The Department of Commerce declared on Wednesday that the designation of both firms was “based on evidence that these entities developed and supplied spyware to foreign governments that used these tools to maliciously target government officials, journalists, businesspeople, artists, activists, academics, and embassy workers.”
The agency also claimed NSO and Candiru’s products had “enabled foreign governments to conduct transnational repression, which is the practice of authoritarian governments targeting dissidents, journalists and activists outside of their sovereign borders to silence dissent.”
“Such practices threaten the rules-based international order,” the Commerce Department concluded, trotting out one of its most notorious catchphrases.
NSO’s star product, the military-grade encryption-breaker Pegasus, has been deployed extensively around the world and was recently revealed to have been used to hack into smartphones belonging to 37 persons of interest — journalists, human rights activists, and others — last year alone.
Pegasus has the ability to turn the user’s smartphone into an audiovisual bug with just a click. The target is sent a bogus link and, upon opening it, the microphone and camera function become controllable by the remote hacker – all without knowledge of the user.
However, digital rights group CitizenLab discovered earlier this year that the software was also capable of exploiting a vulnerability built into all iPhones that did not require a single click on the part of the target.
While the company insists it only sells its spyware to nations looking to fight “terrorism” and “serious crime,” it also only sells to nations approved by the Israeli government.
Currently, a list of governments accused of using the malware includes Azerbaijan, Bahrain, Hungary, India, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, and the United Arab Emirates – along with Israel itself.
Another report suggested as many as 52,000 names had been marked as potential surveillance targets, though only a tenth of the targets had supposedly been surveilled.
In addition to NSO and the Tel-Aviv-based Candiru –which somewhat disturbingly shares its name with a parasitic catfish – the US Commerce Department also added Russian firm Positive Technologies and Singapore’s Computer Security Initiative Consultancy to the entity list, declaring that both trafficked in “cyber tools” used to gain “unauthorized access to computer systems.”