When an insider rides Pegasus into the dark web

An NSO Group employee, who'd worked there for only about 90 days, copied the company's Pegasus software and offered it for sale on the dark web for $50 million.

Employee copies NSO Group software, puts it for sale on dark web
Thinkstock

The white hat cybersecurity sector, specifically the Israeli cybersecurity firm NSO Group, experienced what happens when a well-motivated employee decides to break trust and feather their own nest or do harm to their employer.

NSO found itself in the thick of what some might describe as the basis for a good techno-drama, when a relatively new employee (~ 90 days), copied the Pegasus software, exited the company with the software, and then let fly that the software was available for sale via the dark web. Price tag? $50 million.

The last time a tool kit was offered for sale carrying this size of a price tag was when the NSA suite of tools was offered for sale by Shadow Brokers for $500 million.

What is Pegasus?

The Pegasus application is a suite of tools, including malware, which are sold to “governments only” ostensibly to be used in their lawful intercept programs. According to an August 2016 Forbes article, NSO has created “the world's most invasive mobile spy kit.” With Pegasus, malware is delivered via an SMS text and the iPhone is, for all intents and purposes, splayed open for examination. Forbes continues how this includes “iMessage, Gmail, Viber, Facebook, WhatsApp, Telegram, and Skype.”

It has been widely reported that Mexico used Pegasus in their efforts to monitor journalists, and the United Arab Emirates has used Pegasus to surveil and prosecute dissidents. The Israeli government, Ministry of Defense's Defense Export Control Department, monitors the sale of Pegasus.

Who has Pegasus now?

No evidence has been shared, which indicates that a sale was ever consummated, nor any information indicating that the employee shared a copy with others.

When asked if the “Pegasus” is now available in the wild due to the actions of their former employee, the NSO told Israeli media outlet Globes (Hebrew), "Attempts to steal internal information from a company are always challenging threats to prevention and identification, in which case the company quickly identified the theft attempt, immediately investigated, identified the relevant agent. And within a short time the former employee was caught and arrested by the police on the basis of the incriminating material collected by the company.”

The disgruntled NSO employee

The indictment (Hebrew), according to the Globes, provides the details on why the trusted employee opted to break trust and demonstrates that data loss prevention (DLP) tools work only if you use them, notwithstanding NSO’s statement, which does not provide a specific timeline of discovery of the insider’s activities.

The individual is not identified by name, rather he is identified as a 38-year-old male who joined NSO in November 2017 as a senior programmer within NSO’s automation team. In February 2018, some three months following hire, he was called into a meeting to discuss his unsatisfactory performance.

Whether he was told that he was being discharged or being placed on a performance improvement plan is unclear. What is clear is that the individual departed the meeting and returned to his workstation. There he began searching for ways to circumvent security software, presumably DLP. The indictment goes on to describe how the employee disrupted the security software and then downloaded the files associated with Pegasus. Once on his workstation, he transferred the files to an external drive (a USB) and then walked them out of the building. 

His attempt to sell Pegasus on the dark web went sideways when his potential buyer informed NSO. NSO brought in the police, and the Israeli internal security service, Shin Bet, became involved. The employee was arrested. Total elapsed time: 21 days.

As this story plays out, it will be interesting to know whether the employee successfully disarmed the DLP schema of NSO or if the DLP sounded an alarm but was ignored.

While the Israeli Ministry of Defense's Defense Export Control Department oversight of the sales ensures the application is sold only to those who do not pose a threat to Israel, we should remain vigilant for the proliferation of Pegasus to non-state actors and/or countries like Iran.

Perhaps the most important takeaway are the questions for every company:

  • Does your firm monitor the internal access of new employees?
  • When an employee is identified as having performance issues, is the employee highlighted to the insider threat prevention team?
SUBSCRIBE! Get the best of CSO delivered to your email inbox.