In yet another instance of how malicious insiders can easily compromise sensitive enterprise data by misusing their access to company servers, NSO Group, a well-known supplier of surveillance tools to governments, announced that it recently apprehended a senior programmer just in time before he could sell information worth hundreds of millions of pounds to third parties on the Dark Web.
So far, NSO Group has neither named the employee nor disclosed exactly what information he was trying to sell to prospective buyers on the Dark Web. It did confirm, however, that the employee was attempting to sell proprietary information in exchange for $50 million in untraceable virtual currency.
NSO failed to detect insider breach
What’s significant is that the malicious insider wasn’t detected by NSO Group’s own controls: the company apprehended him only after a potential buyer, whom the employee had contacted, alerted it to the attempted sale. Had the buyer not come forward, sensitive enterprise information including cutting-edge surveillance tech and malware could have landed in the hands of malicious hackers on the Dark Web.
“Today nobody is safe from a wide spectrum of malicious insider activities. Four-eyes principles, anomaly detection, role-based access to sensitive data and two-factor authentication, continuous monitoring and employee vetting – can substantially reduce those risks, but not eliminate them,” said Ilia Kolochenko, CEO and founder of High-Tech Bridge.
“Worse, being extremely busy with external security threats, many organizations blindly trust their internal employees and tend to ignore automated security alerts coming from the inside. In many cases, conscientious employees are tricked in a sophisticated manner by cybercriminals to unwittingly help them get inside of corporate networks.
“It would be interesting to know which factors and evidence have led to the arrest in this particular case. Usually, it is very difficult or even technically impossible to attribute complicated insider activities and prove further malicious exploitation of the allegedly stolen data.
“Moreover, if, as asserted by the defendant’s lawyer, the accusations are indeed ‘baseless’, the company may itself face criminal charges, let alone considerable civil claims from the defendant. Anyway, it’s far too early to make reliable conclusions at this stage of investigation,” he added.
Even though NSO Group averted a major breach of surveillance tech this time, it remains to be seen if it will be able to prevent similar instances in the future, considering that the NSA itself wasn’t able to safeguard high-tech surveillance tools and malware which were stolen by hackers and employed with disastrous consequences.
NSO Group’s surveillance tools a dream for hackers
NSO Group has, in the recent past, attracted the ire of privacy campaigners and human rights groups for supplying high-tech surveillance tools to despotic governments across the world. One such tool was a spyware app named Pegasus, which was capable not only of recording every action on a mobile phone but also of self-destructing when it ‘felt’ it had been compromised.
Pegasus’ capabilities included keylogging, screenshot capture, live audio capture, remote control of the malware via SMS, data exfiltration from common applications including WhatsApp, Skype, Facebook, Twitter, Viber and Kakao, browser history exfiltration, and email exfiltration from Android’s native email client.
According to mobile security firm Lookout, Pegasus was used by the Mexican government to spy on citizens who were critics of the country’s soda laws, as well as by several other governments who wanted to keep an eye on dissidents and human rights campaigners.
“In the course of researching the iOS threat, Lookout researchers mined our comprehensive dataset and located signals of anomalous Android applications. After looking into these signals, we determined that an Android version of Pegasus was running on phones in Israel, Georgia, Mexico, Turkey, the UAE, and others,” the firm said in its blog.
In June last year, security firm Citizen Lab also uncovered a spate of spyware attacks conducted on a number of Mexican journalists and lawyers between August 2015 and July 2016. These journalists and lawyers were, at that time, investigating allegations of corruption by the Mexican President as well as of human rights abuses initiated by Mexican federal authorities.
Citizen Lab determined that the modus operandi of the people behind the spyware operation was very similar to the activities of NSO Group, a ‘cyber-warfare group’ that sells exploits and spyware tools to governments around the world.
“In February 2017 Citizen Lab, with the assistance of Mexican non-governmental organizations (NGOs) R3D and SocialTic, documented how Mexican government food scientists, health, and consumer advocates also received links to infrastructure that we connected to NSO Group. We suspect that the links were designed to install Pegasus on their phones,” the firm said.
Considering how advanced the surveillance tools developed by NSO Group are and how costly they are to procure, there is little doubt that malicious hackers looking to carry out surveillance of their own would want to get their hands on such tools. As such, while NSO Group’s activities may be termed immoral by privacy campaigners, the company will need to strengthen its internal security controls for as long as it operates in order to prevent high-level data breaches.