The U.S. government has banned European commercial spyware manufacturers Intellexa and Cytrox, citing risks to U.S. national security and foreign policy interests.
The Commerce Department’s Bureau of Industry and Security (BIS) added four commercial entities to its Entity List: Intellexa S.A. from Greece, Intellexa Limited from Ireland, Cytrox Holdings Zrt from Hungary, and Cytrox AD from North Macedonia.
This decision was motivated by the four companies’ involvement in trafficking cyber exploits used to gain unauthorized access to the devices of high-risk individuals worldwide, threatening their security and privacy.
According to the U.S. State Department, the deployment of these surveillance tools on a worldwide scale aimed to intimidate political adversaries, suppress dissent, restrict freedom of speech, and keep track of journalists’ and activists’ activity, thereby sustaining a climate of repression and human rights violations.
“The proliferation of commercial spyware poses distinct and growing counterintelligence and security risks to the United States, including to the safety and security of U.S. government personnel and their families,” the U.S. State Department said in a press release on Tuesday.
“The misuse of these tools globally has also facilitated repression and enabled human rights abuses, including to intimidate political opponents and curb dissent, limit freedom of expression, and monitor and target activists and journalists.”
In May 2022, Google’s Threat Analysis Group (TAG) linked Cytrox to multiple zero-day vulnerabilities used to deploy Predator spyware on Android devices.
“We assess with high confidence that these exploits were packaged by a single commercial surveillance company, Cytrox, and sold to different government-backed actors who used them in at least the three campaigns discussed below,” said Google TAG members Clement Lecigne and Christian Resell at the time.
The same month, security researchers at Cisco Talos and the Citizen Lab tagged Intellexa as the maker of the Predator Android spyware and its loader, Alien.
The inclusion of these spyware entities in the Entity List builds upon previous regulatory measures taken by the U.S. government to address the risks associated with commercial spyware companies.
It is consistent with previous initiatives, including a Biden administration executive order issued in March prohibiting the government’s use of commercial spyware posing national security risks.
The Biden admin also released a set of guiding principles regarding the government’s use of surveillance tech as part of a joint effort with a group of 36 other governments (known as the Freedom Online Coalition) aiming to prevent its misuse to enable human rights abuses.
The U.S. Commerce Department sanctioned four other companies from Israel, Russia, and Singapore in November 2021 due to their involvement in developing spyware or selling hacking tools employed by state-sponsored hacking collectives.
Israeli spyware makers NSO Group and Candiru were banned for creating and selling spyware used to target activists and journalists, while Positive Technologies in Russia and Computer Security Initiative Consultancy (CSIS) in Singapore were sanctioned for the trafficking of hacking tools and exploits.
Positive Technologies was also sanctioned in April 2021 over allegations that it helped the Russian Federal Security Service (FSB) carry out cyberattacks targeting U.S. interests.
“This rule reaffirms the protection of human rights worldwide as a fundamental U.S. foreign policy interest. The Entity List remains a powerful tool in our arsenal to prevent bad actors around the world from using American technology to reach their nefarious goals,” said Deputy Secretary of Commerce Don Graves.