Washington: The United States on Wednesday added the Israeli spyware company NSO Group to its “entity list,” a federal blacklist prohibiting the company from receiving American technologies, after determining its phone-hacking tools had been used by foreign governments to “maliciously target” government officials, activists, journalists, academics and embassy workers around the world.
The move is a significant sanction against a company spotlighted in July by the global Pegasus Project consortium, including The Washington Post and 16 other news organisations worldwide. The consortium published dozens of articles detailing misuse of the Pegasus spyware by customers of NSO.
It could also hinder it from future business arrangements and challenge their ability to work as an international company.
For example, it is now far harder for American researchers to sell them information or technology.
Following the initial concern over Pegasus, a subsequent wave of worries emerged when iPhone maker Apple released a fix in September for a weakness that can let the spyware infect devices without users even clicking on a malicious message or link.
The so-called "zero-click" is able to silently corrupt the targeted device, and was identified by researchers at Citizen Lab, a cybersecurity watchdog organization in Canada.
UN experts have called for an international moratorium on the sale of surveillance technology until regulations are implemented to protect human rights following an Israeli spyware scandal.
Israel's defence establishment has set up a committee to review NSO's business, including the process through which export licenses are granted.
NSO has insisted its software is intended for use only in fighting terrorism and other crimes, and says it exports to 45 countries.
Researchers say methods used by NSO Group, the world's most infamous hacker-for-hire company, have grown so sophisticated that it can now infect targeted mobile phones without any user interaction.
In July, Microsoft said it had blocked tools developed by Candiru that were used to spy on more than 100 people around the world, including politicians, human rights activists, journalists, academics and political dissidents. -- Agencies
The Commerce Department said in a statement that the action is part of the Biden administration’s “efforts to put human rights at the centre of US foreign policy, including by working to stem the proliferation of digital tools used for repression.”
The company did not immediately respond to requests for comment.
The company has consistently denied the findings of the Pegasus Project, which found that some of NSO’s dozens of law enforcement, military and intelligence customers in more than 40 countries target journalists, politicians and human rights workers on a routine basis with Pegasus, which can hack into a victim’s cellphone. NSO has acknowledged problems with certain customers in the past.
“The impact is broader than just the legal prohibition,” said Kevin Wolf, an international trade lawyer at the firm Akin Gump who previously ran the entity list process. “It’s a huge red flag.”
Commerce officials said NSO Group and another Israeli surveillance company, Candiru, had enabled “foreign governments to conduct transnational repression,” allowing authoritarian governments to target “dissidents, journalists and activists outside of their sovereign borders to silence dissent.”
Past administrations added Huawei and other Chinese firms to the list, citing their alleged contributions to human rights abuses of the Uyghurs, a mostly Muslim minority group detained en masse in Chinese “reeducation” camps.
But it is rare for the U.S. government to target companies from US allies, including NSO Group’s home country of Israel. NSO’s addition to the list also marked one of the first times that the US government had cited cyber-surveillance issues as the cause for the penalty.
Three other companies were also added to the list: Israel’s Candiru, Russia’s Positive Technologies and Singapore’s Computer Security Initiative Consultancy PTE.
