Israeli Malware Merchants NSO Group, Candiru Added To Commerce Department Export Blacklist

from the unwelcome-to-the-party,-pals dept

A couple of Israeli spyware purveyors have finally gotten themselves disinvited from the good graces of the federal government of the United States. The Commerce Department's Bureau of Industry and Security has amended its export regulations to hand NSO Group and the more mysterious Candiru a "presumption of denial," meaning they'll have to prove they're trustworthy again before US entities will be able to do business with them.

The new rules also make it more difficult for NSO and Candiru to sell their products using middlemen who aren't affected by the regulations.

In addition, the ERC [End-User Review Committee] also determined that no license exceptions should be available for exports, reexports, or transfers (in-country) to the persons being added to the Entity List in this rule.

NSO and Candiru weren't the only ones affected by this amendment, but they're the most notable recipients of the export controls.

The ERC determined that NSO Group and Candiru be added to the Entity List based on § 744.11(b) of the EAR: Entities for which there is reasonable cause to believe, based on specific and articulated facts, that the entity has been involved, is involved, or poses a significant risk of being or becoming involved in activities that are contrary to the national security or foreign policy interests of the United States and those acting on behalf of such entities. Specifically, investigative information has shown that the Israeli companies NSO Group and Candiru developed and supplied spyware to foreign governments that used this tool to maliciously target government officials, journalists, businesspeople, activists, academics, and embassy workers.

Also added to the blacklist were two other malware purveyors located in countries the United States has a much frostier relationship with.

The ERC determined that Positive Technologies, located in Russia, and Computer Security Initiative Consultancy PTE. LTD., located in Singapore, be added to the Entity List based on their engagement in activities counter to U.S. national security. Specifically, these entities traffic in cyber exploits used to gain access to information systems, threatening the privacy and security of individuals and organizations worldwide.

US companies and agencies will now have to approach the Commerce Department and ask for permission to purchase exploits from these companies, with the presumption being that their requests will be denied. This effectively shutters a large and presumably profitable market for these companies. It also prevents US-based exploit developers from selling their discoveries to any of the affected companies. And it's just another reputational hit for NSO Group, which has been remarkably resilient, considering its now fighting a PR battle on multiple fronts while being dragged down by its long, sordid past.

That hasn't stopped it from complaining that this blacklisting is unfair. Here's the statement it gave to The Record after the publication of the export regulation amendment.

NSO Group is dismayed by the decision given that our technologies support US national security interests and policies by preventing terrorism and crime, and thus we will advocate for this decision to be reversed.

We look forward to presenting the full information regarding how we have the world’s most rigorous compliance and human rights programs that are based the American values we deeply share, which already resulted in multiple terminations of contacts with government agencies that misused our products.

That is hilarious. It will be fun seeing how NSO proves it has the "world's most rigorous compliance and human rights program" after it has been observed selling its products to countries with dismal human rights records. Combine that statement with its defense that it has no "visibility" into how its customers use its products and it's pretty clear the "rigorous compliance program" NSO claims to have is about 50% delayed reaction and 50% bullshit.

Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: commerce department, entity list, export regulations, malware, spyware
Companies: candiru, nso group


Reader Comments

Subscribe: RSS

View by: Time | Thread


  1. identicon
    Pixelation, 8 Nov 2021 @ 11:45am

    Give us your source code and open all of your books

    Then, we can begin to discuss your "rigorous compliance" and interest in "human rights".

    link to this | view in thread ]

  2. icon
    ECA (profile), 8 Nov 2021 @ 12:29pm

    Umm, ok, yea.

    "involved in activities that are contrary to the national security or foreign policy interests of the United States and those acting on behalf of such entities. "

    REALLY?
    Arnt we the ones that hacked a few other countries ability to process Radioactive materials?
    Did the USA gov. do anything to protect and discourage Corps from sharing our data with NO ramifications beyond the fines and fee's?

    link to this | view in thread ]

  3. identicon
    Anonymous Coward, 8 Nov 2021 @ 1:40pm

    Re: Umm, ok, yea.

    The only use to ANY punishment, for issues such as this, is "décourager les autres".

    Your comment is very strange. You're not even complaining that the fines weren't ruinous. ("... no ramifications beyond fines and fees") You're complaining that you didn't get to see blood run in the streets. Or imprisonment of a corporation, or like that.

    And best, you're reacting. To misuse a quote, "The producer's purpose is to suggest some possible explanations, but not necessarily the only ones, to the mysteries we will examine." Feel free to show the specific instances where specific laws would have completely prevented the problem you're trying to solve. Anything less than that is "Something must be done. This is something. It must be done."

    link to this | view in thread ]

  4. identicon
    MTL, 8 Nov 2021 @ 2:22pm

    NSO

    Why don't they do this with Clearview? Seems to me they being TOTALLY unregulated and available across the planet would be as much of (If not more), a risk?

    Thinkin' out loud...

    link to this | view in thread ]

  5. icon
    Federico (profile), 8 Nov 2021 @ 3:24pm

    Raising the price

    I wonder what price the three-letter agencies will demand from NSO for not fully strangling it. Or has it really outlived its usefulness for them?

    link to this | view in thread ]

  6. icon
    Eldakka (profile), 8 Nov 2021 @ 5:34pm

    And it's just another reputational hit for NSO Group, which has been remarkably resilient, considering its now fighting a PR battle on multiple fronts while being dragged down by its long, sordid past.

    And in more bad news for them (good for us), the Whatsapp (Facebook) suit against NSO is being allowed to go forward: Legal woes mount for NSO after court rules WhatsApp lawsuit can proceed.

    link to this | view in thread ]

  7. icon
    ECA (profile), 9 Nov 2021 @ 2:53pm

    Re: Re: Umm, ok, yea.

    you are trying to talk about 1 country trying to control others.
    The only power the USA has is NOT intervention.
    The only control 1 nation has over another is SQUAT.
    What international law would you recommend?
    The only recourse is NATO.

    But, What course does the company have? NONE. it will take nothing to hack their program and take any remote control OUT of it.

    THEN, since the use of Social security, there has been a regulation that, the USE of the SS# is not for identification use by Any one, except your work and the bank and the Gov.
    NO personal protections have been enforced in the last 30+ years. Including the Credit agencies Loosing millions of Identifiable data ot the internet, because they hadnt updated security in over 5 years?? Ok.

    link to this | view in thread ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.