US sanctions NSO Group, others, for trafficking spyware and exploits

The US Department of Commerce this week announced it’s sanctioning four groups for their roles in spying on and otherwise maliciously targeting people like journalists and academics online. They include the controversial NSO Group and three other entities from Israel, Russia, and Singapore.

The Department of Commerce’s Bureau of Industry and Security (BIS) is updating its list of sanctioned entities with a document that it plans to fully publish on Thursday but that is viewable as a PDF now. It claims all four groups are engaged in activities “contrary to the national security or foreign policy interests of the United States.”

Most famous of these is the Israeli NSO Group. The BIS document specifically points it out for developing spyware it then supplied to governments to target people such as journalists, academics, embassy workers, and activists. The document names fellow Israeli group Candiru alongside NSO in those charges.

Last year it was reported that NSO was making spyware to track the spread of the Coronavirus. In September of this year, however, Apple had to issue a security update for all its operating systems to patch an exploit NSO’s software had been using since February to spy on people. NSO’s “Pegasus” spyware, a “zero-click exploit,” could penetrate an Apple device by simply sending a text without the device’s user doing anything. It could access things on an iPhone like the camera, microphone, or device settings.

The BIS document also names Russian group Positive Technologies and Singaporean group Computer Security Initiative Consultancy PTE. LTD. as entities that traffic cyber exploits. In 2017, Positive Technologies identified a massive security hole that affected Intel CPUs. The US Treasury Department previously sanctioned Positive Technologies for allegedly helping Russian intelligence services conduct cyber attacks against the US.

This means exports or in-country transfers of items related to these entities will require a license from the End-User Review Committee. Those licenses for sanctioned entities will fall under a “presumption of denial,” so they’ll automatically be denied except in special circumstances.

The US Department of Commerce recently banned sales of hacking software to the governments of “countries of concern.”