The U.S. government added NSO Group to a federal denylist that prohibits any American company or individual from selling or providing services to the controversial Israeli spyware seller.
On Wednesday, the Commerce Department’s Bureau of Industry and Security (BIS) published a list of companies subject to these restrictions, which includes NSO Group.
The list also includes another Israeli spyware seller, Candiru; a Singapore-based company that also sells hacking services, Computer Security Initiative Consultancy, better known as COSEINC; and Positive Technologies, a Russian company that the Biden administration had previously accused of, and sanctioned for, helping Russian spies.
A spokesperson for NSO Group did not respond to a request for comment via email and WhatsApp. Shalev Hulio, NSO’s former CEO and now vice chairman of the board of directors and president, did not respond to a text message asking for comment.
The sanctions come after a series of investigations in the last few months that detailed multiple cases where NSO customers around the world allegedly used its spyware to target human rights activists, dissidents, journalists, and even heads of state.
The sanctions effectively prohibit any U.S. company, as well as American citizens working in the U.S., from doing any business with NSO, including selling hardware and software. If anyone wants to do business with NSO Group from now on, they will have to apply for a license and get approval from the U.S. government, according to Douglas Jacobson, an expert in sanctions and export law.
According to previously published documents, as well as news reports, NSO has in the past relied on products and services from several U.S. companies such as Amazon, Dell, Cisco, Intel, and Microsoft in order to deploy its spyware. This means that these sanctions may seriously hobble NSO’s regular operations. The documents are part of a contract between an NSO reseller and the government of Ghana highlighted during Facebook and WhatsApp’s lawsuit against NSO. The documents include technical specifications of hardware and software used by NSO’s Pegasus hacking system.
Jacobson, however, explained that the Commerce Department listed these companies under a “presumption of denial.”
“You have to overcome that presumption. And that is not an easy burden,” Jacobson, who is a lawyer at Jacobson Burton Kelley PLLC, told Motherboard in a phone call.
Jacobson explained that this applies to all kinds of software and hardware, such as licenses for Microsoft’s cloud service Office 365, or server racks made by U.S. companies.
This sanction could also indirectly affect NSO’s business across the world.
“It doesn’t put a scarlet letter per se. But it definitely raises questions. And there it certainly raises red flags that some companies just may choose not to continue to sell,” Jacobson said.
This sanction does not prevent NSO from selling its spyware to U.S. law enforcement or intelligence agencies, Jacobson said. But it could be the first step that leads to wider sanctions against the company.
Activists who for years have denounced abuse from NSO’s customers rejoiced at the news.
“I very much welcome this news. For years we have been documenting extensive and serial abuses of mercenary spyware sold by companies like NSO Group and Candiru. For years, many people have debated how to mitigate these harms, with little concrete progress. I and my colleagues have long argued that it must start with serious government regulation. The US Department of Commerce’s designation is a very positive first step to bringing some public accountability and order to this otherwise poorly regulated marketplace,” Ron Deibert, the founder and director of Citizen Lab, a research group housed at the Munk School of Global Affairs & Public Policy, University of Toronto, told Motherboard in an email. “This designation should put companies like NSO and Candiru on notice that they cannot frivolously and repeatedly make sales to government clients that will routinely misuse such powerful tools. Now it is time for other governments to follow suit.”
Amazon, Dell, Cisco, Intel, and Microsoft did not immediately respond to a request for comment.
Joseph Cox contributed reporting.