The U.S. Department of Commerce today announced that it has sanctioned four companies after finding they have engaged in malicious cybersecurity activities.

The companies are Israel-based NSO Group and Candiru, Russia-based Positive Technologies and Singapore-based Computer Security Initiative Consultancy. The sanctions were applied by the Commerce Department’s Bureau of Industry and Security. As a result, the four companies are now on the bureau’s Entity List.

According to cybersecurity publication The Record, the move means that U.S.-based organizations are banned from buying, exporting or transferring any cybersecurity tools developed by the firms unless they receive a special license. The Commerce Department said that organizations applying for such a license should expect a “presumption of denial.”

U.S. Secretary of Commerce Gina Raimondo said in a statement that “the United States is committed to aggressively using export controls to hold companies accountable that develop, traffic, or use technologies to conduct malicious activities that threaten the cybersecurity of members of civil society, dissidents, government officials, and organizations here and abroad.”

The department stated that NSO Group and Candiru were added to the Entity List for providing spyware used by foreign governments to target government officials, journalists, businesspeople, activists, academics and embassy workers maliciously. Previously, both companies have drawn scrutiny in recent years over their hacking tools. 

NSO Group is the maker of the Pegasus spyware, which uses so-called zero day exploits, or unfixed software vulnerabilities unknown to cybersecurity researchers, to infect mobile devices. In some cases, Pegasus can reportedly breach a mobile device without requiring the user to perform any action. The spyware is known to be capable of infecting most versions of iOS and Android. 

Earlier this year, a consortium of international media outlets revealed new details about Pegasus. Journalists uncovered a list containing more than 50,000 phone numbers believed to belong to individuals identified as people of interest by NSO’s clients. Earlier, the WhatsApp unit of Meta Platforms Inc., formerly Facebook Inc., launched a lawsuit against NSO Group charging that Pegasus was used to target more than 1,400 devices via a vulnerability in its messaging service.

Candiru, the second company sanctioned by the Commerce Department today, was recently named by Microsoft Corp. and Citizen Lab as the creator of a Windows spyware strain used to infect more than 100 victims. Microsoft said that the spyware was used to launch cyberattacks against politicians, human rights activists, journalists, academics, embassy workers and political dissidents. The Candiru spyware exploited two zero-day vulnerabilities in Windows to breach the targeted devices. 

Positive Technologies and Computer Security Initiative Consultancy are the two other companies that the Commerce Department has sanctioned. The department stated that the companies “traffic in cyber tools used to gain unauthorized access to information systems, threatening the privacy and security of individuals and organizations worldwide.”

Photo: U.S. Department of Commerce