The NSO Group is an Israel-based security firm dealing in hacking tools that law enforcement agencies use to hack smartphones. The company came under fire earlier this year. Security researchers found that attackers used the Pegasus family of hacking programs to target individuals. The Pegasus hack allowed nation-states to spy on iPhones without user knowledge via sophisticated attacks that leave no trace. A New York Times journalist recently detailed his experience with the hack. He explained that he had no way of knowing who hacked him or what they had stolen. All he knew was that they got into his iPhone. The NSO Group denied the reports every step of the way.
NSO’s denials apparently weren’t enough to convince the US government, though. The US has now placed the Israeli company on the infamous entity list. As a result, the NSO Group can’t do any business with American companies, whether on the hardware or software side.
The US ban
The US announced on Wednesday that it added four companies to the entity list, including NSO Group. Israeli surveillance company Candiru is also on the list. Russia’s Positive Technologies and Singapore’s Computer Security Initiative Consultancy are the others. Both trafficked in hacking tools that threaten “the privacy and security of individuals and organizations worldwide.”
The Commerce Department said the new additions to the entity list are part of the Biden administration’s “efforts to put human rights at the center of US foreign policy, including by working to stem the proliferation of digital tools used for repression.” Here’s the part that concerns the NSO Group:
NSO Group and Candiru (Israel) were added to the Entity List based on evidence that these entities developed and supplied spyware to foreign governments that used these tools to maliciously target government officials, journalists, businesspeople, activists, academics, and embassy workers. These tools have also enabled foreign governments to conduct transnational repression, which is the practice of authoritarian governments targeting dissidents, journalists and activists outside of their sovereign borders to silence dissent. Such practices threaten the rules-based international order.
The NSO Group protested the decision. The company is “dismayed by the decision given that our technologies support US national security interests and policies by preventing terrorism and crime, and thus we will advocate for this decision to be reversed,” according to a statement. “We look forward to presenting the full information regarding how we have the world’s most rigorous compliance and human rights programs that are based on the American values we deeply share, which already resulted in multiple terminations of contracts with government agencies that misused our products.”
No longer business as usual
The US routinely adds companies to the entity list, with Huawei being a prominent example in recent years. But The Washington Post remarks that it’s rare for the US to target companies from allied countries like Israel. The report also points out that NSO’s addition is one of the first times the US government has cited cyber-surveillance as the reason for the ban.
Being on the entity list makes it impossible for NSO to conduct business with US companies. That might include companies like Amazon and Microsoft that can provide cloud computing services to the Israeli company, or security researchers who might work on the kind of exploits that NSO packages in its iPhone hacking tools.
NSO Group’s iPhone hacking tools are notorious
According to The Post, dozens of articles from the Pegasus Project consortium detailed the sophisticated iPhone hacking tools under the Pegasus umbrella earlier this year. The Post and 16 other news organizations partnered on the effort.
The NSO Group has consistently denied that its customers abused the hacking tools. But the reports showed that military and intelligence customers in more than 40 countries did exactly that. They used the Pegasus hacks to target journalists, politicians, and human rights activists.
Some of the older Pegasus hacks involved messages that contained links to malicious sites. When the user clicked the link, the iPhone would be hacked. The newest Pegasus attacks, discovered in 2020 and 2021, involve a so-called “zero-click” exploit that requires no user interaction. Apple patched the security vulnerability that allowed the hack.
The NYT reporter said that he reverted to a US phone number to hopefully skirt similar hacks, as the NSO Group has avoided hacking US numbers to prevent such incidents. However, The Post explains that the US number of at least one American diplomat was on a list of numbers that served as a source for the Pegasus Project investigation. The foreign numbers of other US government employees were on the list.