US puts Israeli spyware firm NSO Group on trade blacklist
The US has added NSO Group, the Israeli
military spyware company that created software traced to the phones of
journalists and human rights activists around the world, to a trade blacklist
as it targets the growing surveillance threat posed by hacking-for-hire
companies.
NSO and a competitor, Tel Aviv-based
Candiru, were among four companies added by the commerce department on
Wednesday to its so-called entity list, which would restrict exports of US
hardware and software to the companies.
Groups like NSO use developer versions of
popular operating software to develop “zero-click exploits”, which do not
require the user to open a malicious link to deploy, according to a person
familiar with their practices.
NSO said in a statement it was “dismayed by
the decision, given that our technologies support US national security
interests and policies by preventing terrorism and crime, and thus we will
advocate for this decision to be reversed”.
“We look forward to presenting the full
information regarding how we have the world’s most rigorous compliance and
human rights programmes that are based [on] the American values we deeply
share, which already resulted in multiple terminations of contacts with
government agencies that misused our products.”
Being blacklisted from US exports might
effectively mean they “are finished”, said Eitay Mack, an Israeli human rights
lawyer who has campaigned for years to get NSO’s export license revoked by the
Israeli government, with little success.
“NSO has tried for years to be on the
‘good side’, to try to claim that its activities are above reproach,” said John
Scott-Railton, at the University of Toronto’s Citizen Lab, which advocates on
behalf of journalists and dissidents. “This designation by the commerce
department gives us the strongest indication of the US view of the NSO Group,
which suggests they take a dim view . . . and see the company’s activities as
potentially contrary to the national security of the US.”
The US commerce department said the
designation of the two companies was “based on evidence that these entities
developed and supplied spyware to foreign governments that used these tools to
maliciously target government officials, journalists, businesspeople, activists,
academics and embassy workers.
“These tools have also enabled foreign
governments to conduct transnational repression, which is the practice of
authoritarian governments targeting dissidents, journalists and activists
outside of their sovereign borders to silence dissent. Such practices threaten
the rules-based international order,” the department said.
In the past NSO has allegedly rented server
space from companies such as Amazon Web Services and used it to
surreptitiously break into phones and computers, Facebook has alleged in a
lawsuit filed against the company in the US. Amazon reportedly shut down that
access in July, after an Amnesty International report detailed the alleged use
of other Amazon services to deliver hacks.
The lawsuit from WhatsApp’s owner,
Facebook, alleges that NSO Group exploited a vulnerability in the world’s most
popular messaging service to deliver its spyware. NSO has asked for the suit to
be dismissed.
While it is unclear what effect this move
will have on the technical capabilities of NSO, Candiru and the two other
companies blacklisted on Wednesday, the commerce department’s decision supports
findings by the University of Toronto’s Citizen Lab and Amnesty International
that their tools are regularly abused by repressive regimes.
Danna Ingleton, deputy director of Amnesty
Tech at Amnesty International, said in a statement that in addition to sending
a “strong message” to NSO, the commerce department’s move also represented “a
day of reckoning for NSO Group’s investors”.
NSO, the largest of the known Israeli
cyber warfare companies, has said repeatedly that it sells its weapon
only to nations in order to fight terrorism and serious crime, and with the
approval of the Israeli government. Candiru could not be reached for comment.
Both companies are part of a growing
Israeli cyber industry that often recruits veterans of the army’s elite units
and sells software that enables clients to hack computers and mobile phones
remotely.
NSO’s licensed military-grade software,
Pegasus, was last year revealed to have been used to target smartphones
belonging to 37 journalists, human rights activists and other prominent
figures. French media reported that it had been used by Morocco to spy on
senior French officials, including the personal mobile phone of President
Emmanuel Macron.
Those revelations caused a diplomatic spat
between Israel and France, which has demanded that Israel rein in NSO Group’s
sales, according to two people briefed on the talks.
According to research by Microsoft and the
University of Toronto’s Citizen Lab, Candiru exploited vulnerabilities in
Microsoft and Google products, enabling governments to hack the laptops of more
than 100 journalists, activists and political dissidents globally.
The commerce department also added a
Russian company, Positive Technologies, and Singapore-based Computer Security
Initiative Consultancy to its list, alleging that they “traffic in cyber tools”
used to gain unauthorised access to computer systems. Neither company immediately
returned a request for comment.
Gina Raimondo, commerce secretary, said the
US was “committed to aggressively using export controls to hold companies
accountable that develop, traffic, or use technologies to conduct malicious
activities that threaten the cyber security of members of civil society,
dissidents, government officials, and organisations here and abroad”.
Kevin Wolf, a partner at law firm Akin Gump
and a former senior commerce official, said US companies often “choose to avoid
doing business with listed entities completely in order to eliminate the risk
of an inadvertent violation and the costs of conducting complex legal analyses”.