Amidst a recent storm of controversy in which leaks have revealed that repressive governments and even criminal groups have wound up with access to its Pegasus spyware, NSO Group now finds itself unwelcome in the United States.
The Israel-based firm can no longer sell the Pegasus spyware product to any government agencies in the country, as the Biden administration condemned it for providing its services to regimes that used it to “maliciously target” journalists, human rights activists and political dissidents. NSO Group’s tool is particularly worrisome as it has been able to compromise the latest versions of both Apple and Android phones with “zero click” attacks that exploit flaws in messaging systems.
NSO Group banned from doing business in US
The Biden administration said that Pegasus spyware was knowingly supplied to foreign governments that intended to use it for repressive purposes. The Pegasus Project, an investigative report published in August, found that it was used by government agencies to track the family of murdered Saudi journalist Jamal Khashoggi and to spy on the ex-wife and daughters of the ruler of Dubai among other cases of abuse.
NSO Group has claimed that it only sells the Pegasus spyware to nations for legitimate law enforcement purposes and that it vets customers prior to making sales. After the Pegasus Papers story was printed, pressure from the US and France led to an investigation by Israel’s government. NSO Group said that it suspended sales to some governments, but did not get into specifics (reporting from the Washington Post indicates that Saudi Arabia and Dubai were blacklisted). Israel also took a more active role in the company’s business, requiring government approval of all future sales.
Private industry has also taken voluntary measures against NSO Group in the past year; Amazon Web Services terminated the company’s accounts, and WhatsApp is suing the group as the Pegasus spyware at one point exploited a vulnerability in the messaging app to breach target phones.
The action by the Biden administration is the strongest measure taken by any single government to date against NSO Group and against the private sector spyware industry. The Commerce Department stated that sale of the Pegasus spyware was “contrary to the national security (and) foreign policy interests of the United States.” Democrats in the House of Representatives have been calling for a ban and potential sanctions for human rights violations. Senator Ron Wyden of Oregon proposed invoking the Global Magnitsky Act, which would freeze the company’s assets and force its biggest investors to divest.
NSO Group now finds itself on the US “Entity List,” which not only prohibits it from selling its software in the country but also prevents US firms from selling technology to it. The ban follows a new rule from the Commerce Department that requires US companies to obtain a special license to sell any form of spyware to any foreign company. The list is often used for foreign cyber threat actors that have been identified, particularly those that are nation-state backed.
This move also comes as NSO Group was preparing an initial public offering in Tel Aviv; the company is estimated to be worth as much as $2 billion. While the cyber defense industry is a major piece of Israel’s economy, the incoming Prime Minister has shown an eagerness to have a strong relationship with the Biden administration.
Jake Williams, Co-Founder and CTO at BreachQuest, notes that three other organizations that deal in spyware were added to the blacklist: “The organizations COSEINC and Positive Technologies are perhaps more academically interesting. Both were added to the Entity List because they ‘misuse and traffic cyber tools that are used to gain unauthorized access to information systems in ways that are contrary to the national security or foreign policy of the United States, threatening the privacy and security of individuals and organizations worldwide.’ While Positive Technologies (a Russian company) isn’t a surprise to see on this list, COSEINC (a Singapore company) is. COSEINC has largely flown under the public radar before today, though prior reporting from Joseph Cox of Motherboard/VICE identified the firm as a zero-day vendor in 2018. It appears likely that COSEINC was found to be selling exploits or collaborating with foreign intelligence organizations or cybercriminals to have gained such a designation on the Entity List.”
Prolific use of Pegasus Spyware may not slow down
While the move sends a strong message to the spyware industry, it does not cut NSO Group off from any market that it was already in. And while the Entity List prevents US firms from selling technology to listed organizations, it does not restrict private US citizens from doing business with them. There is the possibility that this may increase NSO Group’s resolve in making its money from bad actors around the globe; the company responded with a huffy denial when confronted with the Pegasus Papers story and vowed to stop speaking to the media entirely.
Bill Lawrence, CISO of SecurityGate, also notes that the US government has been observed doing some of the same things that spyware vendors do: “Economic measures can be effective against these groups, although the effort can seem like hitting puddles with sledgehammers as they reform in other ways. Still, this is a good thing, and another would be if the US government stopped continually trying to get ‘back doors’ installed in its own citizens’ electronics. For those concerned about the spy technology, keeping up-to-date operating systems and regularly rebooting (at least daily) seem to be effective.”
Pegasus is widely considered the world’s most dangerous spyware, as it uses previously unknown “zero click” exploits that are extremely difficult for the end user to detect. Once installed, Pegasus grants the attacker surreptitious access to just about every function of a phone. The most recent way in which the Pegasus spyware exploited iOS devices was through a vulnerability in the pre-installed iMessage app. The user’s device could be compromised simply by receiving the message, without a need to click on an attack link or even open the message. Apple has since patched this vulnerability, but before the patch Pegasus was able to exploit all versions of iOS up to the most recent. Pegasus has also cycled through several different major vulnerabilities of this sort over the years.
The leaks indicate that a strong market remains for Pegasus. An estimated 50,000 non-criminal individuals have been targeted by it since 2016, a list consisting largely of journalists and political opponents of a nation’s sitting government. The WhatsApp lawsuit against the company revealed that some 1,400 people in over 20 countries had been targeted by that particular vulnerability.