US adds Euro spyware makers to export naughty list
Predator dev joins Pegasus slinger
The US government on Tuesday added commercial spyware makers Intellexa and Cytrox to its Entity List, saying the duo are a possible threat to national security.
According to the Feds, Greece's Intellexa SA, Ireland's Intellexa Limited, North Macedonia's Cytrox AD, and Hungary's Cytrox Holdings are allied companies that developed and sold software that could be used by clients to infect and monitor other people's electronic devices and equipment. This "is acting contrary to the national security or foreign policy interests of the United States," as the US Dept of Commerce put it [PDF].
Adding Intellexa and Cytrox to the Entity List places export restrictions on the software vendors as part of the Biden administration's ongoing crackdown against commercial surveillance technology. It is now impossible for US organizations to do business legally with those placed on the list without special permission from Uncle Sam; the list effectively cuts off Intellexa et al from America.
The move also follows warnings from cybersecurity researchers about abuses committed using the firms' snooping products.
Google's Threat Analysis Group (TAG), Cisco Talos, and Canadian nonprofit Citizen Lab have published reports on Cytrox's Predator and Alien spyware, which we're told have been used by the biz's customers to target politicians, journalists and activists.
Like similar snoopware package Pegasus, whose maker NSO Group was added to the federal Entity List in 2021, Predator and Alien have been documented exploiting zero-day flaws and other vulnerabilities to infect and take over Android phones and Apple iOS devices to spy on users and extracting data.
According to Citizen Lab, Cytrox is part of Intellexa, which formed the "Star Alliance of spyware" in 2019 to compete against NSO. Although, as the nonprofit noted in a 2021 report, "the specific link between Cytrox and Intellexa, as well as other companies in the 'alliance,' remains murky at best."
Last year, Google TAG said Cytrox sold zero-day exploits to government-backed snoops who used them to deploy Predator in at least three campaigns in 2021. The TAG team believes the buyers of these exploits are in Egypt, Armenia, Greece, Madagascar, Côte d'Ivoire, Serbia, Spain, Indonesia, and possibly other countries.
"We assess with high confidence that these exploits were packaged by a single commercial surveillance company, Cytrox, and sold to different government-backed actors who used them in at least the three campaigns," Google security researchers Clement Lecigne and Christian Resell said.
And in March, Meta's former security policy manager, who split her time between the US and Greece, sued the Hellenic national intelligence service for compromising her phone and deploying Predator spyware. The case is as yet unresolved.
- US govt pushes spyware to other countries? Senator Wyden would like a word
- President Biden kind of mostly bans commercial spyware from US govt
- Alien versus Predator? No, this Android spyware works together
- Pegasus-pusher NSO gets new owner keen on the commercial spyware biz
"This rule reaffirms the protection of human rights worldwide as a fundamental US. foreign policy interest," Deputy Secretary of Commerce Don Graves said in a statement today. "The Entity List remains a powerful tool in our arsenal to prevent bad actors around the world from using American technology to reach their nefarious goals."
Google, Citizen Lab, and other digital privacy advocates have called on Congress to weigh in on spyware, asking for sanctions and increased enforcement against surveillanceware makers.
The Commerce Department updated its list a few months after US President Joe Biden issued an executive order to (somewhat) prohibit the US government from using commercial spyware.
Meanwhile, the Feds continue to promote the sale of American-approved commercial spyware to foreign governments at the expense of US taxpayers. ®