By Samuel Rubenfeld
Wednesday, November 3, 2021
The U.S. Commerce Department on Wednesday announced export restrictions on four companies, including NSO Group, an Israeli technology firm.
NSO Group developed and supplied spyware to foreign governments that used the tools to maliciously target government officials, journalists, businesspeople, activists, academics and embassy workers around the world, the Commerce Department said.
The company is behind the military-grade spyware Pegasus, which was highlighted this summer in a global investigation involving leaked documents that revealed who had bought the tool and against whom it was deployed. Notable targets of Pegasus included the wife of Jamal Khashoggi, the journalist murdered in a Saudi consulate; three sitting presidents; three prime ministers; a king; businessmen and others, according to the leaked documents.
“The United States is committed to aggressively using export controls to hold companies accountable that develop, traffic or use technologies to conduct malicious activities that threaten the cybersecurity of members of civil society, dissidents, government officials and organizations here and abroad,” said Commerce Secretary Gina Raimondo.
As a result of the listing, exports of goods and services to NSO Group and the other firms require a license, which faces a presumption of denial.
In a statement, NSO Group said it was “dismayed” by the U.S. listing, “given that our technologies support U.S. national security interests and policies by preventing terrorism and crime.” The company will “advocate” for a reversal, the statement said, adding that it plans to present how its compliance programs “are based on American values we deeply share.”
The listing followed interim rules announced last month that established controls on exports of items that can be used for malicious cyber activity, including surveillance or espionage.
The U.S. will not take action against countries or governments where the companies are located, the State Department said in a statement. “As part of its commitment to put human rights at the center of U.S. foreign policy, the Biden-Harris Administration is working to stop the proliferation and misuse of digital tools used for repression,” it said. “This effort is aimed at improving citizens’ digital security, combating cyber threats and mitigating unlawful surveillance.”
A second Israeli firm, Candiru, was also listed for developing spyware tools used for malicious purposes; the company, shrouded in secrecy, sells tools used to break into computers and servers, according to a 2019 report by the newspaper Haaretz. Its malware has been found on devices in Europe and the Middle East, Haaretz reported last month.
Candiru has also made efforts to obscure its ownership structure, staffing and investment partners, the Citizen Lab, a research institute at the University of Toronto, found this summer.
Two other companies, Singapore-based Computer Security Initiative Consultancy PTE. LTD. and Russia-based Positive Technologies, were added to the export controls list for trafficking in cyber exploits used to gain access to information systems, which threatens individuals and organizations worldwide, according to the Commerce Department.
Positive Technologies was sanctioned by the U.S. in April for providing support services to the Federal Security Service (FSB) and other Russian government clients. The company continued finding vulnerabilities for U.S. firms despite the designation, Kharon reported in June.
The Commerce Department had also restricted exports to Positive Technologies in July under its alias, Aktsionernoe Obshchestvo Pozitiv Teknolodzhiz, Kharon reported at the time.
Positive Technologies appears to continue to identify and work with U.S. companies as it identifies problems, according to a review of recent press releases.
The company released a report this week examining the threat posed by rootkits, which are programs that hide the presence of an intrusion by an attacker. Rootkits tend to be associated with high profile attacks involving high-impact consequences, typically against government or research institutions for espionage purposes, the company said.
On Friday, Positive Technologies responded to the export controls listing, saying the development isn’t new and all of the company’s business plans, including an effort to go public, will go forward unchanged. “Every one of our developments is strictly protection-focused. The time is ripe to develop tools of this kind, and we shall continue to do so,” said Denis Baranov, the chief executive, in the statement. “On what basis the [Commerce Department] included us in this list, we do not know. In any case, we preempted the sanctions risks ahead of time, and now they pose no additional threats to us."