The US Commerce Department’s Bureau of Industry and Security (BIS) determined that NSO Group’s Pegasus spyware has been used by foreign governments to “maliciously target” government officials, activists, journalists, academics and embassy workers around the world.

This led to the blacklisting of the Israeli NSO Groups’ organisation, along with three other companies. The ‘Entity List’- is a federal blacklist prohibiting companies from receiving any American hardware or software technology.

The rare move by the US government against an Israeli company is expected to hinder the firm’s operations and increase tensions between the US and its ally.

This came two weeks after the Commerce Department announced a new policy to ban sales of American hacking technology to any entity overseas reportedly involved in hacking for malicious motives.

“NSO Group could not have operated without Israeli government knowledge and toleration, if not encouragement,” said David Kaye, a former United Nations special rapporteur who called earlier for global restrictions on sales of surveillance technology.

“So part of this cannot be seen merely as the US government making a statement about this particular company; it’s also a statement about the Israeli government, its export controls and engagement in transnational repression.”

Israel’s Foreign Minister Yair Lapid on Saturday distanced his government from the NSO Group, claiming it is a “private company, it is not a governmental project and therefore even if it is designated, it has nothing to do with the policies of the Israeli government.”

At a press conference in Jerusalem, Lapid said “I don’t think there is another country in the world which has such strict rules according to cyber warfare and that is imposing those rules more than Israel and we will continue to do so.”

His comments were the first to be made public by a senior Israeli official since the US sanctioning on Wednesday.

The BIS explained that the NSO Group was listed due to engaging in activities that threatened the “national security or foreign policy interests” of the US, through developing and supplying spyware to foreign governments, via its Pegasus programme.

Pegasus enables governments to discreetly hack into mobile phones without knowledge of the user, essentially providing access to crucial information such as messages, location tracking as well as the ability to tap into cameras and microphones.

The Israeli firm reportedly sold its spyware to several repressive governments around the world, claiming it was used for tackling national security issues such as capturing terrorists and criminals.

“These tools have also enabled foreign governments to conduct transnational repression, which is the practice of authoritarian governments targeting dissidents, journalists and activists outside of their sovereign borders to silence dissent. Such practices threaten the rules-based international order”, the BIS said.

The NSO Group has repeatedly stressed that it monitors the use of its services and strictly prohibits its use for political purposes. However, according to Forbidden Stories and Amnesty International’s July report, multiple political activists and journalists around the world were on the list of 50,000 hacked numbers by Pegasus.

“Forensic analyses of phones by Amnesty International, which provided technical support for the Pegasus Project investigation, found evidence that NSO’s clients had used Amazon Web Services and other Internet service companies to deliver Pegasus malware to targeted phones,” The Washington Post reported.

An Amazon spokeswoman told The Post earlier this year that the firm “shut down the relevant infrastructure and accounts” after finding out.

The US government also slapped sanctions on Candiru, which is another Israeli company similar to Pegasus that also sold its programme to several governments, such as Uzbekistan, Saudi Arabia, Qatar, Singapore and the UAE.

Apart from Israel’s NSO Group and Candiru, the BIS added Russian firm Positive Technologies and Singapore-based Computer Security Initiative Consultancy PTE. LTD to the Entity List for delivering hacking tools used in breaching computer systems.

This marks one of the very few times the US government imposes a penalty over cyber-surveillance issues.

“We look forward to further discussions with the government of Israel about ensuring that these companies’ products are not used to target human rights defenders, journalists and others who shouldn’t be targeted,” State Department spokesman Ned Price said earlier.

The latest move by the US is considered part of the new Biden administration’s “efforts to put human rights at the center of US foreign policy, including by working to stem the proliferation of digital tools used for repression,” according to the Commerce Department.

NSO spokesperson Oded Hershkovitz said the company is “dismayed” by the decision and will seek to drop it.

The company said its “rigorous” human rights policies “are based on the American values we deeply share, which already resulted in multiple terminations of contracts with government agencies that misused our products.”

Sen. Ron Wyden (D-Ore.) said in a statement on Wednesday that “President Biden is sending a strong message that the US won’t stand for foreign hacking companies that violate human rights and threaten our national security.”

He also called for implementing strict measures, including “cutting them off from the American financial system and investors by issuing sanctions under the Global Magnitsky Act.”

The blacklisting could also weaken NSO’s standing with investors and cast a cloud over the company’s attempts to rehabilitate its image as a maker of critical surveillance tools that law enforcement needs to catch criminals.

Commerce officials said NSO Group and another Israeli surveillance company, Candiru, had enabled “foreign governments to conduct transnational repression,” allowing authoritarian governments to target “dissidents, journalists and activists outside of their sovereign borders to silence dissent.”

The research group Citizen Lab, in a July report, found that Candiru markets to governments “untraceable” spyware that may be used for repressive purposes. Working with Microsoft, Citizen Lab found that the spyware was used to target human rights activists, dissidents, journalists and politicians in the Palestinian territories, Iran, Lebanon, Britain, Turkey, Yemen and other countries.

Kaye, the former UN special rapporteur, said the listing will have major practical and symbolic implications for NSO Group, which has worked aggressively to attract investors, government clients and positive media coverage.

Pegasus uses during the Gulf crisis 2017

Last year, the UAE and Saudi Arabia were accused of hacking at least 36 Al Jazeera journalists, and one journalist from the London-based Al Araby TV, with the Pegasus spyware.

On 21 December 2020, University of Toronto’s Citizen Lab published an incendiary report detailing how the UAE and Saudi Arabia used the intrusive electronic spyware tool Pegasus to hack journalists working at the Qatar-based news channel Al Jazeera.

Politically, the Citizen Lab report came on the back of talks of normalisation between Qatar and Saudi Arabia, who, along with the UAE, Bahrain and Egypt, severed diplomatic and economic ties with Qatar in 2017.

That crisis ended just months ago in January after all parties involved signed the Al Ula accord to end the rift and resume diplomatic ties.

The 36 Al Jazeera journalists formed the large bulk of the 50-or-so journalists known to have been targeted with Pegasus. That’s a whopping 72%.

The consequences of such tracking costs journalists their freedom, liberty, and in some cases, their lives.

Saudi Arabia and the United Arab Emirates did not just target Qatar, but also activists and journalists for simply criticising their governments.

The kingdom reportedly used NSO surveillance tools on phones of those close to Saudi journalist Jamal Khashoggi before and after he was killed by order of Saudi Crown Prince Mohammed bin Salman.

Additionally, while an investigation into his murder was ongoing, Saudi Arabia used Pegasus spyware to target Khashoggi’s son, activist friends, and people opposing the Saudi regime.

Khashoggi was not the only activist targeted by the kingdom.

Prominent activist Loujain Al-Hathloul’s phone number also appeared in the leaked list of NSO targets. Al-Hathloul is known for publicly opposing the female driving ban and the male guardianship systems in Saudi Arabia.

It’s believed she was chosen as a target just a few weeks before she was captured in the UAE. She was then returned to Saudi Arabia and put in prison for three years before global calls for her release finally led to her freedom.