Israeli Malware Merchants NSO Group, Candiru Added To Commerce Department Export Blacklist
from the unwelcome-to-the-party,-pals dept
A couple of Israeli spyware purveyors have finally gotten themselves disinvited from the good graces of the federal government of the United States. The Commerce Department’s Bureau of Industry and Security has amended its export regulations to hand NSO Group and the more mysterious Candiru a “presumption of denial,” meaning they’ll have to prove they’re trustworthy again before US entities will be able to do business with them.
The new rules also make it more difficult for NSO and Candiru to sell their products using middlemen who aren’t affected by the regulations.
“In addition, the ERC [End-User Review Committee] also determined that no license exceptions should be available for exports, reexports, or transfers (in-country) to the persons being added to the Entity List in this rule.”
NSO and Candiru weren’t the only ones affected by this amendment, but they’re the most notable recipients of the export controls.
“The ERC determined that NSO Group and Candiru be added to the Entity List based on § 744.11(b) of the EAR: Entities for which there is reasonable cause to believe, based on specific and articulated facts, that the entity has been involved, is involved, or poses a significant risk of being or becoming involved in activities that are contrary to the national security or foreign policy interests of the United States and those acting on behalf of such entities. Specifically, investigative information has shown that the Israeli companies NSO Group and Candiru developed and supplied spyware to foreign governments that used this tool to maliciously target government officials, journalists, businesspeople, activists, academics, and embassy workers.”
Also added to the blacklist were two other malware purveyors located in countries the United States has a much frostier relationship with.
“The ERC determined that Positive Technologies, located in Russia, and Computer Security Initiative Consultancy PTE. LTD., located in Singapore, be added to the Entity List based on their engagement in activities counter to U.S. national security. Specifically, these entities traffic in cyber exploits used to gain access to information systems, threatening the privacy and security of individuals and organizations worldwide.”
US companies and agencies will now have to approach the Commerce Department and ask for permission to purchase exploits from these companies, with the presumption being that their requests will be denied. This effectively shutters a large and presumably profitable market for these companies. It also prevents US-based exploit developers from selling their discoveries to any of the affected companies. And it’s just another reputational hit for NSO Group, which has been remarkably resilient, considering it’s now fighting a PR battle on multiple fronts while being dragged down by its long, sordid past.
That hasn’t stopped it from complaining that this blacklisting is unfair. Here’s the statement it gave to The Record after the publication of the export regulation amendment.
“NSO Group is dismayed by the decision given that our technologies support US national security interests and policies by preventing terrorism and crime, and thus we will advocate for this decision to be reversed.
“We look forward to presenting the full information regarding how we have the world’s most rigorous compliance and human rights programs that are based on the American values we deeply share, which already resulted in multiple terminations of contacts with government agencies that misused our products.”
That is hilarious. It will be fun seeing how NSO proves it has the “world’s most rigorous compliance and human rights program” after it has been observed selling its products to countries with dismal human rights records. Combine that statement with its defense that it has no “visibility” into how its customers use its products and it’s pretty clear the “rigorous compliance program” NSO claims to have is about 50% delayed reaction and 50% bullshit.