Commerce Dept sanctions NSO Group, Positive Technologies and more for selling spyware and hacking tools

The US Commerce Department has sanctioned four cybersecurity companies for allegedly selling spyware and other hacking tools to repressive foreign governments. 

The department’s Bureau of Industry and Security added Israeli companies NSO Group and Candiru as well as Russia-based Positive Technologies and Singapore-based Computer Security Initiative Consultancy (COSEINC) to the Entity List “for engaging in activities that are contrary to the national security or foreign policy interests of the United States.”

The US said NSO Group and Candiru were added to the list because officials had found “evidence that these entities developed and supplied spyware to foreign governments that used these tools to maliciously target government officials, journalists, businesspeople, activists, academics, and embassy workers.” 

The Commerce Department noted that the governments given these tools repressed a number of people in other countries beyond their borders, explaining that some authoritarian governments target “dissidents, journalists and activists outside of their sovereign borders to silence dissent.”

Positive Technologies and Computer Security Initiative Consultancy are accused of trafficking “in cyber tools used to gain unauthorized access to information systems, threatening the privacy and security of individuals and organizations worldwide.”

“The United States is committed to aggressively using export controls to hold companies accountable that develop, traffic, or use technologies to conduct malicious activities that threaten the cybersecurity of members of civil society, dissidents, government officials, and organizations here and abroad,” said US Secretary of Commerce Gina Raimondo.  

The ruling was made in coordination with the Defense Department, the State Department, the Treasury Department and the Energy Department

Officials said the Entity List restricts the “export, reexport, and in-country transfer of items subject to the EAR to persons (individuals, organizations, companies) reasonably believed to be involved, have been involved, or pose a significant risk of being or becoming involved, in activities contrary to the national security or foreign policy interests of the United States.”

There will be no license exceptions are available for exports, reexports, or transfers in-country to the entities being added to the Entity List, the Commerce Department added. 

The NSO Group has become infamous for its involvement in a series of global scandals earlier this year involving their Pegasus spyware. Citizen Lab and dozens of researchers revealed that the spyware was being used widely by cybercriminals, dictators and others to spy on prime ministers, diplomats, journalists and human rights activists. One dictator even used it to spy on his ex-wife and her lawyers. 

The company denied the allegations in a statement to The New York Times, claiming its “technologies support US national security interests and policies by preventing terrorism and crime, and thus we will advocate for this decision to be reversed.”

Positive Technologies has long been accused of providing hacking tools and support to the intelligence arm of the Russian government. The $1 billion-dollar cybersecurity company was sanctioned in April by the Treasury Department for providing computer network security solutions to the FSB and GRU as well as Russian businesses, foreign governments and international companies. The company even hosts “large-scale conventions that are used as recruiting events for the FSB and GRU.” 

Despite its ties to Russian Intelligence, the company nearly went public this year and was valued at $2.5 billion thanks to ties to Samsung, Microsoft and IBM, according to Forbes. 

Haaretz reported in 2019 that the secretive Candiru specialized in hacking computers and servers. The news outlet said Isaac Zack founded the company and was also involved in the founding of the NSO Group. Both Microsoft and Citizen Lab published reports in July on DevilsTongue, a spyware created by Candiru. 

According to The Record, the Computer Security Initiative Consultancy has ties to Pwn0rama, an exploit acquisition program. 

“This effort is aimed at improving citizens’ digital security, combatting cyber threats, and mitigating unlawful surveillance and follows a recent interim final rule released by the Commerce Department establishing controls on the export, reexport, or in-country transfer of certain items that can be used for malicious cyber activities,” the Commerce Department said in a statement. 

BreachQuest CTO Jake Williams told ZDNet that each of the additions to the Entity List are interesting in its own right, but the most significant in his eyes was NSO Group. 

While NSO tried to spin its software as being used for legitimate purposes, it’s clear that it has been used repeatedly to target journalists, activists, and government officials, Williams explained. 

“It isn’t just the targeting of these individuals that got NSO in hot water, it’s that entities unfriendly to the US used NSO tools to target friendly journalists, activists, etc. That’s never a winning business plan,” Williams said, adding that the COSEINC and Positive Technologies “are perhaps more academically interesting.”

“While Positive Technologies (a Russian company) isn’t a surprise to see on this list, COSEINC (a Singapore company) is. COSEINC has largely flown under the public radar before today, though prior reporting from Joseph Cox of Motherboard/VICE identified the firm as a zero-day vendor in 2018. It appears likely that COSEINC was found to be selling exploits or collaborating with foreign intelligence organizations or cybercriminals to have gained such a designation on the Entity List.”

Oliver Tavakoli, CTO at Vectra, said the sanctions are “mostly represent a speed bump for these companies” considering the murky business of supplying offensive cyber capabilities to governments across the world invariably leads these companies to make judgments on what constitutes “appropriate use” of the technologies and whether their clients can be trusted to honor the spirit of constraints — often expressed in vague terms referring to “threats” and “security” — written into contracts.

“It’s pretty clear that most governments ignore those constraints and do what they believe to be in the self-interest of the government and its current leader, though the companies can then claim plausible deniability,” Tavakoli said.