry over the years through its illicit activities.
The convergence of digital technology and the allure of substantial rewards has increasingly enticed a burgeoning number of young individuals into the realm of malevolent computer programming.
Many of these hackers, often acting independently without solicitation, have ventured into a realm known as Hacking-as-a-Service (HaaS) in recent years. Here, they monetise their hacking prowess and operate as freelance contractors, offering advanced code-breaking capabilities to anyone with nothing more than a web browser and a credit card.
While grey markets for HaaS have existed for some time, there’s been a noticeable shift towards purpose-driven websites that facilitate the hiring of such skills. One such platform, Hackers List, provides not only a money-back guarantee but also formalised review systems, complaint procedures, and a directory of hackers with specific proficiencies. Furthermore, there’s a proliferation of HaaS tools and platforms, such as Alienspy, designed to streamline the hacking process, enabling individuals with minimal technical knowledge to conduct attacks themselves.
The range of services encompassed within HaaS is extensive and includes:
- Social Networking Account Access.
- Malware Deployment.
- DoS (Denial of Service) and DDoS (Distributed Denial of Service) Attacks.
- Telephone DoS: Interfering with telephone services to disrupt communication.
- Telephone Number Hijacking and Call Blocking.
- Network Infrastructure Attacks.
- Command and Control (C&C) of a Botnet Army.
- Phishing or Social Engineering Campaigns.
- Cyber Espionage and Surveillance.
The evolution of HaaS presents a stark reflection of how hacking services are not only increasingly commercialised but also made readily accessible to those who seek them, emphasising the pressing need for heightened cybersecurity measures.
The Spectrum of Hackers: Unveiling the Diverse Landscape
The realm of Hacking-as-a-Service remains deeply controversial, and the landscape of hackers is far from “black and white.” Within this domain, various classifications emerge, delineated by intent, consent of targets, and legal frameworks:
- White Hat Hackers: These ethical hackers legally enhance digital security by identifying vulnerabilities in systems and reporting them to clients. Companies and organisations hire them to proactively fortify their defences, ensuring vulnerabilities are addressed before malicious hackers exploit them.
- Black Hat Hackers: The malefactors of the digital realm, black hat hackers engage in cybercrime with the primary intent of financial gain. They employ various tactics to steal funds, crack passwords, access valuable information for sale on the dark web, or ransom sensitive data. Their activities pose a grave threat to individuals and businesses.
- Gray Hat Hackers: Operating in an ethical grey area, these hackers infiltrate systems without consent but do not harm them. They typically inform victims of vulnerabilities, sometimes charging fees for disclosure. While they aim to enhance security, their actions are still illegal.
- Red Hat Hackers: These “hacktivists” consider themselves digital vigilantes. They target black hat hackers to disrupt their activities or seek retribution. Red hat hackers employ similar techniques to neutralise malicious hackers, aiming to right perceived wrongs.
- Blue Hat Hackers: Employed by organisations, blue hat hackers focus on maintaining cybersecurity and preventing attacks. They often work in teams, safeguarding a company’s digital assets and reputation. They are just like white hat hackers; however, they are often employed rather than just hired. Once employed, they will not be called “hackers” anymore.
- Script Kiddies and Green Hat Hackers: Script kiddies and green hat hackers are relatively inexperienced. Script kiddies typically engage in malicious activities, using existing malware and scripts, often relying on social engineering. Green hat hackers aspire to develop technical skills and may eventually transition to white or black hat roles.
- Hacktivists: These hackers target systems to combat perceived political or social injustice. Anonymous, a notable hacktivist group, has been known to target organisations, governments, and institutions to protest against alleged wrongdoing, even if their actions harm reputations.
- State/Nation-Sponsored Hackers: Working for governments, these hackers can be either white or black hat hackers. Some enhance national cybersecurity, while others employ black hat tactics for espionage, gathering sensitive information and potentially launching subversive attacks.
- Malicious Insider (Whistleblower): Operating from within organisations, malicious insiders expose wrongdoing, often having access to confidential information. Motivations may range from financial gain and revenge to a sense of duty. Edward Snowden, a famous whistleblower, leaked classified information to unveil mass surveillance programs conducted by the US government.
Deciphering the Moral Code of Hacking Services
The ethical considerations surrounding hiring hackers, whether for corporate or personal purposes, present a complex and multifaceted issue, epitomised as a “double-edged sword” by Daniel Tan, Head of Solution Engineering – ASEAN, Japan, Korea, and Greater China at Commvault. Ian Lim, Field Chief Security Officer, JAPAC, Palo Alto Networks, notes that in Singapore, ethical hacking endeavours must obtain a licence from the Cyber Security Agency, suggesting that hacking services are not inherently unethical.
On one hand, ethical hackers, or white hats, play a vital role in enhancing cybersecurity by identifying vulnerabilities before they are exploited by malicious actors. Their contributions are essential for organisations looking to fortify their digital defences and safeguard sensitive information. Hiring hackers in such contexts can be seen as ethical, serving the greater good of protecting individuals, businesses, and society from cyber threats.
Conversely, engaging hackers, particularly black hat hackers, for nefarious or illegal purposes is highly unethical and often illegal. Such actions not only violate legal standards but also ethical principles, eroding trust in the digital realm and posing significant harm to individuals, organisations, and even nations.
Ryan Lo, Senior Manager of Solutions Engineering at F5 Inc., underscores that involvement in Hacking-as-a-Service may be illegal in certain jurisdictions. Strict adherence to legal boundaries is crucial, even when intentions are well-meaning, to avoid unintended harm. Pursuits like “scammer revenge” or “fraud tracking” may inadvertently harm innocent individuals or facilitate additional unlawful acts. Reporting instances of scams and fraud to law enforcement authorities is advised rather than resorting to Hacking-as-a-Service.
Ultimately, the ethicality of hiring hackers hinges on the intent and legality of their actions. When aligned with principles of protecting digital security and respecting consent, it can be deemed ethical. However, actions that breach legal and moral boundaries must be unequivocally condemned.
What if the Tables Are Turned?
Securing services of any kind entails a degree of trust, yet when it involves hacking services, the stakes can be notably higher.
“How far can you actually trust a person/entity who you’ve most likely never met in person to carry out an illegal activity on your behalf?” asked Aaron Bugal, Field CTO, APJ, Sophos.
Consider the scenario where the hacker for hire leverages the information provided to extort you. The very data and instructions you share could very well be manipulated against you.
Wai Kit Cheah, Senior Director of APAC Products and Practices, Lumen Technologies, believes that not all these services can be deemed legitimate. Involvement in such activities even comes with the substantial risk of unintentionally endorsing criminal pursuits – a peril that can entail significant legal consequences, particularly in the wake of regulations such as Singapore’s Online Criminal Harms Act, which takes a stringent stance against malevolent online actions.
In alignment with Wai Kit Cheah’s perspective, Yong Kwang Kek, Head of Solution Architect at Infoblox APJ, underscores the potential for hiring hackers to lead to grave legal, financial, and reputational repercussions. Hacking remains illegal across the majority of jurisdictions, irrespective of the purported defensive intent. Furthermore, Yong emphasises that hackers may demand exorbitant fees, often without providing any tangible assurance of successful outcomes. Moreover, the exposure of an organisation’s engagement with a hacker could inflict harm upon its reputation and strain professional relationships with stakeholders.
In my view, the ethicality of hiring hackers ultimately depends on intent and compliance with the laws and regulations governing such actions. The evolving nature of the digital landscape necessitates constant scrutiny and ethical evaluation; thus, it is imperative to strike a balance between enhancing cybersecurity and, at the same time, ensuring that the integrity of digital ecosystems is well maintained.
As HaaS evolves, so too must our ethical frameworks to address the complex interplay of intent, legality, and consequence in the world of hacking services. With billions of dollars at stake, the hacking industry is currently thriving and will only continue to grow, showing no signs of slowing down.