



The United States has added NSO Group, the Israeli military spyware company that created software traced to the phones of journalists and human rights activists around the world, to a commercial blacklist as it targets the growing surveillance threat posed by hacking companies.

NSO and a competitor, Tel Aviv-based Candiru, were among four companies added by the Commerce Department on Wednesday to its so-called entity list, which would restrict exports of US hardware and software to the companies.

Groups like NSO use development versions of popular operating software to develop “clickless exploits,” which don’t require the user to open a malicious link to deploy, according to someone familiar with their practices.

NSO said in a statement that it was “appalled by the decision, given that our technologies support the interests and national security policies of the United States by preventing terrorism and crime, and we will therefore advocate that this decision be canceled”.

“We look forward to presenting all the information on how we have the most rigorous human rights and compliance programs in the world, based on the American values that we deeply share, which have already led to multiple breaks in contact with government agencies that have abused our products.”

Being blacklisted from US exports could effectively mean they ‘are finished,’ said Eitay Mack, an Israeli human rights lawyer who has campaigned for years to have NSO’s export license revoked by the Israeli government, with little success.

“NSO has tried for years to be on the ‘safe side’, to try to pretend its business is above reproach,” said John Scott-Railton, of the Citizen Lab at the University of Toronto, which defends the rights of journalists and dissidents. “This designation by the Commerce Department gives us the strongest indication of the US view of the NSO Group, which suggests that they have a grim view ... and view the company’s activities as potentially contrary to US national security.”

The US Department of Commerce said the designation of the two companies was “based on evidence that these entities developed and supplied spyware to foreign governments who used these tools to maliciously target government officials, journalists, businessmen, activists, academics and embassy workers.

“These tools have also enabled foreign governments to carry out transnational repression, which is the practice of authoritarian governments targeting dissidents, journalists and activists outside their sovereign borders to silence dissent. Such practices threaten the rules-based international order,” the department said.

In the past, NSO has reportedly rented server space from companies such as Amazon Web Services and used it to sneak into phones and computers, Facebook said in a lawsuit against the company in the United States. Amazon reportedly shut down that access in July, after an Amnesty International report detailed the alleged use of other Amazon services to carry out hacks.

The lawsuit by WhatsApp owner Facebook alleges that NSO Group exploited a vulnerability in the world’s most popular messaging service to spread its spyware. NSO requested that the lawsuit be dismissed.

While it’s not clear what effect the move will have on the technical capabilities of NSO, Candiru and the other two companies blacklisted on Wednesday, the Commerce Department’s decision supports the findings of the University of Toronto’s Citizen Lab and Amnesty International that their tools are regularly abused by repressive regimes.

Danna Ingleton, Amnesty Tech’s deputy director at Amnesty International, said in a statement that in addition to sending a “strong message” to NSO, the Commerce Department’s decision also represented “a day of stocktaking for investors in the United States. NSO Group”.

NSO, the largest of Israel’s known cyber warfare companies, has repeatedly stated that it only sells its weapon to nations in order to combat terrorism and serious crime, and with the approval of the Israeli government. Candiru could not be reached for comment.

Both companies are part of a growing Israeli cyber industry that often recruits veterans from elite army units and sells software that allows customers to hack into computers and cellphones remotely.

NSO’s licensed military-grade software, Pegasus, was revealed last year to have been used to target smartphones owned by 37 journalists, human rights activists and other prominent figures. French media reported that it had been used by Morocco to spy on senior French officials, including President Emmanuel Macron’s personal cell phone.

The revelations sparked a diplomatic row between Israel and France, which demanded that Israel curb sales of NSO Group, according to two people briefed on the talks.

According to research by Microsoft and the Citizen Lab at the University of Toronto, Candiru exploited vulnerabilities in Microsoft and Google products, allowing governments to hack the laptops of more than 100 journalists, activists and political dissidents around the world.

The Commerce Department also added to its list a Russian company, Positive Technologies, and Computer Security Initiative Consultancy, based in Singapore, alleging that they were “trafficking cyber tools” used to gain unauthorized access to computer systems. Neither company immediately returned a request for comment.

Gina Raimondo, Secretary of Commerce, said the United States is “determined to aggressively use export controls to hold companies accountable that develop, commercialize or use technology to carry out malicious activities that threaten the cybersecurity of members of civil society, dissidents, government officials and organizations here and abroad”.

Kevin Wolf, partner at Akin Gump law firm and former senior trade official, said US companies “often choose to avoid doing business with listed entities altogether in order to eliminate the risk of an inadvertent breach and the costs associated with conducting complex legal analyses”.

