US Adds Israel’s NSO Group To Entity List

The United States has placed export controls on a group of four companies, two of which are located in Israel, one in Russia and the other in Singapore.

The US Commerce Department on Wednesday announced that it has placed the four companies on its Entity List, which means that exports to them from US companies are now restricted.

Included in the four companies added to the Entity List is NSO Group, the Israeli surveillance specialist NSO Group, which has been at the centre of the furore surrounding its Pegasus spyware.

Entity list

“The Commerce Department’s Bureau of Industry and Security (BIS) has released a final rule adding four foreign companies to the Entity List for engaging in activities that are contrary to the national security or foreign policy interests of the United States,” said the US Commerice department.

It said that two firms from Israel are NSO Group and Candiru were added to the Entity List “based on evidence that these entities developed and supplied spyware to foreign governments that used these tools to maliciously target government officials, journalists, businesspeople, activists, academics, and embassy workers.”

“These tools have also enabled foreign governments to conduct transnational repression, which is the practice of authoritarian governments targeting dissidents, journalists and activists outside of their sovereign borders to silence dissent,” said the department. “Such practices threaten the rules-based international order.”

Meanwhile Russia-based Positive Technologies and Singapore-based Computer Security Initiative Consultancy were added to the Entity List based on a determination that “they traffic in cyber tools used to gain unauthorised access to information systems, threatening the privacy and security of individuals and organisations worldwide.”

Positive Technologies reportedly provided support to Russian security services.

“The United States is committed to aggressively using export controls to hold companies accountable that develop, traffic, or use technologies to conduct malicious activities that threaten the cybersecurity of members of civil society, dissidents, government officials, and organizations here and abroad,” said US Secretary of Commerce Gina M. Raimondo.

Being placed on the Entity List means the US can restrict the export, re-export, and in-country transfer of items, and any firms trading with them will need a licence from US authorities.

“Today’s action is a part of the Biden-Harris Administration’s efforts to put human rights at the center of US foreign policy, including by working to stem the proliferation of digital tools used for repression,” said the Commerce Department.

“This effort is aimed at improving citizens’ digital security, combatting cyber threats, and mitigating unlawful surveillance and follows a recent interim final rule released by the Commerce Department establishing controls on the export, reexport, or in-country transfer of certain items that can be used for malicious cyber activities.”

Pegasus spyware

Last month a very senior official in the French government met his Israeli counterpart, to discuss and resolve the fallout from NSO Group’s Pegasus spyware furore.

In September the investigative website Mediapart alleged that traces of Pegasus spyware had been found on the mobile phones of at least five current French cabinet ministers. It cited multiple anonymous sources and a confidential intelligence dossier as its source.

But matters ramped up in July this year, when the Pegasus Project alleged that NSO’s Pegasus spyware had been used “to facilitate human rights violations around the world on a massive scale.”

It allegedly uncovered evidence that revealed that the phone numbers for 14 heads of state, including French President Emmanuel Macron, Pakistan’s Imran Khan and South Africa’s Cyril Ramaphosa, as well as 600 government officials and politicians from 34 countries, had appeared in a leaked database at the heart of the investigative project.

NSO always said it only supplies to law enforcement and governments, but privacy campaigners in December last year said they had found multiple cases in which its spyware was deployed on the devices of dissidents or journalists.