Israeli Malware Merchants NSO Group, Candiru Added To Commerce Department Export Blacklist

from the unwelcome-to-the-party,-pals dept

A couple of Israeli spyware purveyors have finally gotten themselves disinvited from the good graces of the federal government of the United States. The Commerce Department’s Bureau of Industry and Security has amended its export regulations to hand NSO Group and the more mysterious Candiru a “presumption of denial,” meaning they’ll have to prove they’re trustworthy again before US entities will be able to do business with them.

The new rules also make it more difficult for NSO and Candiru to sell their products using middlemen who aren’t affected by the regulations.

In addition, the ERC [End-User Review Committee] also determined that no license exceptions should be available for exports, reexports, or transfers (in-country) to the persons being added to the Entity List in this rule.

NSO and Candiru weren’t the only ones affected by this amendment, but they’re the most notable recipients of the export controls.

The ERC determined that NSO Group and Candiru be added to the Entity List based on § 744.11(b) of the EAR: Entities for which there is reasonable cause to believe, based on specific and articulated facts, that the entity has been involved, is involved, or poses a significant risk of being or becoming involved in activities that are contrary to the national security or foreign policy interests of the United States and those acting on behalf of such entities. Specifically, investigative information has shown that the Israeli companies NSO Group and Candiru developed and supplied spyware to foreign governments that used this tool to maliciously target government officials, journalists, businesspeople, activists, academics, and embassy workers.

Also added to the blacklist were two other malware purveyors located in countries the United States has a much frostier relationship with.

The ERC determined that Positive Technologies, located in Russia, and Computer Security Initiative Consultancy PTE. LTD., located in Singapore, be added to the Entity List based on their engagement in activities counter to U.S. national security. Specifically, these entities traffic in cyber exploits used to gain access to information systems, threatening the privacy and security of individuals and organizations worldwide.

US companies and agencies will now have to approach the Commerce Department and ask for permission to purchase exploits from these companies, with the presumption being that their requests will be denied. This effectively shutters a large and presumably profitable market for these companies. It also prevents US-based exploit developers from selling their discoveries to any of the affected companies. And it’s just another reputational hit for NSO Group, which has been remarkably resilient, considering its now fighting a PR battle on multiple fronts while being dragged down by its long, sordid past.

That hasn’t stopped it from complaining that this blacklisting is unfair. Here’s the statement it gave to The Record after the publication of the export regulation amendment.

NSO Group is dismayed by the decision given that our technologies support US national security interests and policies by preventing terrorism and crime, and thus we will advocate for this decision to be reversed.

We look forward to presenting the full information regarding how we have the world’s most rigorous compliance and human rights programs that are based the American values we deeply share, which already resulted in multiple terminations of contacts with government agencies that misused our products.

That is hilarious. It will be fun seeing how NSO proves it has the “world’s most rigorous compliance and human rights program” after it has been observed selling its products to countries with dismal human rights records. Combine that statement with its defense that it has no “visibility” into how its customers use its products and it’s pretty clear the “rigorous compliance program” NSO claims to have is about 50% delayed reaction and 50% bullshit.

Filed Under: , , , ,
Companies: candiru, nso group

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Israeli Malware Merchants NSO Group, Candiru Added To Commerce Department Export Blacklist”

Subscribe: RSS Leave a comment
7 Comments
ECA (profile) says:

Umm, ok, yea.

"involved in activities that are contrary to the national security or foreign policy interests of the United States and those acting on behalf of such entities. "

REALLY?
Arnt we the ones that hacked a few other countries ability to process Radioactive materials?
Did the USA gov. do anything to protect and discourage Corps from sharing our data with NO ramifications beyond the fines and fee’s?

Anonymous Coward says:

Re: Umm, ok, yea.

The only use to ANY punishment, for issues such as this, is "décourager les autres".

Your comment is very strange. You’re not even complaining that the fines weren’t ruinous. ("… no ramifications beyond fines and fees") You’re complaining that you didn’t get to see blood run in the streets. Or imprisonment of a corporation, or like that.

And best, you’re reacting. To misuse a quote, "The producer’s purpose is to suggest some possible explanations, but not necessarily the only ones, to the mysteries we will examine." Feel free to show the specific instances where specific laws would have completely prevented the problem you’re trying to solve. Anything less than that is "Something must be done. This is something. It must be done."

ECA (profile) says:

Re: Re: Umm, ok, yea.

you are trying to talk about 1 country trying to control others.
The only power the USA has is NOT intervention.
The only control 1 nation has over another is SQUAT.
What international law would you recommend?
The only recourse is NATO.

But, What course does the company have? NONE. it will take nothing to hack their program and take any remote control OUT of it.

THEN, since the use of Social security, there has been a regulation that, the USE of the SS# is not for identification use by Any one, except your work and the bank and the Gov.
NO personal protections have been enforced in the last 30+ years. Including the Credit agencies Loosing millions of Identifiable data ot the internet, because they hadnt updated security in over 5 years?? Ok.

Eldakka (profile) says:

And it’s just another reputational hit for NSO Group, which has been remarkably resilient, considering its now fighting a PR battle on multiple fronts while being dragged down by its long, sordid past.

And in more bad news for them (good for us), the Whatsapp (Facebook) suit against NSO is being allowed to go forward: Legal woes mount for NSO after court rules WhatsApp lawsuit can proceed.

Add Your Comment

Your email address will not be published.

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...
Loading...