As Sanctions Continue, Malware Purveyors Starting To Worry It Won’t Be As Easy To Sell Spyware To Bad People
NSO Group rang the bell. Despite all of its ex-intelligence service expertise and backing from its government, it can’t un-ring it. What’s done is done. And the repercussions just keep on coming, paying back NSO for years of selling powerful phone exploits to some of the worst people on earth.
NSO got sanctioned, along with another Israeli malware merchant, Candiru, by the US Commerce Department following weeks of negative press initiated by the leak of document allegedly listing entities targeted by NSO spyware. The list included journalists, activists, human rights lawyers, religious leaders, dissidents, and opposition leaders. What was pitched (at least publicly) as a way to combat crime and terrorism was instead being abused by powerful people to keep tabs on people they didn’t like.
NSO and Candiru weren’t the only ones hit with sanctions. Following a spyware-targeting executive order issued by President Biden, the blacklist was expanded, bringing in the State Department to add known abusers of phone exploits, as well as their friends and families, to the “keep out” list.
Earlier this month, the Treasury Department entered the arena, dropping sanctions on yet another spyware firm with Israeli ties, Intellexa. This was on top of sanctions handed down by the State Department last year, which put both of Dillian’s companies — Intellexa and Cytrox — on the Department’s “entity list.”
Cytrox’s flagship product is Predator, which has also been discovered infecting phones belonging to journalists, activists, and dissidents. Predator was at the center of a scandal in Greece, where multiple sanctioned exploit developers were implicated. But it was Cytrox’s exploit that was linked to the year-long surveillance of a US citizen by the Greek government.
But the latest sanctions affect more than just Intellexa. It also targets those running the company, ensuring they can’t just rebrand or form another company to get out from under the Treasury Department’s edict.
Under the sanctions, Americans and people who do business with the U.S. are forbidden from transacting with Intellexa, its founder and architect Tal Dilian, employee Sara Hamou and four companies affiliated with Intellexa.
These sanctions, combined with the ones levied recently following Biden’s executive order, now have other malware purveyors worried they won’t be able to sell malware to bad people as easily as they used to. Lorenzo Franceschi-Bicchierai’s report for TechCrunch quotes several perturbed (but anonymous) malware purveyors who have probably developed very strong feelings about NSO and other competitors over the past couple of years.
The first two people quoted do their best to distance themselves from the likes of Cytrox/Intellexa and their apparently careless founder, pointing out that Dillian “moves like an elephant in a crystal shop” and was willing to sell to anyone “willing to pay.” Both of the anonymous sources have already gotten out of the phone exploit business, perhaps sensing the “human rights exploiters” market had been fully exploited.
The third person quoted by TechCrunch suggests that if exploit sellers can’t learn from this string of cautionary tales, they probably can’t be taught.
According to a third person working in the spyware industry, the sanctions against Dilian and his business associate Hamou should make the whole market have a moment of reflection.
“If I had to come back to work actively in this industry, and I couldn’t find an exclusive customer that is extremely trustworthy, [sanctions] would be a risk,” the third person said. “A company, however serious, can never be 100% sure about how its customers act, and the political developments that can embroil them.”
Of course, no one quoted in this article has any skin in the game. They’ve all gotten out of this particularly sordid business. Those that remain may figure they can outlast the current storm. Or maybe they just figure they’ll still be able to get away with selling to human rights abusers by tightening up internal security a bit.
What’s clear is that there will always be a market for phone exploits. And chances are, the entities interested in abusing these powerful tools will be willing to pay a premium for them. Greed and lax regulation have allowed several companies to get rich by helping autocrats become even more awful. There’s no permanent solution to this problem, but for now, what has been done to this point at least appears to be having some sort of deterrent effect.