‘Vulkan’ Leak Offers a Peek at Russia’s Cyberwar Playbook
The tools include one piece of software for scanning the internet for security vulnerabilities and another that seemed designed to organize disinformation campaigns and coordinate offensive hacking operations. Perhaps most disturbing of all was a proposal for a third tool that appeared to be designed to allow hackers to train in simulated networks of infrastructure systems like railways and pipelines, with specific references to methods to sabotage those systems with catastrophic effects. But it’s not clear whether that last tool was ever built, and if so, whether it was used primarily for offensive hacking or “red team” defensive training, or whether it led to the development of any actual hacking capabilities targeting critical infrastructure.
Security experts say North Korea–linked hackers have successfully carried out a supply chain attack through compromised versions of 3CX, a video and voice communications platform used by high-profile companies including American Express and Mercedes-Benz. 3CX says it has more than 600,000 customers. The hackers were able to install malware within the Mac and Windows versions of 3CX, which were signed with the company's keys, thus allowing the Trojanized apps to go undetected. The attack is being compared to Russian hackers' SolarWinds supply chain attack, which wrought havoc around the world for months.
As hacker-for-hire firms' tools proliferate to governments around the world, the Biden administration has made clear: The US will not be one of that industry's customers. A new executive order bans US agencies from buying access to that commercial spyware, a key step in a growing effort to curb companies like NSO Group, Cytrox, and Candiru, which have enabled surveillance and human rights abuses from Spain to Mexico to Saudi Arabia. US agencies haven't been confirmed to be past customers of any of those companies, though the FBI did at one point test NSO's Phantom spyware before ultimately walking away from a deal with the company. But the order nonetheless sets a precedent for governments worldwide, assuring that US taxpayer funds won't flow to a dangerous industry whose tools have offered intrusive hacking techniques to repressive regimes targeting activists, journalists, and human rights defenders.
While we're on the subject of dangerous hacker-for-hire firms targeting vulnerable activists: The Wall Street Journal reported this week that Indian hacker-for-hire firm BellTroX targeted climate change activists campaigning against Exxon, including Greenpeace, Public Citizen, 350.org, and the Rockefeller Family Fund. The firm was hired by Israeli private detective Aviram Azari, who has since pleaded guilty to hacking conspiracy charges. Exactly who hired Azari remains unclear, and Exxon denies having any connection to Azari or the hacking campaign. The hackers successfully accessed email accounts for Greenpeace, Public Citizen, and 350.org, but it's not yet clear whether they successfully penetrated the Rockefeller Family Fund, an organization created by Rockefeller heirs that has worked to combat the oil industry's efforts to lobby against climate change solutions.