3rd Party Risk Management , Governance & Risk Management , Privacy
US Commerce Department Blacklists Israeli Spyware FirmsDepartment Adds 4 Companies to Entity List for 'Malicious Cyber Activities'
The U.S. Department of Commerce has added four companies to its Entity List for allegedly engaging in activities "contrary to the national security or foreign policy interests of the U.S." Two Israeli companies - NSO Group and Candiru - were cited for allegedly supplying spyware to foreign governments to target officials, journalists, activists, academics, embassy workers and others.
The action - a final rule from the Commerce Department's Bureau of Industry and Security, or BIS - also names Russia-based Positive Technologies and Singapore-based Computer Security Initiative Consultancy PTE. LTD. The department alleges in a statement that the four companies were added after a determination that they "traffic in cyber tools used to gain unauthorized access to information systems, threatening the privacy and security of individuals and organizations worldwide."
In a parallel statement from the U.S. Department of State, officials confirm, "We are not taking action against countries or governments where these entities are located." It remains to be seen, however, how the action will be perceived by new Israeli Prime Minister Naftali Bennett.
According to The Washington Post, Israeli officials were notified just one hour before the U.S. effectively blacklisted NSO Group and Candiru.
And according to Reuters, citing an Israeli official, Bennett has reportedly discussed the Israeli spyware use with French President Emmanuel Macron, reportedly noting the continued investigation would be handled "discreetly and professionally."
U.S. Department of Commerce officials say in a statement, "[This] action is part of the Biden-Harris administration's efforts to put human rights at the center of U.S. foreign policy, including by working to stem the proliferation of digital tools used for repression."
Bill Lawrence, a former cybersecurity instructor at the U.S. Naval Academy and currently CISO with the firm SecurityGate, says, "Here, the U.S. is on the side of the angels - relief organizations, dissidents, refugees and more - that have been targeted and persecuted using information gained by authoritarian governments. Economic measures can be effective against these groups, although the effort can seem like hitting puddles with sledgehammers. … Still, this is a good thing."
Conducting 'Transnational Repression'
Spyware tools from NSO Group and Candiru, the Department of Commerce says, have allegedly "enabled foreign governments to conduct transnational repression," or the practice of authoritarian governments targeting high-profile individuals outside their borders to quell dissent. The department says "such practices threaten the rules-based international order."
Placement on the Entity List follows a conduct review from a committee chaired by the Department of Commerce, and including the departments of State, Energy and Treasury.
Those on the Entity List cannot purchase U.S. technologies or goods without a license provided by the Department of Commerce.
The additions follow an interim final rule published by the Department of Commerce last month establishing controls around certain offensive hacking products. That rule, officials at the U.S. Department of State say, implements decisions taken by the Wassenaar Arrangement - a multistate export control regime charged with preserving international security via the transfer of both arms and technologies.
"This effort is aimed at improving citizens' digital security, combating cyberthreats, and mitigating unlawful surveillance," Department of Commerce officials say in their statement.
NSO: Front and Center
The action against NSO Group follows a string of activity that has kept it in the headlines. WhatsApp previously accused NSO Group of using its platform to target some 1,400 officials in nearly two dozen countries, The New York Times reported. According to the same outlet, in September, Apple issued emergency updates for its products after discovering a vulnerability that kept them susceptible to NSO Group spyware.
Reporting from The Guardian in July linked NSO Group's Pegasus spyware to a list of 50,000 high-profile individuals possibly targeted since 2016 - and at the hands of foreign governments.
NSO Group did not immediately respond to Information Security Media Group's request for comment.
A spokesperson told The Hill, however, "NSO Group is dismayed by the decision given that our technologies support U.S. national security interests and policies by preventing terrorism and crime, and thus we will advocate for this decision to be reversed."
Jake Williams, a former member of the National Security Agency's elite hacking team and co-founder and CTO of the firm BreachQuest, tells ISMG: "It isn't just the targeting of these individuals that got NSO in hot water, it's that entities unfriendly to the U.S. used NSO tools to target friendly journalists, activists, etc. That's never a winning business plan."
This week, NSO Group's co-founder and CEO, Shalev Hulio, stepped down from the role and was replaced by the company's co-president, Itzik Benbenisti, according to Israeli newspaper Haaretz. Hulio, however, will remain with the company as vice chairman of its board, and president, the report says. The move comes as the company is reportedly planning an initial public offering.
Citizen Lab at the University of Toronto in Ontario, Canada, which studies network surveillance and content filtering, found in July that Candiru's spyware allowed victims to be targeted around the world, particularly by exploiting privilege escalation vulnerabilities. Microsoft subsequently acted to disrupt the operation.
Cristin Goodwin, general manager of Microsoft's Digital Security Unit, wrote at the time: "The weapons disabled were being used in precision attacks targeting more than 100 victims around the world." She said Microsoft built protections into its products, shared them with the security community and issued a software update to protect Windows customers from exploits by Sourgum - a group linked to Candiru.