On Wednesday, the U.S. Commerce Department announced the addition of four companies, including two Israeli spyware firms—NSO Group and Candiru—to its list of foreign entities implicated in “malicious cyber activities.” This designation follows findings that both companies provided spyware to foreign governments, which in turn have targeted officials, journalists, business professionals, activists, academics, and diplomats.
The Commerce Department’s statement highlighted that these spyware tools have facilitated transnational repression, a strategy employed by authoritarian regimes to pursue dissenters and critics beyond their borders. Such actions raise significant concerns about the implications for privacy and human rights on a global scale. The Department outlined that this move is part of a broader commitment to counter technology misuse that threatens cybersecurity.
Along with NSO Group and Candiru, the list includes Singapore-based Computer Security Initiative Consultancy PTE. LTD and Russia’s Positive Technologies. The latter has previously faced sanctions from the U.S. Treasury for allegedly providing vital support to Russian intelligence services in cyberattack operations aimed at American companies. All these firms have been linked to the distribution of weaponized software that enables state-sponsored hacking groups to infiltrate corporate networks globally.
The Entity List serves as a regulatory measure enforcing trade restrictions on foreign entities deemed a threat to U.S. national security. These restrictions require U.S. companies to secure special government licenses before engaging in business with the listed entities, a move aimed at minimizing the risk of sensitive technologies falling into the wrong hands.
This announcement follows revelations from July 2021, exposing NSO Group and Candiru for exploiting critical vulnerabilities in Apple iOS and Google Chrome. These vulnerabilities have been utilized to monitor and track the activities of individuals identified as targets by customers. NSO Group, known for its development of the notorious Pegasus spyware, has capabilities ranging from accessing contacts and call logs to collecting messages and passwords without detection.
The recent actions coincide with increasing calls for a moratorium on the sale and use of intrusive digital surveillance technologies, demanding regulations that enforce human rights standards on private surveillance firms. U.S. Secretary of Commerce Gina M. Raimondo emphasized the United States’ commitment to using export controls to ensure accountability for companies that engage in malicious cyber activities affecting civil society and government officials both domestically and internationally.
