The US Commerce Department announced on Wednesday that it has added the cyber offense firms NSO Group and Candiru to its blacklist for engaging in “activities that are contrary to the national security or foreign policy interests of the United States.”
At the same time, France and Israel seemed to move on from tensions over the alleged targeting of French President Emmanuel Macron’s phone using NSO’s Pegasus software, with a planned ministerial-level bilateral meeting this week.
Four companies were added to the blacklist: NSO Group and Candiru of Israel, Positive Technologies of Russia, and Computer Security Initiative Consultancy PTE Ltd. from Singapore, the department said in a statement.
The US State Department said the companies trafficked in cyber tools used to gain unauthorized access to computer networks – though it later added that it will not sanction NSO in any way, despite it being on the blacklist, and will not take any actions against any of the companies’ host governments.
The companies’ addition to the list, for engaging in activities contrary to US national security or foreign policy interests, means that exports to them from their US counterparts are restricted. For example, this makes it far harder for US security researchers to sell them information about computer vulnerabilities.
However, from a purely economic perspective, it is more of a public relations problem, since NSO does not do any business in the US.
In July, news outlets across the world reported on a leaked list of about 50,000 phone numbers, which they claimed were targets of NSO’s Pegasus software, used to hack into phones.
“NSO regrets the decision, since its technologies do indeed support the US’s national interests and policies by preventing terror and crime, and accordingly we will act in order to reverse the decision,” the company said in response.
NSO said that it was looking forward to presenting information that “makes clear that we have the most strict guidelines in the world and plans to advance human rights, which are based on American values that we deeply relate to – which have already caused us to end our engagements with governmental agencies that used our products inappropriately.”
Candiru has a lower public profile than NSO and had not issued a response at press time.
Amnesty International responded to the decision, saying, “With this move, the US government has acknowledged what Amnesty and other activists have been saying for years: NSO Group’s spyware is a tool of repression, which has been used around the world to violate human rights. This decision sends a strong message to NSO Group that it can no longer profit from human rights abuses without repercussions.
“This is also a day of reckoning for NSO Group’s investors – will they continue to bankroll a company whose technology has been used to systematically violate human rights?” Amnesty asked.
Broadening its comments beyond NSO, Amnesty said, “The threats posed by surveillance technology are bigger than one company. This dangerous industry is out of control, and this must spell the end of the impunity spyware companies have so far enjoyed. We need an immediate global moratorium on the export, sale, transfer and use of surveillance technology until there is a human rights-compliant regulatory framework in place.”
Gil Naveh, spokesperson for Amnesty International Israel, added: “This decision shows the complete and utter failure of Israeli systems of oversight and accountability. Both the Israeli Defense Ministry and Israeli courts did not properly do their job of preventing human rights violations with the use of Israeli security exports.
“We call for the Israeli Defense Ministry to immediately halt all of NSO’s activity, and for the Israeli systems to hold accountable all of those who were responsible for this outrageous negligence,” he said.
MK Mossi Raz (Meretz) responded, stating: “The US’s decision regarding NSO was a matter of time. This company not only embarrasses us around the world and not only entangles Israel in political turmoil, but its actions are also dangerous and harmful, and Israel should not sponsor them.
“I intend to turn to the defense minister and prime minister and demand that they act against NSO as soon as possible,” he said.
DESPITE THE condemnations of NSO and some lost clients and investor momentum, the company, or at least the Israeli government, seems to have somewhat survived much of the disastrous public attention it received in July.
After a wave of critical stories hit NSO and Israel, Prime Minister Naftali Bennett established an inquiry into the cyber firm run by a mix of the Defense Ministry, the Mossad, the National Security Council, the Foreign Ministry and others.
Macron demanded explanations from Israel at the time, and Defense Minister Benny Gantz traveled to Paris to clarify that the French president was not being spied on. In the meantime, Macron prohibited his cabinet members from meeting with Israeli ministers.
Bennett and Macron met at the UN Climate Change Conference in Glasgow on Monday, and the Israeli prime minister promised to be more transparent on the matter. The leaders said they would move forward with close cooperation between their countries.
The first indication that the countries’ relations are thawing is Science and Technology Minister Orit Farkash-Hacohen’s trip to Paris this week. The minister held meetings in the OECD offices on Wednesday, but she plans to meet her French counterpart on Thursday, in what will be the first such bilateral meeting since Macron banned them.
NSO also seems intent on a rebranding campaign, with its founding CEO, Shalev Hulio, making a lateral move to become vice chairman of the company’s board and global president.
Though details are somewhat hazy, the idea seems to be to make former Partner Communications CEO Isaac Benbenisti the new face of the company. Hulio will focus on drumming up business in new cellphone and cyber areas, while likely remaining in control of significant aspects of the company behind the scenes.
THE JULY reports themselves came from the Pegasus project, a group of 17 media organizations that was provided with information from a mix of Amnesty, the University of Toronto’s Citizen Lab and Forbidden Stories.
According to the reports, NSO’s Pegasus hacking malware was found on 37 of the 65 cellphones that were checked, out of a list of more than 50,000 cellphones that were targeted.
Among 1,000 numbers from the list were at least 65 business executives, 85 human rights activists, 189 journalists, several Arab royal family members and more than 600 politicians and government officials — including cabinet ministers, diplomats and security officers.
Top officials whose cellphones appear on the list included Macron, Iraqi President Barham Salih, South African President Cyril Ramaphosa and leaders from Pakistan, Egypt and Morocco.
Countries reportedly accused of abusing NSO technologies included Hungary, India, Mexico, Saudi Arabia, the UAE, Bahrain and Morocco.
NSO itself admitted that it had cut off at least five governmental clients that abused its technology to go after exactly the kinds of people who are on the above list – even if they are not those same people.
An NSO source reportedly leaked to NPR that as a result of the current crisis, the company specifically ended its contracts with the Saudis and the UAE.
However, a deeper investigation by The Jerusalem Post found that there was very little concrete information in these reports to grab on to. Most of what was reported in July did not break new ground so much as add color to years of prior reports that some of NSO’s clients have abused Pegasus.
Some outlets directly involved with breaking the NSO story have admitted that they do not know who provided the 50,000-number list and cannot vouch for its credibility, aside from the 37 cellphones where malware was found.
As questions grew about the list, Amnesty gave two messages: that not all of the numbers are from NSO, and that the numbers are from NSO clients showing whom such clients might go after.
The list of 50,000 cellphones was itself always problematic to close observers, given that each NSO client is usually limited to a dozen or a few dozen targets, and the company has only around 60 clients.