Rogue Security Analyst Tries to Sell Top-Secret iPhone Malware for $50 Million in Cryptocurrency

Published: 2018-07-12 15:40:18 Posted by: TokenString

A lead programmer working for NSO Group, the Israeli cybersecurity firm behind the notorious Pegasus iPhone malware, has been arrested after a failed attempt to illegally sell the top-secret spyware to an unauthorized party via the dark web in exchange for $50 million worth of cryptocurrency.

A report from the Times of Israel states that the 38-year-old engineer from Netanya has been indicted by prosecutors at the Tel Aviv District Court on charges of “trying to damage property in a way that would harm national security, theft by an employee, activities to market defense material without a permit, and obstruction and interfering with computer material.”

Although the attempted $50 million sale was unsuccessful, the incident raises a number of questions about the internal security processes of NSO and other private cybersecurity firms whose products like Pegasus could have potentially disastrous and far-reaching consequences if they fall into the wrong hands.

Access to NSO Servers

According to a report from Israeli tech news platform CTech, the suspect was aware of the damage that could be caused by leaking Pegasus to non-government entities, but went ahead with his plan to sell the top-secret malware because he was set to lose his job at NSO. He had violated company policy by connecting an external storage device to the company’s computers, after researching on the internet how to do so without being detected.

The company detected his actions and summoned him to a pre-termination hearing on April 29. Following the hearing, for an unspecified reason, he was permitted to return to his workstation where he connected a storage drive to the company server and downloaded the company’s source code along with additional information that could potentially be used to create a black market version of Pegasus.

His plan was to sell the code on the dark web for $50 million in untraceable anonymous crypto coins (Monero, Zcash and Verge, the indictment reveals), posing as a member of a hacker group that had gained access to NSO servers. The proposed buyer, however, grew suspicious of the suspect’s claims and contacted NSO to inform them that their software was being touted online. Remarkably, until that point, NSO was not aware of the theft.

Following a complaint by NSO, the Israeli police cyber crimes unit arrested the programmer on May 6, and brought him up on a number of serious charges including “attempting to maliciously damage assets used by Israel’s security arms in a way that could jeopardize the country’s security.”

Following his indictment, NSO was at pains to point out that despite the theft, Pegasus has not found its way into the public domain, and no confidential information has been leaked.

A statement released to the press by NSO said in part:

“The company was able to quickly identify the breach, collect evidence, identify the perpetrator, and share its findings with the relevant authorities. The authorities, in turn, responded quickly and effectively, so that within a very short time the former employee was arrested and the stolen property was secured. No (intellectual property) or company materials have been shared with any 3rd party or otherwise leaked, and no customer data or information was compromised.”

Pegasus attained global notoriety after it was revealed that a number of governments around the world had used the malware to spy on activists. Pegasus remains uniquely attractive as malware because it is the only malware solution that combines complete surveillance of an iOS user’s actions with easy installation, reportedly installing itself via a simple SMS link.
