The U.S. Commerce Department on Wednesday added four companies, including Israel-based spyware companies NSO Group and Candiru, to a list of entities engaging in “malicious cyber activities.”
The agency said the two companies were added to the list based on evidence that “these entities developed and supplied spyware to foreign governments that used these tools to maliciously target government officials, journalists, businesspeople, activists, academics, and embassy workers.”
“These tools have also enabled foreign governments to conduct transnational repression, which is the practice of authoritarian governments targeting dissidents, journalists, and activists outside of their sovereign borders to silence dissent,” the Commerce Department said.
Two other firms on the list include Singapore-based Computer Security Initiative Consultancy PTE. LTD. and Russia’s Positive Technologies, the latter of which was already sanctioned by the U.S. Department of the Treasury for allegedly providing support to Russian Intelligence Services in mounting cyberattacks against U.S. companies.
Both the companies have been added owing to their trafficking of weaponized software and exploits that were then used by state-sponsored hacking outfits to gain unauthorized access to corporate networks across the world.
Entity List, as the name implies, refers to a list of entities that have been found engaging in activities that are contrary to the national security or foreign policy interests of the U.S., necessitating they be subject to additional trade restrictions, which mandate other U.S. organizations to acquire a special license from the government to conduct business with the four companies.
The development follows twin revelations in July 2021 that unmasked NSO Group and Candiru as behind the exploitation of zero-day vulnerabilities in Apple iOS and Google Chrome web browser to eavesdrop and track the movements of individuals deemed of interest to their customers. NSO Group is the developer behind the infamous Pegasus spyware that’s capable of harvesting contacts, call histories, text messages, photos, and passwords stored in a phone without leaving a trace.
The designation also comes amid calls for a moratorium on the sale, use, and transfer of digital intrusive technologies until robust regulations are put in place and a legal framework requiring human rights due diligence is enforced upon private surveillance companies.
“The United States is committed to aggressively using export controls to hold companies accountable that develop, traffic, or use technologies to conduct malicious activities that threaten the cybersecurity of members of civil society, dissidents, government officials, and organizations here and abroad,” U.S. Secretary of Commerce Gina M. Raimondo said in a statement.