The US Department of Commerce has ordered American companies to not sell their tech to NSO, citing reports that the group’s Pegasus spyware is used against journalists, government officials, activists, and more. In its press release, the regulator says that the company is being added to the Entity List because its tool threatens “the rules-based international order” when it’s sold to repressive foreign governments.
Pegasus is a program designed to infect targets without notice, allowing police and intelligence agencies to get access to a phone’s text messages, photos, and passwords, all without leaving a trace. The Washington Post reported in July that the spyware could infect someone’s phone with a single, invisible text message: a target wouldn’t have to click on a link or take any action for their fully updated phone to be infected.
NSO’s Pegasus spyware was recently in the spotlight because of The Pegasus Project, a collection of journalists who revealed a list of names seemingly connected to the spyware. That list included journalists, activists, heads of state, and others from across the globe, people that NSO says its software shouldn’t be used to target. The Pegasus Project also analyzed a handful of journalists’ phones and found evidence that the spyware had been installed on them — almost certainly by a government agency, as NSO says those are the only clients it’ll sell its software and services to.
Pegasus had made headlines before this year, too. Journalists in Mexico were reportedly targeted with the tool, WhatsApp sued NSO for using an exploit in the messaging app to hack people’s phones, and the FBI is said to have at least looked into the company in relation to Jeff Bezos’ phone being hacked.
NSO says it can’t target US-based phone numbers
The Department of Commerce says that NSO is being added to the entity list, which restricts US companies from exporting products to it, because the company “poses a significant risk of being or becoming involved in activities that are contrary to the national security or foreign policy interests of the United States.”
This likely relates to US affairs outside its actual borders — NSO has said that its tool can’t be used to target American phone numbers, and the Department of Commerce and Pegasus Project haven’t contested that fact.
NSO isn’t the only company being added to the entity list on Thursday. Candiru, another Israeli IT firm that sells spyware (that’s reportedly used for similar purposes), is also being blacklisted. The Department of Commerce cited two more companies — one from Russia and one from Singapore — that it says are involved in selling hacking tools.