Doing so would effectively freeze NSO’s assets and force its largest investors, including Novalpina Capital, a British private equity firm — and its investors, which include Oregon’s state pension fund — to divest. It could also thwart NSO Group’s plans for a lucrative exit, such as an initial public offering or acquisition.
NSO was one of four companies that were blacklisted on Wednesday.
Candiru, another Israeli firm, was sanctioned based on evidence that it supplied spyware to foreign governments. Positive Technologies of Russia, which was targeted with sanctions last April for its work with Russian intelligence, and Computer Security Initiative Consultancy of Singapore were added to the list for trafficking in hacking tools, according to the Commerce Department’s announcement.
“The United States is committed to aggressively using export controls to hold companies accountable that develop, traffic, or use technologies to conduct malicious activities that threaten the cybersecurity of members of civil society, dissidents, government officials and organizations here and abroad,” Gina Raimondo, the commerce secretary, said in a statement.
NSO has said it only sells its spyware to governments whose human rights records have been vetted, for the purpose of countering terrorism and crime. But its spyware continues to pop up on the phones of journalists, critics of autocratic regimes, even children. Some of NSO’s targets — like Ahmed Mansoor, a critic of the United Arab Emirates — have been imprisoned and held in solitary confinement for years after NSO’s spyware was found on their phones.
Apple has patched its iOS software several times to mitigate vulnerabilities exploited by NSO’s spyware.
Candiru was founded by engineers who left NSO. Last July, Microsoft reported that Candiru’s spyware exploited a pair of Windows vulnerabilities to target the phones, computers, and internet-connected devices of some hundred activists, journalists and dissidents across ten countries.
Both NSO and Candiru were supposed to be under the strict control of Israel’s Ministry of Defense. But the ministry authorized the companies to sell their products to a number of countries with a long history of severe human rights violations, like Saudi Arabia, and continued to approve their sale even after the murder of Mr. Khashoggi and the discovery of spyware on his associates’ phones.