An employee of cyberweapon manufacturer, NSO Group, tried to sell advanced malware to unauthorized parties for $50-Million, according to an Israeli indictment unsealed last week against the individual in question.
About two years ago, Herzliya-based NSO Group developed a powerful cyberweapon called Pegasus, which operated as malware that exploited three previously unknown vulnerabilities in iPhones (i.e., three Apple iOS zero-day exploits). Pegasus gave attackers the ability to spy on many activities taking place on infected devices, including listening in to phone calls, reading text messages, tracking location, and accessing images and emails. Pegasus was also notable in that all that was required by a victim to get infected was to click on a link to the install code – something that an attacker could easily facilitate with spear phishing or other targeted social engineering mechanisms.
NSO Group claims to sell its cyberweapons strictly to approved government agencies in order to assist them in combating crime and terrorism; the indicted employee, however, had access to Pegasus and its source code, and stands accused of stealing a copy of the cyberweapon and attempting to sell it to unauthorized parties for $50-Million worth of cryptocurrency.
The indictment, which lists the accused’s birth year as 1980, and utilizes language indicating that he is male, does not disclose his name, but, notes that he has been held in prison since June 5th. The indictment also indicates that the rogue employee is believed to have intentionally turned off protections that NSO had against employees attaching unauthorized storage devices to company computers, and exploited that disablement in order to attach a storage device and steal the company’s files. He was ultimately caught after NSO launched an investigation after finding its extremely-sensitive material for sale online.
This incident highlights three important points:
1. Internal threats are almost always the most dangerous. Insiders are far more likely than outsiders to know what electronic assets an organization has, where and how it stores them, and what defenses are in place to protect them from being stolen. If someone with such knowledge goes rogue, and adequate defenses are not in place, serious problems are likely to occur.
2. There is significant danger involved in creating and storing cyberweapons, and any party doing either must give serious thought to the potential consequences of its actions. Powerful cyberweapons have apparently been stolen not only from NSO Group, but from the NSA, CIA, and other highly-secure government agencies. Remember, those who store cyberweapons must defend against 100% of all attempts to pilfer them, whereas attackers only need to succeed once; a tremendous imbalance of this sort translates into strong odds that many stored cyberweapons will ultimately end up in the hands of nefarious parties.
3. If cyberweapons must be stored, extreme caution must be exercised vis-à-vis how they are protected. In no case, for example, should anyone with access to cyberweapons and/or their source code be given the capability to disable Data Loss Prevention systems and other mechanisms that shield against the copying of files to external storage devices or to the cloud.