RICHMOND (VA) — Wednesday’s announcement by the Biden administration that it will impose new export restrictions on Israel’s NSO Group – The world’s most infamous hacker for hire company – stating its tools were used to “conduct international repression.”
According to spyware researchers, the company has been used all over the world to hack into phones of journalists, human rights activists, and members of the Catholic clergy. The company stated that it would support a reversal.
According to the U.S. Commerce Department, NSO Group and three additional firms have been added to the “entity” list. This restricts their access to U.S. technology and components by requiring government approval for exports. According to the department, the Biden administration was trying to protect human rights in U.S. foreign policies by adding these companies to the entity list.
“The United States is committed at aggressively using export control to hold companies accountable who develop, traffic or use technologies that are malicious activities that threaten cybersecurity of members of civil societies, dissidents and organizations here and overseas,” Gina Raimondo, U.S. Secretary for Commerce, stated in a statement.
This was yet another blow to NSO Group. NSO Group was previously the subject of reports from a media consortium that earlier this year found that the spyware tool Pegasus had been used in numerous successful or attempted phone hacks against business executives and human rights activists around the globe.
Pegasus infiltrates smartphones to steal personal and place data, and then secretly controls microphones and cameras. Researchers discovered several instances of NSO Group tools that use so-called “zeroclick” exploits to infect targeted mobile phones.
Facebook, the tech giant, is currently suing NSO Group in a U.S. federal Court for allegedly targeting 1,400 WhatsApp users with its spyware.
The company has denied any wrongdoing, and Wednesday’s statement stated that its tools “support US security interests and policies by preventing terrorist and criminal activity.”
The company stated that it was looking forward to sharing all information about how they have implemented the most stringent compliance and human rights programs in the world. These are based on American values, which has already led to multiple terminations of contact with government agencies who misused our products.
It is not clear what the full impact of being placed on the entity list will be. Kevin Wolf, a lawyer with Akin Gump, and a former top Commerce official, stated that being on the entity list can have a wide impact on a company.
He said that many companies avoid doing business with listed entities to avoid inadvertent violations and to save money on legal analysis.
The Commerce Department added Chinese tech giant Huawei to the entity list in 2019. This was a move that the U.S. intelligence and defense communities had long criticized as being untrustworthy by Beijing’s rulers.
Stewart Baker, a cybersecurity lawyer who was also the former general counsel for the National Security Agency, stated that it is still to be seen what impact Wednesday’s announcement has on the NSO Group’s long-term health. According to Baker, the Commerce Department will have a lot of discretion when it comes to licensing requests for the NSO Group. This could lead to pressure from the U.S. government and Israeli exporters.
He said, “We could see a scenario in which the sanction was granted and it has both a great symbolic and practical significance for NSO but certainly not a death penalty and may eventually just be really aggravating.”
Candiru, an Israeli spyware company was also added. Microsoft announced in July that it had blocked Candiru’s tools from being used to spy on over 100 people, including journalists, human rights activists and academics.
The department also said that Positive Technologies, a prominent Russian company, and Computer Security Initiative Consultancy, based in Singapore, were placed on the list because they trafficked in “cyber tools” used to gain unauthorized entry to IT systems. Positive Technology was placed under sanctions by the Treasury Department earlier in the year. The company has an extensive international presence and is a partner with IT giants like IBM and Microsoft.