Spyware firm NSO and others added to US banned Entity List

US government bans target Israeli spyware makers and cyber firms in Russia and Singapore

Israeli cyber firm NSO Group – the company at the centre of a surveillance scandal that saw its Pegasus mobile spyware product used by government customers to maliciously target government officials, journalists, business people, activists, academics and embassy workers – has been added to the US Commerce Department’s Entity List for engaging in activities against the country’s national security and foreign policy interests.

The Commerce Department said NSO’s tools also enabled authoritarian governments to conduct transnational repression, targeting dissidents, journalists and activists beyond their borders. It said this practice threatened the “rules-based international order”.

The nefarious activities of NSO’s customers were revealed this summer by investigative journalists, prompting a furious response from the organisation, which claims to carefully vet its customers and to shut off their access to Pegasus if it finds it is being used maliciously. NSO said its product had proved invaluable to organisations fighting organised crime, terrorism, human trafficking and child sex abuse.

“The United States is committed to aggressively using export controls to hold companies accountable that develop, traffic, or use technologies to conduct malicious activities that threaten the cyber security of members of civil society, dissidents, government officials and organisations here and abroad,” said US commerce secretary Gina Raimondo.

The ruling issued by the department’s Bureau of Industry and Security (BIS) also targets Candiru – also known as Saito Tech Ltd or Sourgum in Microsoft’s threat matrix. Candiru is another Israel-based firm that weaponised vulnerabilities in Google and Microsoft products to enable its government customers to conduct illicit surveillance on their targets.

Microsoft’s investigations found Candiru’s flagship product, a malware dubbed DevilsTongue, being used against targets located in Armenia, Iran, Israel, Lebanon, Singapore, Spain (specifically Catalonia), Turkey, the UK and Yemen.

The two other companies added to the list are: Positive Technologies, a Russia-based specialist in vulnerability and compliance management, incident and threat analysis, and application protection, and a recognised authority in the field of industrial control system (ICS) security; and Computer Security Initiative Consultancy PTE Ltd, a Singapore-based provider of cyber security services. Both firms are accused of trafficking cyber tools used to gain unauthorised access to information systems, threatening the privacy and security of multiple organisations around the world.

The US government said the addition of these companies to its Entity List, effectively banning them from the country, was part of the Biden administration’s efforts to centre human rights in US foreign policy by stemming the proliferation of digital tools used for repression.

Read more on Privacy and data protection

Data Center
Data Management