As part of its continued effort to put pressure on foreign companies that sell spyware and offensive tools, the Biden administration has added four organizations, including NSO Group and Positive Technologies, to the Department of Commerce’s Entity List, barring American companies and individuals from doing business with them.
The action against NSO Group, Positive Technologies, Candiru, and Computer Security Initiative Consultancy (COSEINC) is based on “evidence that these entities developed and supplied spyware to foreign governments that used these tools to maliciously target government officials, journalists, businesspeople, activists, academics, and embassy workers”, the Commerce Department said in a statement Wednesday. NSO Group and Candiru are Israeli companies, Positive is based in Russia, and COSEINC is based in Singapore.
Adding these four companies to the Entity List means that any U.S. company or individual who wants to export software or hardware to one of them has to apply for a license from the Bureau of Industry and Security. Those licenses will not be forthcoming.
“BIS imposes a license review policy of a presumption of denial for these entities,” the statement says.
This move by the Biden administration is a direct action against companies that the U.S. government believes are selling tools that target activists, journalists, diplomats, and members of civil society. The most prominent of these companies is NSO Group, whose Pegasus tool has been found on devices belonging to journalists and activists in countries around the world. Security researchers and civil society organizations have exposed a number of NSO Group’s customers’ operations and detailed the techniques used to implant Pegasus on targets’ devices. Candiru sells similar tools and claims to only sell to government agencies.
“The United States is committed to aggressively using export controls to hold companies accountable that develop, traffic, or use technologies to conduct malicious activities."
The addition of two Israeli companies to the Entity List is something of a surprise, given that the U.S. and Israel are typically allies. But the visibility of NSO Group’s operations in particular in the last few months has drawn a tremendous amount of attention from governments in several countries.
“The United States is committed to aggressively using export controls to hold companies accountable that develop, traffic, or use technologies to conduct malicious activities that threaten the cybersecurity of members of civil society, dissidents, government officials, and organizations here and abroad,” said Secretary of Commerce Gina Raimondo.
Positive Technologies and COSEINC both provide a variety of security services, including vulnerability research and penetration testing. The Commerce Department said those two companies were added to the Entity List because “they traffic in cyber tools used to gain unauthorized access to information systems, threatening the privacy and security of individuals and organizations worldwide”.
Late last month, the Commerce Department issued an interim final rule that restricts the export of surveillance and intrusion tools, another method for preventing U.S. companies and individuals from selling exploits and other tools to designated entities. That rule would restrict the sale of specific tools to customers in “countries of concern for national security reasons or those subject to an arms embargo”.