It's a useful distinction because it clarifies your threat model: any attempt at security without a threat model is hokum, IMO. It's good to know the limits of your security stance by modeling how many resources your opponent can muster, and how many you can spare to defend yourself.
The resources required to develop these exploits (and mitigate against them) were at least an order of magnitude above the next tier, because there was very little sharing and reuse (except among allies). Now, thanks to NSO, any backwater tinpot dictatorship that can't provide reliable electricity or offer a coherent policy for longer than a few months at a time qualifies as a "nation-state" (i.e. hack anyone in the world), if they can spare a 6 or 7 digit budget to hire exploits.
What NSO/HackingTeam and similar offensive security companies did was to lower the bar on nation-state capabilities by removing the need to develop a local program over many years, and allowing the reuse of infrastructure, personnel and exploits by countries that aren't allies. Call it a SpaceX for hacking as opposed to space launches.