The infamous Israel-based NSO Group, known for its hacking spyware Pegasus, was placed on the United States government's Entity List for engaging in malicious cyber activities, along with three other foreign companies: Candiru, Computer Security Initiative Consultancy PTE (COSEINC), and Positive Technologies.
The Entity List is a tool utilized by the federal government that identifies individuals, organizations, or companies that are believed to pose a significant risk to the national security and foreign policy interest of the U.S.
As for exactly why these four companies were placed on the Entity List, here is what the Department of State had to say:
"NSO Group and Candiru were added to the Entity List based on a determination that they developed and supplied spyware to foreign governments that used this tool to maliciously target government officials, journalists, businesspeople, activists, academics, and embassy workers.
Positive Technologies and COSEINC were added to the Entity List based on a determination that they misuse and traffic cyber tools that are used to gain unauthorized access to information systems in ways that are contrary to the national security or foreign policy of the United States, threatening the privacy and security of individuals and organizations worldwide."
NSO Group targets journalists, politicians, activists with spyware
Of these four companies, the NSO Group is by far the most well known, and for good (or bad) reason.
Jake Williams, Co-Founder and CTO at BreachQuest, comments on the move by the U.S. government:
"Each of the additions to the Entity List are interesting in its own right, however, the most significant is almost certainly NSO Group. While NSO tried to spin its software as being used for legitimate purposes, it's clear that it has been used repeatedly to target journalists, activists, and government officials.
It isn't just the targeting of these individuals that got NSO in hot water, it's that entities unfriendly to the U.S. used NSO tools to target friendly journalists, activists, etc. That's never a winning business plan."
Earlier this year, an investigation by 17 of the world's largest media outlets into the NSO Group discovered widespread abuse of the hacking spyware Pegasus.
Pegasus is a malware that infects mobile devices and enables operators to extract messages, photos, and emails, record calls, and secretly activate microphones. It is also a zero-click infection.
Forbidden Stories, a Paris-based journalism nonprofit, and Amnesty International, a human rights group, obtained a list of over 50,000 phone numbers believed to belong to persons of interests to clients of NSO.
Through cooperation with other news outlets, more than 1,000 individuals were able to be identified in 50 countries. This includes 189 journalists, more than 600 politicians, 65 business executives, 85 human rights activists, and several heads of state, according to The Washington Post.
Though the list contains 50,000 phone numbers, this does not mean that every single phone was infected with Pegasus, but it is a good indicator of the potential targets clients of NSO have identified.
The journalists identified work for organizations including The Associated Press, Reuters, CNN, The Wall Street Journal, Le Monde, and The Financial Times.
Is NSO connected to deaths of journalists?
The company claims to only sells Pegasus to "vetted government agencies" to use against criminals and terrorists and that it does not maintain visibility into customer data, but many critics refute this.
Some critics have even provided evidence that NSO directly manages the spyware, according to the AP.
Forensic researchers from Amnesty determined that Pegasus was installed on the phone of Jamal Khashoggi's fiancee, Hatice Cengiz, only four days after his murder. NSO had also previously been connected to Khashoggi.
In another case in Mexico, reporter Cecilio Pineda Birto was killed in 2017 just a couple weeks after his phone number appeared on the leaked list. Birto was allegedly a person of interest to a Mexican client of NSO in the weeks leading up to his murder. The killers were able to locate him at a carwash and his phone was never found, so no forensic analysis could have been conducted to determine if it was infected with Pegasus.
Lauren Easton, the AP's Director of Media Relations, said the company was "deeply troubled to learn that two AP journalists, along with journalists from many news organizations" are on the list of the 1,000 potential targets for Pegasus infection.
Will adding NSO to Entity List make a difference?
While adding a company to the Entity List can be a significant step in limiting the impact of a malicious threat actor, it is not an end-all, be-all move.
The Department of State says that it will not be taking action against the countries or governments where these four entities are located.
And Christoph Hebeisen, Director of Security Intelligence Research at Lookout, says listing these companies may have limited impact:
"The announcement that four companies including NSO Group, the creator of the mobile phone surveillance malware Pegasus, were added to the Entity List for malicious cyber activities is an important acknowledgement of the harm done by this type of malware.
While being added to the list can make it difficult to sell products to US companies or companies doing business in the US, NSO exclusively sells their product to law enforcement and intelligence agencies. Foreign governments are unlikely to adhere to these rules, which will limit the impact of this step on NSO's business and the business of other companies targeting the same customers."
[RESOURCE] What can organizations, the U.S. government, and everyday citizens do to stop the surge of ransomware and cyber threats hitting us from overseas? In this podcast episode, we hear from retired Air Force Colonel Cedric Leighton.