All is not well with the Israeli NSO Group, which developed the infamous Pegasus spyware used to hack phones. First of all, some four months after the revelations of the Pegasus Project, the US Department of Commerce’s Bureau of Industry and Security (BIS) on November 3 decided to blacklist the Israeli firm.
The Pegasus Project, in which Daraj was a partner, had revealed in detail how repressive governments use the NSO technology to target phones of journalists, activists, dissidents and diplomats in order to surveil them and silence any dissenting voices.
BIS added four foreign companies to its so-called Entity List for engaging in “malicious cyber activities.” However, located in Israel, Russia and Singapore, the most prominent of the four is the NSO Group. The other three are: Candiru (Israel), Positive Technologies (Russia), and Computer Security Initiative Consultancy (Singapore).
On November 16, Canada-based researchers presented new evidence indicating that spyware made by “Israel’s most mysterious cyberwarfare company,” as Candiru is known, was used to target critics of Saudi Arabia and other autocratic regimes, as well as London-based website Middle East Eye.
The Entity List restricts the export, re-export, and transfer of materials or programs deemed harmful to US national security or foreign policy. It is extremely rare for a US government to target a company in an allied country, especially an Israeli company.
A few days after being blacklisted, NSO Group’s problems further deepened when a US appeals court ruled that the firm is not protected under sovereign immunity laws. The firm has been sued in the US by WhatsApp over allegations it in 2019 sent malware to 1400 WhatsApp users over WhatsApp’s servers.
According to the American firm, some 100 of the individuals targeted were members of civil society, including journalists and activists. Several senior government officials around the world – some of whom US allies – were also targeted.
NSO argued it should be enjoy immunity as a “foreign agent” because its software was used by foreign governments. The US appeals court flatly rejected the argument
Journalism AwardThe blacklisting of the NSO Group highlights the importance of investigative journalism and cross-border cooperation. The Pegasus Project, which revealed in what ways Pegasus spyware was used, is a partnership of 17 media organizations in ten countries, coordinated by the Paris-based NGO Forbidden Stories, with technical assistance from Amnesty International’s Security Lab.
On October 14, Forbidden Stories won the 2021 Daphne Caruana Galizia Journalism Prize.
NSO Group and Candiru were added to the BIS Entity List based on evidence they sold spyware to governments, which was used it to target journalists, activists, academics and foreign embassy staff. This echoes almost literally what the Pegasus Project had exposed.
According to BIS, the technologies developed by the four firms, including NSO Group and Candiru, also enabled governments to target opponents outside their borders: “Such practices threaten the rules-based international order.”
US Secretary of Commerce Gina M. Raimondo released the following statement: “The United States is committed to aggressively using export controls to hold companies accountable that develop, traffic, or use technologies to conduct malicious activities that threaten the cybersecurity of members of civil society, dissidents, government officials, and organizations here and abroad.”
The NSO spyware targeted at least 50,000 people around the world. The leaked data showed that about 200 journalists, in addition to numerous human rights defenders, religious, political and military leaders, were targeted in countries such as: Lebanon, Iraq, India, Mexico, Hungary, Morocco, Saudi Arabia and the UAE.
There is no doubt that the US decision to blacklist NSO Group will hamper the firm’s present and future activities. Although it is not known to what extent the Israeli company uses American technology, it is officially no longer allowed to do so. Media reports have shown that NSO has used Amazon software. But the decision is bigger than the ban. It is a warning to everyone dealing with NSO.
Doing so will have a negative impact on one’s reputation. In addition, the decision will hinder the company’s attempts to rehabilitate its image, which is based on (false) claim that its technologies “help government agencies prevent and investigate terrorism and crime to save lives.” NSO said to deplore the BID decision.
“Because our technologies support the national security interests and policies of the US by preventing terrorism and crime, and therefore we call for this decision to be reversed.”