US Sanctions Could Cut Off NSO From Tech It Relies On

The U.S. government added NSO Group to a federal denylist that prohibits any American company or individual from selling or providing services to the controversial Israeli spyware seller.

On Wednesday, the Commerce Department’s Bureau of Industry and Security (BIS) published a list of companies subject to these restrictions, which includes NSO Group. 

“NSO Group and Candiru (Israel) were added to the Entity List based on evidence that these entities developed and supplied spyware to foreign governments that used these tools to maliciously target government officials, journalists, businesspeople, activists, academics, and embassy workers,” the Commerce Department wrote in a press release.

The list also includes another Israeli spyware seller, Candiru; a Singapore-based company that also sells hacking services, Computer Security Initiative Consultancy, better known as COSEINC; and Positive Technologies, a Russian company that had previously been accused and sanctioned by the Biden administration for helping Russian spies. 

“NSO Group is dismayed by the decision given that our technologies support US national security interests and policies by preventing terrorism and crime, and thus we will advocate for this decision to be reversed,” an NSO spokesperson told Motherboard in a text message. “We look forward to presenting the full information regarding how we have the world’s most rigorous compliance and human rights programs that are based the American values we deeply share, which already resulted in multiple terminations of contacts with government agencies that misused our products.”

The sanctions come after a series of investigations in the last few months that detailed multiple cases where NSO customers around the world allegedly used its spyware to target human rights activists, dissidents, journalists, and even heads of state. 

The sanctions effectively prohibit any U.S. company, as well as American citizens working in the U.S. from doing any business with NSO, including selling hardware and software. If anyone wants to do business with NSO Group from now on, they will have to apply for a license and get approval from the US government, according to Douglas Jacobson, an expert in sanctions and export law. 

According to documents published in the past, as well as news reports, NSO has in the past relied on products and services from several U.S. companies such as Amazon, Dell, Cisco, Intel, and Microsoft in order to deploy its spyware. This means that these sanctions may seriously hobble NSO’s regular operations. The documents are part of a contract between an NSO reseller and the government of Ghana highlighted during Facebook and WhatsApp’s lawsuit against NSO. The documents include technical specifications of hardware and software used by NSO’s Pegasus hacking system.

Jacobson, however, explained that the Commerce Department listed these companies under a “presumption of denial.”

“You have to overcome that presumption. And that is not an easy burden,” Jacobson, who is a lawyer at Jacobson Burton Kelley PLLC, told Motherboard in a phone call.

Jacobson explained that this applies to all kinds of software and hardware, such as licenses for Microsoft’s cloud service Office 365, or server racks made by U.S. companies. 

This sanction could also indirectly affect NSO’s business across the world. 

“It doesn't put a scarlet letter per se. But it definitely raises questions. And there it certainly raises red flags that some companies just may choose not to continue to sell,” Jacobson said.

This sanction does not prevent NSO from selling its spyware to U.S. law enforcement or intelligence agencies, Jacobson said. But it could be the first step that leads to wider sanctions against the company. 

Activists who for years have denounced abuse from NSO’s customers rejoiced at the news. 

“I very much welcome this news. For years we have been documenting extensive and serial abuses of mercenary spyware sold by companies like NSO Group and Candiru. For years, many people have debated how to mitigate these harms, with little concrete progress. I am and my colleagues have long argued that it must start with serious government regulation. The US Department of Commerce’s designation is a very positive first step to bringing some public accountability and order to this otherwise poorly regulated marketplace,” Ron Deibert, the founder and director of Citizen Lab, a research group housed at the Munk School of Global Affairs & Public Policy, University of Toronto, told Motherboard in an email “This designation should put companies like NSO and Candiru on notice that they cannot frivolously and repeatedly make sales to government clients that will routinely mis-use such powerful tools. Now it is time for other governments to follow suit.”

A Dell spokesperson told Motherboard that the company “received notice this morning of the Commerce Department’s new designations to the list.”

“We’re currently evaluating the impact to our business, and will take all actions necessary to ensure the company meets any applicable regulatory requirements,” the spokesperson said in an email.

An Intel spokesperson denied the company was part of the contract between an NSO reseller and the Ghana government. And he also said: “Intel complies with U.S. export restrictions, including the requirements of the Bureau of Industry and Security’s Entity List.”

Cristin Goodwin, the general manager for Microsoft’s Digital Security Unit said in an email that “This rule is a strong step toward addressing the danger these actors pose, and we encourage other countries to adopt similar policies.”

“We’ve taken both legal and technical steps to disrupt these actors in the past, and we will work hard to look for any instances these groups attempt to use our services and comply with the rule,” he added.

Amazon and Cisco did not immediately respond to a request for comment. 

This story has been updated to include comment from NSO, Dell, Intel and Microsoft.

Joseph Cox contributed reporting. 

Subscribe to our cybersecurity podcast, CYBER. Subscribe to our new Twitch channel.