NSO Group Employee Allegedly Stole Company’s Powerful Spyware for Personal Profit

NSO sells its potent iPhone malware to governments, including Mexico and the United Arabs Emirates. But according to a newly released indictment, a disgruntled employee stole the company's code and tried to sell it for $50 million worth of cryptocurrency.

|
Jul 5 2018, 11:20am

Image: Getty

NSO Group sells some of the most potent, off-the-shelf malware for remotely breaking into smartphones. Some versions allow a law enforcement or intelligence agency to steal essentially all meaningful data from an iPhone with no interaction from the target. Others just require the victim to click one link in a carefully crafted text message, before giving up their contacts, emails, social media messages, GPS location, and much more.

NSO only sells its tools to government agencies, but a newly released, explosive indictment alleges that a company employee stole NSO’s spyware product, dubbed Pegasus, and tried to sell it to non-authorized parties for $50 million worth of cryptocurrency.

These capabilities “are estimated at hundreds of millions of [US] dollars,” a translated version of the indictment reads. Several Israeli outlets were the first to report on and upload the indictment. The news shows a danger often highlighted by critics of the malware industry: that hacking tools or exploits typically reserved for law enforcement or intelligence agencies may fall into other hands.

Omri Lavie, the co-founder of NSO, told Motherboard in an online chat “no comment.”

Ron Deibert, director of the Citizen Lab, Munk School of Global Affairs at the University of Toronto, and which has exposed abuses of NSO's products, told Motherboard in an email "The commercial spyware industry as a whole is new, lucrative and powerful, but also immature, largely unregulated, lacking in professional conduct, and prone to abuse. Theft and illicit sale of powerful surveillance technologies will happen in such circumstances, and provides yet another example of the need for greater regulatory control over the industry."

Got a tip? You can contact this reporter securely on Signal on +44 20 8133 5190, OTR chat on jfcox@jabber.ccc.de, or email joseph.cox@vice.com.

NSO has faced serious controversy for repeatedly providing phone spying tools to governments that went on to abuse them. In Mexico, authorities used NSO’s malware to spy on journalists and human rights activists. In the United Arab Emirates, the government targeted prominent activist and political dissident Ahmed Mansoor with Pegasus. According to Amnesty International, Mansoor was recently given a 10 year prison term.

According to the indictment, the unnamed employee started work as a senior programmer at NSO last year. As part of his job, the employee had access to NSO’s product and its source code, the document adds.

NSO’s computers have systems in place to stop employees attaching external storage devices to company computers. But the employee searched the internet for ways to disable those protections, turned them off, and then stole a cache of data, the document reads.

That cache includes NSO’s product source code, “which allows exposure and a full understanding of how the system operates” and “cyber capabilities.”

Shortly before the alleged theft, managers called the employee into a meeting, as the company was considering firing him, the document says.

After stealing the bevvy of powerful malware, the employee allegedly took to the so-called dark net to try and sell the code for $50 million in cryptocurrencies such as Monero, Zcash, and Verge, the indictment adds. The document says the defendant created an account on the Mail2Tor email service. The defendant also allegedly searched Google for ways to sell cyber capabilities, and who to sell them to.

That cache includes NSO’s product source code, “which allows exposure and a full understanding of how the system operates” and “cyber capabilities.”

A potential customer engaged the employee, who was now posing as a hacker that had penetrated NSO’s systems, but reported the attempted sale back to NSO. Then in collaboration with NSO, the customer asked the defendant for more details. Days later, police raided the employee’s apartment, the document adds.

The indictment says that the defendant’s alleged actions have harmed the security of Israel, in part, because it could have “caused the collapse of NSO.”

John Scott-Railton, a senior researcher also from Citizen Lab, told Motherboard in an online chat that "The concern about proliferation of spyware and exploit tech is not just about sales to paying customers, it's about the potential diversion and theft of the technology."

The document says that, during the period relevant to the indictment, NSO employed around 500 workers and its market value was estimated at some $900 million. In May, Reuters reported that US surveillance giant Verint was in talks to buy NSO in a deal worth about $1 billion.

Verint did not respond to a request for comment. Francisco Partners, the global equity firm which currently owns most of NSO, did not respond either.

"If I were an investor looking at NSO, this case would make me deeply concerned: how much liability would I be exposed to if leaked or stolen code/exploits are used by non-customers are part of an attack?" Scott-Railton added.

Update: This piece has been updated to include additional comment.