A lead programmer working for NSO Group, the Israeli cybersecurity firm behind the notorious Pegasus iPhone malware has been arrested after a failed attempt to illegally sell the top-secret spyware to an unauthorized party via the dark web in exchange for $50 million worth of cryptocurrency.
A report from the Times of Israel states that the 38-year-old engineer from the Netanya has been indicted by prosecutors at the Tel Aviv District Court on charges of “trying to damage property in a way that would harm national security, theft by an employee, activities to market defense material without a permit, and obstruction and interfering with computer material.”
Although the attempted $50 million sale was unsuccessful, the incident raises a number of questions about the internal security processes of NSO and other private cybersecurity firms whose products like Pegasus could have potentially disastrous and far-reaching consequences if they fall into the wrong hands.
Access to NSO Servers
According to a report from Israeli tech news platform CTech, even though the suspect was aware of the damage that could be caused by leaking Pegasus to non-government entities, he went ahead with his plan to sell the top-secret malware because he was set to lose his job at NSO after violating company policy by connecting an external storage device to the company’s computers after researching to how to do so without being detected on the internet.
The company detected his actions and summoned him to a pre-termination hearing on April 29. Following the hearing, for an unspecified reason, he was permitted to return to his workstation where he connected a storage drive to the company server and downloaded the company’s source code along with additional information that could potentially be used to create a black market version of Pegasus.
His plan was to sell the code on the dark web for $50 million in untraceable anonymous crypto coins – Monero, Zcash and Verge, the indictment reveals – posing as a member of a hacker group that gained access to NSO servers. The proposed buyer however grew suspicious of the suspect’s claims and contacted NSO to inform them that their software was being touted online. Remarkably, until that point, NSO was not aware of the theft.
Following a complaint by NSO, the Israeli police cyber crimes unit arrested the programmer on May 6, and brought him up on a number of serious charges including “attempting to maliciously damage assets used by Israel’s security arms in a way that could jeopardize the country’s security.”
Following his indictment, NSO was at pains to point out that despite the theft, Pegasus has not found its way into the public domain, and no confidential information has been leaked.
A statement released to the press by NSO said in part:
“The company was able to quickly identify the breach, collect evidence, identify the perpetrator, and share its findings with the relevant authorities. The authorities, in turn, responded quickly and effectively, so that within a very short time the former employee was arrested and the stolen property was secured. No (intellectual property) or company materials have been shared with any 3rd party or otherwise leaked, and no customer data or information was compromised.”
It will be recalled that Pegasus attained global notoriety after it was revealed that a number of governments around the world have made use of the malware to spy on activists. Pegasus remains uniquely attractive as a malware because it is the only malware solution that combines complete surveillance of an iOS user’s actions with easy installation, reportedly installing itself via a simple SMS link.