US blacklists maker of Pegasus spyware that helps governments spy on activists

NSO Group added to Entity List to stem spread of “digital tools used for repression.”

Jon Brodkin – Nov 3, 2021 1:57 pm | 74

KOLKATA, WEST BENGAL, INDIA: On July 25, 2021, protesters criticized the Indian government for using Pegasus spyware to snoop on journalists, opposition leaders, and activists. Credit: Getty Images | SOPA Images

The US has blacklisted Pegasus spyware maker NSO Group, saying that the Israeli company “developed and supplied spyware to foreign governments that used this tool to maliciously target government officials, journalists, businesspeople, activists, academics, and embassy workers.”

The Biden administration’s Commerce Department today announced a final rule that adds NSO Group and three other foreign companies to the Entity List “for engaging in activities that are contrary to the national security or foreign policy interests of the United States.” The other three companies are Israel-based Candiru, Russia-based Positive Technologies, and Singapore-based Computer Security Initiative Consultancy. Exports and transfers of their products will be restricted.

As we explained in a previous article, “Pegasus is frequently installed through ‘zero-click’ exploits, such as those sent by text messages, which require no interaction from victims.” Pegasus can jailbreak or root an iPhone or Android phone and make copies of call histories, text messages, calendar entries, and contacts. Pegasus can also activate cameras and microphones to eavesdrop, track a target’s movements, “and steal messages from end-to-end encrypted chat apps.”

While NSO Group’s website says its technology “helps government agencies prevent and investigate terrorism and crime,” an investigation by The Washington Post and other news organizations found it “was used in attempted and successful hacks of 37 smartphones belonging to journalists, human rights activists, business executives, and two women close to murdered Saudi journalist Jamal Khashoggi.” That report was released in July 2021, but there have been other reports of Pegasus targeting human rights activists over the past several years.

Apple has been patching iOS vulnerabilities exploited by Pegasus since at least August 2016, but NSO Group found ways to continue exploiting iPhones. Another Apple patch to close a vulnerability exploited by Pegasus was issued in September 2021.

“Digital tools used for repression”

“Today’s action is a part of the Biden-Harris Administration’s efforts to put human rights at the center of US foreign policy, including by working to stem the proliferation of digital tools used for repression,” the Commerce Department announcement said. The decision was made by the End-User Review Committee, which is chaired by the Commerce Department and includes the Departments of Defense, State, Energy, and Treasury.

NSO Group and Candiru made tools that “enabled foreign governments to conduct transnational repression, which is the practice of authoritarian governments targeting dissidents, journalists, and activists outside of their sovereign borders to silence dissent,” the Commerce Department said. Positive Technologies and Computer Security Initiative Consultancy “were added to the Entity List based on a determination that they traffic in cyber tools used to gain unauthorized access to information systems, threatening the privacy and security of individuals and organizations worldwide.”

Candiru is a secretive company whose “founder is [venture capital investor] Isaac Zack, who was also a founder of NSO,” a January 2019 Haaretz report said. At the time, Candiru was “believed to employ 120 people and generate annual sales of $30 million a year,” which “would make it Israel’s second-largest offensive cyber company after NSO, not counting publicly traded Verint and general defense companies.”

Blacklisting restricts exports and transfers

The US government’s Entity List is used “to restrict the export, reexport, and in-country transfer of items” that are subject to US Export Administration Regulations (EAR), the Commerce Department said.

“For the four entities added to the Entity List in this final rule, BIS [Bureau of Industry and Security] imposes a license requirement that applies to all items subject to the EAR,” the Commerce Department said. “In addition, no license exceptions are available for exports, reexports, or transfers (in-country) to the entities being added to the Entity List in this rule. BIS imposes a license review policy of a presumption of denial for these entities.”

After the July 2021 reports on Pegasus targeting journalists and human rights activists, NSO Group claimed that a “well-orchestrated media campaign” pushed by “special interest groups” had exhibited a “complete disregard of the facts.” NSO Group also said it “will no longer be responding to media inquiries on this matter” and “will not play along with the vicious and slanderous campaign,” but it did offer this defense:

NSO is a technology company. We do not operate the system, nor do we have access to the data of our customers, yet they are obligated to provide us with such information under investigations.

NSO will thoroughly investigate any credible proof of misuse of its technologies, as we always had, and will shut down the system where necessary.

NSO will continue its mission of saving lives, helping governments around the world prevent terror attacks, break up pedophilia, sex, and drug-trafficking rings, locate missing and kidnapped children, locate survivors trapped under collapsed buildings, and protect airspace against disruptive penetration by dangerous drones.