The US government has blacklisted the Pegasus spyware group
American businesses are prohibited from exporting goods and services to NSO Group, the company that built Pegasus.
The US Department of Commerce has ordered that no American companies sell their technology to NSO, citing reports that the group’s Pegasus spyware is used against journalists, government officials, activists, and others. According to the regulator’s press release, the company was added to the Entity List because its tool threatens “the rules-based international order” when sold to repressive foreign governments.
Pegasus is a programme that is designed to infect targets without being detected, allowing police and intelligence agencies to gain access to a phone’s text messages, photos, and passwords while leaving no trace. According to the Washington Post, the spyware could infect someone’s phone with a single, invisible text message: a target would not have to click on a link or take any action for their fully updated phone to be infected.
The Pegasus Project, a group of journalists who revealed a list of names allegedly linked to the spyware, recently brought NSO’s Pegasus spyware to light. This list included journalists, activists, heads of state, and others from around the world, all of whom NSO claims should not be targeted with its software. The Pegasus Project also examined a few journalists’ phones and discovered evidence that the spyware had been installed on them — almost certainly by a government agency, as NSO claims that government agencies are the only clients to whom it will sell its software and services.
Pegasus had also made headlines prior to this year. Journalists in Mexico were reportedly targeted by the tool, WhatsApp sued NSO for using a vulnerability in the messaging app to hack people’s phones, and the FBI is said to have investigated the company in relation to Jeff Bezos’ phone being hacked.
According to the Department of Commerce, NSO has been added to the Entity List, which prohibits US companies from exporting goods to it, because it “poses a significant risk of being or becoming involved in activities that are contrary to the national security or foreign policy interests of the United States.”
This is most likely related to US affairs outside of its borders — NSO has stated that its tool cannot be used to target American phone numbers, and the Department of Commerce and Pegasus Project have not disputed this.
On Thursday, NSO was not the only company added to the Entity List. Candiru, another Israeli IT firm that sells spyware (which is allegedly used for similar purposes), was also blacklisted. The Commerce Department named two more companies, one from Russia and one from Singapore, that it claims are involved in the sale of hacking tools.