NSO Employee 'Stole' Classified Israeli Cyberweapons to Sell on Darknet

According to indictment, former employee contacted a foreign entity and attempted to sell a hard drive containing the code for $50 million

A former employee of Israeli cybercompany NSO has been accused of stealing the company's spyware and trying to sell it on the darknet, it was revealed Thursday morning.

NSO has developed cyberweapons used by dozens of intelligence apparatuses, militaries, and law enforcement around the world. Its most important product is a spyware known as Pegasus. The software can infect cellphones, allowing someone to record calls, remotely access the device's camera, see text messages, obtain GPS coordinates, and more. The software can be remotely installed onto any mobile device without the owner's knowledge.

The employee, who was told of his imminent dismissal in April, worked in the company's quality assurance department. He was indicted last week, but only on Thursday was publication of the indictment permitted. 

According to the indictment, upon realizing that he was going to lose his job, the employee copied top-secret code from the company's networks – code that could damage security in several countries, including Israel, if it reached the wrong hands. Following his dismissal, he contacted a foreign entity and attempted to sell a hard drive containing the code for $50 million.

NSO said in a statement that it had quickly identified the breach and suspect, adding that no materials had been shared with a third party and that no data was compromised.

However, during a three-week period between the time the employee was asked to appear at a dismissal hearing and the time the hearing actually took place, he had the sensitive code on a disc in his home. He could have fled the country with it, possibly to a state with which Israel has no extradition treaty. In that case, the spyware could have fallen into the hands of enemy countries, terror groups or crime organizations. 

After his dismissal hearing, the employee used the darknet to offer to sell the spyware to a specific foreign source, who immediately informed NSO of the employee's actions. Three days later he was in an interrogation room.

NSO was founded in 2010 by three high school friends from Haifa: Niv Carmi, Omri Lavie and Shalev Hulio. At least one of them is a veteran of the army’s premier signals intelligence unit, 8200, a breeding ground for many of Israel's cyberexperts.

Unlike other cybersecurity companies, such as the Israeli firm Check Point Software Technologies, NSO doesn’t deal with data security. It sells offensive software and spyware to governments and law enforcement and espionage agencies. The company argues that by limiting its sales to government and law enforcement agencies, it minimizes the danger of the product falling into the wrong hands. But that is only the case if those bodies act legally.

Last year, the firm sold its highly advanced Pegasus software to Mexican federal agencies, which used the program to infiltrate mobile devices held by human rights lawyers, journalists and activists fighting government corruption in Mexico, The New York Times reported.

In August 2016, researchers in the U.S. claimed that the group's technology was used against a political dissident in the United Arab Emirates, a journalist in Mexico and a minority party politician in Kenya.

In May, the Wall Street Journal reported that the Israeli-U.S. cybersecurity company Verint Systems was negotiating to buy NSO Group for $1 billion.