The U.S. Department of Commerce added four organizations, including Israeli cyberarms industry NSO Group to the Entity List for engaging in malicious cyber activities that are conflicting with the nation’s national security and foreign policy.
This move comes months after reports released by several news organizations across the world that many governments are using the Pegasus spyware tool to conduct surveillance on politicians, activists, journalists, and other media personalities. Though the NSO company claimed that its spyware is used only to prevent terrorism and crime.
US Commerce Department’s Entity List is a federal backlist that would restrict exports and re-exports of technologies to different companies.
Along with NSO Group, Candiru company was also added to the entity list based on the evidence of selling their spyware products to other countries’ governments for spying. According to reports, these two companies were involved in the exploitation of zero-day vulnerabilities in Apple iOS and Google Chrome web browser for spoofing and spying the individuals for their customers.
What is Pegasus?
Pegasus is a spyware hacking software suite basically used for the surveillance of individuals that can be secretly installed on mobile phones and other devices that run iOS and Android operating systems. Once the software is installed, it can run arbitrary code, collect any data from the device and transmit it back to the attacker.
Read more about the Pegasus spyware discovery, evolution, how it infects the phone and what it can do in detail – Pegasus – A Sophisticated Spyware Tool.
Official Statement from United States Department of Commerce:
These entities developed and supplied spyware to foreign governments that used these tools to maliciously target government officials, journalists, business people, activists, academics, and embassy workers. These tools have also enabled foreign governments to conduct transnational repression, which is the practice of authoritarian governments targeting dissidents, journalists and activists outside of their sovereign borders to silence dissent. Such practices threaten the rules-based international order.
US Commerce Department Spokesperson
The United States is committed to aggressively using export controls to hold companies accountable that develop, traffic, or use technologies to conduct malicious activities that threaten the cybersecurity of members of civil society, dissidents, government officials, and organizations here and abroad.
Gina M. Raimondo, U.S. Secretary of Commerce
NSO Group Denied the Decision of Including It in Entity List of US Commerce Department:
As per Reuters report, NSO Group challenged the US Commerce Department’s decision on adding them to the entity list and will advocate on this.
The company was “dismayed” by the decision since its technologies “support U.S. national security interests and policies by preventing terrorism and crime, and thus we will advocate for this decision to be reversed. NSO will present information regarding its “rigorous” compliance and human rights programs, “which already resulted in multiple terminations of contacts with government agencies that misused our products.
NSO Group Emailed statement sent to Reuters
Positive Technologies and COSEINC also Included in the Entity List:
The other two companies included in the entity list are Computer Security Initiative Consultancy PTE. LTD (COSEINC) and Positive Technologies based on the evidences that they are used to traffic in cyber tools for gaining unauthorized access to public and private networks, which eventually makes vulnerable the privacy and security of the targeted victim and organizations worldwide.
All four organizations are located in Israel, Russia, and Singapore, but US government officially confirmed that they are not taking any action against countries or governments where these firms are located.
US Department of Commerce Entity List Tool Utilized to Restrict Risked Technologies:
The Entity List is a tool used by BIS that comes under EAR (US’ Export Administration Regulations) to ban the export, re-export and transfers to in-country to the certain products, technologies, software, or services that involved or have a serious risk of being involved in the activities that are conflicting to the United States national security or foreign policy interests.
Here is the official statement released by US government on 3rd November – Commerce Adds NSO Group and Other Foreign Companies to Entity List for Malicious Cyber Activities
Conclusion:
Still, it remains unclear what this listing would affect NSO Group in future outside the US, such as India. As per Indian Express, an official from the Indian Ministry of Electronics and Information Technology said that-
“Though addition of companies to the list does not outright bar any non-US company or country from doing business with such companies, most ‘avoid’ doing business for the ‘fear of sanctions.”
Know how Pegasus spyware tool used in India and other countries | What is Pegasus Project – A Global Investigation? | Click Here → Pegasus Spyware usage in India and Worldwide
Found this article interesting? Follow DefenseLead on Twitter, Facebook and LinkedIn to read more exclusive content.