The NSO Group and Candiru were added to Washington’s Entity List for Malicious Cyber Activities “based on a determination that they developed and supplied spyware to foreign governments that used this tool to maliciously target government officials, journalists, businesspeople, activists, academics, and embassy workers,” said the United States State Department.
By Erin Viner
Positive Technologies of Russia and Computer Security Initiative Consultancy PTE LTD (COSEINC) from Singapore were also listed, said the US government statement, “based on a determination that they misuse and traffic cyber tools that are used to gain unauthorized access to information systems in ways that are contrary to the national security or foreign policy of the United States, threatening the privacy and security of individuals and organizations worldwide.”
Even though a State Department spokesperson said, “We are not taking action against countries or governments where these entities are located,” exports to the 4 companies will nevertheless be restricted due to new requirements for US suppliers to apply for sales licenses are likely be rejected.
“The Entity List is a tool used by the Department of Commerce Bureau of Industry and Security (BIS) to restrict the export, re-export, and in-country transfer of items subject to the Export Administration Regulations (EAR) to persons – individuals, organizations, and/or companies – reasonably believed to be involved, have been involved, or pose a significant risk to being or becoming involved, in activities contrary to the national security or foreign policy interests of the United States,” read a statement from the State Department, further explaining that the determination came “As part of its commitment to put human rights at the center of U.S. foreign policy, the Biden-Harris Administration is working to stop the proliferation and misuse of digital tools used for repression. This effort is aimed at improving citizens’ digital security, combating cyber threats, and mitigating unlawful surveillance.”
In addition to difficulty in obtaining technology information such as about computer vulnerabilities from US security researchers, there could be a far broader impact on the listed companies.
“Many companies choose to avoid doing business with listed entities completely in order to eliminate the risk of an inadvertent violation and the costs of conducting complex legal analyses,” former Assistant Secretary of Commerce for Export Administration during the Obama administration told Reuters.
Both the Israeli NSO and Candiru have faced prior allegations of selling hacking tools to authoritarian regimes.
NSO has repeatedly denied the charges, insisting that its products are sold exclusively to law enforcement and intelligence agencies, and that measures are implemented to curb violations.
Expressing “dismay” over the development since its technologies “support US national security interests and policies by preventing terrorism and crime,” an NSO spokesperson the company will “advocate for this decision to be reversed.” The appeal will include documentation of its “rigorous” compliance and human rights programs, “which already resulted in multiple terminations of contacts with government agencies that misused our products,” the spokesperson wrote in an emailed statement to Reuters.
The Israeli Defense Ministry, which grants export licenses to NSO, and the Ministry of Foreign Affairs have so far declined to comment on the matter.
There has also been no comment from the secretive Tel Aviv-based Candiru technology company, which sells surveillance and cyberespionage technology to governmental clients.
Meanwhile, Russia’s Positive Technologies cybersecurity firm has already been this year by Biden administration sanctions for providing support to Russian security services. A former US official familiar speaking to Reuters on condition of anonymity said the firm had helped establish computer infrastructure used in Russian cyberattacks on American organizations.
The company denies any wrongdoing and said the new development will not have any impact of trading.
Singapore’s COSEINC, which did not immediately respond to requests for comment, was founded by Thomas Lim. He sold his SyScan security conference to a sanctioned Chinese Qihoo 360 technology firm and is suspected of trying to sell hacking tools to the infamous Italian HackingTeam spyware vendor.
The Entity List for Malicious Cyber Activities was used extensively by the administration of former US President Donald Trump, notably against China’s Huawei telecom company.