NSO Group – the Israeli-based maker of the notorious, military-grade Pegasus spyware that’s been linked to cyberattacks against dissidents, activists and NGOs (and murders of journalists) at the hands of repressive regimes – has been blacklisted by the United States.
NSO Group is one of four spyware developers or traffickers that the U.S. Commerce Department added to its “Entity List” on Wednesday, effectively banning trade with the company. The list is used to restrict those deemed to pose a risk to the country’s national security or foreign policy.
Also added was fellow Israeli company Candiru – aka Sourgum, Grindavik, Saito Tech or Taveta – which allegedly sells the DevilsTongue surveillance malware to governments around the world and which was founded by engineers who left NSO.
The State Department said that both NSO Group and Candiru were added because they “developed and supplied spyware to foreign governments that used this tool to maliciously target government officials, journalists, businesspeople, activists, academics and embassy workers.”
The third entity added to the trade-ban was Russia’s Positive Technologies, which was sanctioned in April for its work with Russian intelligence.
And finally, also blacklisted was the Singaporean security company Computer Security Initiative Consultancy (COSEINC), which the State Department said was added to the list for trafficking in malicious cyber-tools “used to gain unauthorized access to information systems in ways that are contrary to the national security or foreign policy of the United States, threatening the privacy and security of individuals and organizations worldwide.”
Companies placed on the Entity List are subject to trading restrictions: They can’t purchase U.S. technology or goods without explicit permission from the Commerce Department, which they aren’t likely to secure, since the rules don’t allow license exceptions for exports.
NSO’s Non-Winning Business Plan
NSO Group’s blacklisting is likely the least surprising of the four new Entity List entries, given the history of its spyware repeatedly being used to target civil society and government officials.
But it’s not just the targeting that got NSO banned. Jake Williams, co-founder and CTO at incident response firm BreachQuest, conjectured that it’s the fact that NSO’s tools have allegedly been used to go after targets the U.S. likes.
“It isn’t just the targeting of these individuals that got NSO in hot water, it’s that entities unfriendly to the U.S. used NSO tools to target friendly journalists, activists, etc. That’s never a winning business plan,” he told Threatpost.
It’s not surprising to see Positive Technologies on the list either, Williams commented. The addition of COSEINC is the most surprising, he said, given that for the most part, it’s flown under the public radar until now, though it was identified as a zero-day vendor in 2018.
NSO Says It’s ‘Dismayed’
According to a statement that NSO sent to media outlets on Wednesday and eventually to Threatpost on Friday, the company was “dismayed” by the U.S. decision and claimed that its tools actually help to prevent terrorism and crime.
It’s going to call for the United States to reverse the ban, NSO said, sticking to its oft-repeated claim that it has the “world’s most rigorous” human rights and compliance systems. The full statement:
NSO Group is dismayed by the decision given that our technologies support US national security interests and policies by preventing terrorism and crime, and thus we will advocate for this decision to be reversed. We look forward to presenting the full information regarding how we have the world’s most rigorous compliance and human rights programs that are based [on] the American values we deeply share, which already resulted in multiple terminations of contacts with government agencies that misused our products.
As the New York Times reported, regardless of NSO Group’s claims, its spyware keeps appearing “on the phones of journalists, critics of autocratic regimes, even children. Some of NSO’s targets — like Ahmed Mansoor, a critic of the United Arab Emirates — have been imprisoned and held in solitary confinement for years after NSO’s spyware was found on their phones.”
The ban marks a first: The Entity List hasn’t historically included technology companies. Rather, the blacklist is typically reserved for abusers of human rights or others that the U.S. thinks deserve the rating of “worst enemy.”
So far this year, the Biden administration has added Myanmar entities in response to the country’s military coup as well as entities in Russia, Switzerland and Germany. China and Venezuela are also included in the list.
The addition of the tech companies to the list reveals the United State’s sharpened concern with spyware as it relates to national security. It’s apparently right to be concerned: Besides all of the journalists and activists who’ve allegedly been surveilled by foreign governments using NSO’s spyware, the mobile phone of a senior U.S. diplomat, Robert Malley, was also found on a leaked list of individuals selected as potential targets of surveillance by NSO’s clients, as The Guardian has reported. So too was a list of French officials that reached all the way up to President Emmanuel Macron.
‘Hitting Puddles With Sledgehammers’
Bill Lawrence, CISO of the risk-management acceleration platform vendor SecurityGate, said that the ban on spyware will put some economic hurt on the blacklisted companies, but such economic measures can feel “like hitting puddles with sledgehammers” as they reform in other ways.
Oliver Tavakoli, CTO at cybersecurity company Vectra AI, agreed, telling Threatpost that these sanctions, for the most part, represent “a speed bump” for the surveillance companies.
Meanwhile, contracts have language that can be flexibly interpreted when it comes to what constitutes “appropriate use” of such tools, Tavakoli said.
“The murky business of supplying offensive cyber-capabilities to governments across the world invariably leads these companies to make a judgment on what constitutes ‘appropriate use’ of the technologies and whether their clients can be trusted to honor the spirit of constraints – often expressed in vague terms referring to ‘threats’ and ‘security’ – written into contracts,” he said via email.
Tavakoli continued: “It’s pretty clear that most governments ignore those constraints and do what they believe to be in the self-interest of the government and its current leader, though the companies can then claim plausible deniability.”
The ban, while being a good step, would be even better if the U.S. would itself stop “trying to get ‘back doors’ installed in its own citizens’ electronics,” Lawrence told Threatpost on Thursday via email. One example jumps out: the FBI’s repeated attempts to compel Apple to install backdoors.
Cybersecurity for multi-cloud environments is notoriously challenging. OSquery and CloudQuery is a solid answer. Join Uptycs and Threatpost on Tues., Nov. 16 at 2 p.m. ET for “An Intro to OSquery and CloudQuery,” a LIVE, interactive conversation with Eric Kaiser, Uptycs’ senior security engineer, about how this open-source tool can help tame security across your organization’s entire campus.
Register NOW for the LIVE event and submit questions ahead of time to Threatpost’s Becky Bracken at firstname.lastname@example.org.