An employee of Israeli cyber company NSO Group Technologies stole the company's software and tried to sell it on the dark web. The program, called Pegasus, is classified as a security tool; in the wrong hands, it was liable to damage state security. The value of the program and other NSO products stolen by the accused was believed to be in the hundreds of millions of dollars. An indictment filed against the employee last week charged him with security offenses, in addition to theft from his employer. Up until now, a gag order was imposed on the particulars of the indictment, but publication of some of them has now been permitted.
The indictment filed last week by the cyber department in the State Attorney's Office is regarded by the authorities as one of the worst cybersecurity and economic crime affairs in Israel's history. The state asked for the accused's remand to be extended until the conclusion of the legal proceedings against him.
The accused, a 38 year-old man, is charged with attempting to damage property in a manner liable to damage state security, theft by an employee, defense marketing without a defense marketing license, and disruption or obstruction of computer material.
NSO provides technological solutions in the field of cyber attacks for the purpose of obtaining intelligence information for security purposes. The company produces tools and software facilitating the production of information required for the security of the state and its citizens and for thwarting terrorist attacks. NSO markets its product to security agencies in Israel and overseas, with exports being supervised by SIBAT - The Foreign Defense Assistance and Defense Export Organization in the Ministry of Defense. The company had 500 employees during the period relevant to the indictment and is believed to be worth at least $900 million.
The indictment indicates that the accused worked in NSO as a senior programmer. In the course of his job, he was given access to the company's computer servers, the tools that it had developed that were stored on the servers, and the source code of the company's products, which was also stored on the servers. On April 29, the employee was summoned to a pre-dismissal hearing. The indictment states that following the discussion with his manager, the accused connected a mobile storage device to the company's servers and downloaded the software, products, and information onto it, including the source code of the software, overcoming the protection systems on the company's computers.
After copying the company's products, the accused contacted another person through the dark web. The accused falsely represented himself to that person as a hacker belonging to a group of hackers that had managed to break into NSO's computer systems and proposed that the second person buy NSO's cyber capabilities for $50 million. He asked to be paid in cryptocurrency that does not allow the holder to be traced. The attempted sale was discovered when the person who had been offered the software reported being contacted by the accused to NSO. NSO entered the picture and asked for further particulars about the cyber capabilities being offered for sale by the accused. The accused gave more information about the cyber capabilities that he was trying to sell and the versions of the products.
Following these events, the company made an urgent request to Israel Police on June 5 and the accused was arrested by the Lahav 433 cyber unit. The investigation found that because of this action by the company and the swift handling of the incident by the police cyber unit, the accused's planned sale did not materialize.
Evidence gathered in the investigation shows that the accused's actions jeopardized NSO and could have resulted in its collapse. Furthermore, the indictment asserts that the accused's actions endangered state security, and the accused is consequently being charged with an attempt to damage property used by the security forces in a manner that could have damaged state security. Under the gag order, however, additional particulars about the damage to state security involved in the affair cannot be reported.
The request to keep the suspect under arrest until the end of proceedings states, "The defendent (accused) carried out the offenses attributed to him in a sophisticated manner using his highly developed technological capabilities… The defendent committed the offenses out of greed, although he was aware, or at least ignored the fact, that the offenses would harm state security and were liable to cause the collapse of a company with 500 employees and a value of at least $900 million… All of these facts indicate the grave risks stemming from the defendant and the great concern that the defendant will continue to endanger state security and public safety if he is released."
The State Attorney's Office says that one of the greatest information security threats comes from an "inside mole." A number of significant cases of theft of computerized information have occurred in recent years in which the perpetrator was an employee with legal access to information; out of financial motivation or bitterness at his employers, the perpetrator stole the information and made illegal use of it.
It now appears that the theft of the Pegasus program will go down as one of the most dangerous security offenses ever that ended without damage only by a miracle, provided, that is, that the investigators are correct in concluding that the errant employee was unsuccessful in selling or transferring the software to anyone.
The accused held in his possession for three weeks one of the most dangerous espionage tools - a powerful tool enabling the user to eavesdrop on and film any person in the world without their knowledge - with no one preventing him from doing whatever he wanted with it.
Grave security vulnerability
The Pegasus affair gives rise to several grave questions. The most disturbing is whether the stolen software reached unauthorized or even hostile hands. If during the 21 days during which the accused possessed the program he made contact with any such parties, he could have easily given them the program through the Internet. In the wrong hands, such a tool could become an extremely dangerous weapon used with no restriction or supervision.
The investigation shows that this apparently did not happen. The first attempt to sell the program took place only after the accused was finally fired by the company and engaged in loud arguments with his employer. This was very fortunate for NSO, which could have suffered a critical blow had its program made its way around the world and its most secret capabilities been exposed. It is also very fortunate for every person concerned about individual rights and privacy and the ability of certain countries to affect democratic processes and information systems in other countries. It still must be asked whether NSO behaved negligently by not taking immediate action to retrieve its code from X.
A second question arising from the affair is the quality of the employees employed in high-tech companies and their reliability, particularly when such dangerous technology is involved. Employees of Israeli security companies are scanned and investigated in depth before they are accepted. In high tech, any person can be hired with almost no checking.
A third disturbing question is the effectiveness of the Ministry of Defense's supervision of cybersecurity systems. This supervision is now being exposed as ineffective because it allowed critical technology to find its way into irresponsible hands. In the era of cyber warfare, it may be that the Ministry of Defense needs to revise the way it works.
"No use was made of the material"
NSO said in response, "Attempts to steal inside information from within the company are always threats that are challenging to prevent and detect. In this case, a former employee allegedly stole intellectual property from the company and attempted to illegally monetize it for his personal financial gain.
"The company was able to quickly identify the breach, collect evidence, identify the perpetrator, and share its findings with the relevant authorities. The authorities in turn responded quickly and effectively, so that within a very short time the former employee was arrested and the stolen property was secured. We will continue to support the prosecution of the perpetrator to the full extent of the law and pursue all available legal action.
"As stated clearly in the indictment, no IP or company materials have been shared with any 3rd party or otherwise leaked, and no customer data or information was compromised.
"We would like to thank the police and the Attorney General’s team for their swift and professional work."
Published by Globes [online], Israel business news - www.globes-online.com - on July 5, 2018