NSO Group employee allegedly stole, attempted to sell 'Pegasus' iOS malware for $50M

Posted in General Discussion, edited July 2018
A disgruntled employee at NSO Group, an organization that creates tools to exploit iPhones and other mobile devices, allegedly stole the firm's infamous "Pegasus" code and tried to sell it to unauthorized buyers for upwards of $50 million in cryptocurrency.

Leaked NSO Group materials demonstrate what data can be stolen from a compromised phone.

Located in Israel, NSO markets highly effective malware solutions to governments and law enforcement agencies looking to gain access to smartphones. One of the firm's spyware products, known as "Pegasus," was allegedly stolen earlier this year by an employee, Motherboard reports.

Citing an indictment, reports from Israeli news media outlets claim the unnamed person started work at NSO as a senior programmer in 2017, a position that granted access to highly sensitive, potentially dangerous code. Facing possible termination, the employee downloaded a copy of NSO source code worth "hundreds of millions of [US] dollars."

NSO has security protocols in place that prevent employees from using external storage devices, but the apparently disgruntled employee searched online -- namely Google -- for ways to disable those security features and save the data cache that included Pegasus, the indictment reads. His search history also revealed queries regarding how and where to sell cyber secrets, and who might be a good buyer.

The cache was peddled on the dark net for around $50 million in crypto before a possible buyer engaged. Instead of following through on the deal, the potential buyer alerted NSO to the theft, and the company in turn worked with law enforcement to identify the thief. The employee's apartment was raided a few days later.

Publication of the indictment was delayed due to concerns over national security, the report said.

Pegasus made waves a couple of years ago before being patched in iOS 9.3.5. Using it, attackers could gain access to an iPhone and steal a nearly endless amount of data.

After clicking a seemingly innocuous link received through a message, the target device would be jailbroken, and malware would be loaded to monitor and steal data. Pegasus allowed attackers to access passwords, messages, calls, emails, and logs from apps including Gmail, Facebook, Skype, WhatsApp, Viber, FaceTime, Calendar, Line, Mail.Ru, WeChat, SS, Tango, and more.

After the iOS patch, Apple soon after issued a patch for Safari on macOS 10.11 El Capitan to address the vulnerability. The iOS attack package leveraged the same zero-day vulnerability, which could also be used to take over a Mac with a single click.

Comments

  • Reply 1 of 14
    SpamSandwich Posts: 30,412 member
    Wonderful.  :|
  • Reply 2 of 14
    Soli Posts: 8,433 member
    So he's smart enough to become a senior programmer at a firm that focuses on hacking OSes but he's not smart enough to not use his own computer, to use a browser that records his history, or to use Google search. I bet he never used a VPN or masks his MAC address either.

    PS: If you use a browser like Tor it'll inform you that going fullscreen can help determine your computer type because JS will determine your display resolution, so if you really want to be clever and you're using a laptop (preferably running a flavor of Linux) you should attach some old monitor to run the web browser on that display to obfuscate any source even further, which you can then discard.
  • Reply 3 of 14
    JanNL Posts: 251 member
    So you see, in relation to creating backdoors, it only needs 1 disgruntled employee and the privacy of many is gone...

    Unbelievable that a senior programmer at this kind of company leaves his search history like this... have to wonder why he faced a possible termination  :/
  • Reply 4 of 14
    Soli Posts: 8,433 member
    JanNL said:
    So you see, in relation to creating backdoors, it only needs 1 disgruntled employee and the privacy of many is gone...

    Unbelievable a senior programmer at this kind of company leaves his search history like this... have to wonder why he faced a possible termination  :/
    I'm not one for conspiracy theories (and I'm not putting any real stock in it with this comment), but part of me wonders if this was an intentional bread crumb because it's such a stupid way to get caught.
  • Reply 5 of 14
    lightknight Posts: 2,312 member
    Soli said:
    JanNL said:
    So you see, in relation to creating backdoors, it only needs 1 disgruntled employee and the privacy of many is gone...

    Unbelievable a senior programmer at this kind of company leaves his search history like this... have to wonder why he faced a possible termination  :/
    I'm not one for conspiracy theories (and I'm not putting any real stock in it with this comment), but part of me wonders if this was an intentional bread crumb because it's such a stupid way to get caught.
    Historical evidence shows stupidity to be a very common factor with getting caught, along with sex. Sometimes both compounded.
  • Reply 6 of 14
    This could never happen at the NSA...
  • Reply 7 of 14
    macxpress Posts: 4,673 member
    This could never happen at the NSA...
    NEVER! Or the FBI for that matter!
  • Reply 8 of 14
    georgie01 Posts: 203 member
    Soli said:
    JanNL said:
    So you see, in relation to creating backdoors, it only needs 1 disgruntled employee and the privacy of many is gone...

    Unbelievable a senior programmer at this kind of company leaves his search history like this... have to wonder why he faced a possible termination  :/
    I'm not one for conspiracy theories (and I'm not putting any real stock in it with this comment), but part of me wonders if this was an intentional bread crumb because it's such a stupid way to get caught.
    Historical evidence shows stupidity to be a very common factor with getting caught, along with sex. Sometimes both compounded.
    Unless the dude wasn’t involved in security and wasn’t knowledgeable about it (maybe he had different responsibilities?), he wouldn’t have left a trail like that even out of stupidity. I’m not suggesting a conspiracy but with the limited information in this article it could be considered very unusual.
    edited July 2018
  • Reply 9 of 14
    MacPro Posts: 17,835 member
    Soli said:
    JanNL said:
    So you see, in relation to creating backdoors, it only needs 1 disgruntled employee and the privacy of many is gone...

    Unbelievable a senior programmer at this kind of company leaves his search history like this... have to wonder why he faced a possible termination  :/
    I'm not one for conspiracy theories (and I'm not putting any real stock in it with this comment), but part of me wonders if this was an intentional bread crumb because it's such a stupid way to get caught.
    Historical evidence shows stupidity to be a very common factor with getting caught, along with sex. Sometimes both compounded.
    Wait, was this a politician?  ;)
  • Reply 10 of 14
    NSO lives off of supporting other countries' suppression of their people by spying on their devices and then taking whatever action they see fit, like imprisonment, or you just disappear.
    They pretend to be legit by claiming to only do business with governments and police forces when most of those are corrupt and a bunch of murderers.

    Good to see that backstabbing and betrayal run deep in their own company. It's also good to see that all of their security keys can be removed by just a Google search. Sounds like a bunch of script kiddies who pretend to be white hats.

    They have no ethics so they get what they deserve.
  • Reply 11 of 14
    DAalseth Posts: 363 member
    This is why you cannot have back doors. They always are exposed. Secrets always leak. I don't care if you are a high tech, high security company, the FBI, the NSA or whomever. Secrets always get out. Secret doors always are found out. Private entrances never stay that way.
  • Reply 12 of 14
    mcdave Posts: 1,010 member
    Following Pharma, the best business isn’t where you find it, it’s where you make it.
  • Reply 13 of 14
    netling Posts: 33 member
    I call MARKETING BS!

    There is ZERO chance that anyone with "Senior" seniority at a company like NSO Group would leave all of the most common tracks as mistakes... I don't even work in computers and I know to use a VPN, SandBox, VirtualBox, Tor, mask the MAC address on both your local router and host PC and virtual PC, etc.

    This isn't rocket science and when dealing with $50,000,000 you take SUPER EXTRA PRECAUTIONS!  Heck, based on this story, I'm sure that he didn't have a backup on an external storage; micro-SD, wrapped in a lot of aluminum foil, zip-locked in plastic, placed in a small fire/water proof safe, wrapped in extra-thick trash bags buried remotely.  Going to that site without your phone or any other new electronics other than an old-school GPS or map.  We are talking about $50,000,000 here!

    Yeah, this was a way for NSO Group to get their name in the Media... THEY MUST BE HURTING!!
  • Reply 14 of 14
    eliangonzal Posts: 470 member
    >A disgruntled employee at NSO Group, an organization that creates tools to exploit iPhones and other mobile devices...

    This is a curious description. If your "group" is all about exploiting other people's devices, exactly how can an employee of that group be described as "disgruntled"? This is like calling a member of a theft ring a law-abiding citizen.
    edited July 2018