The Biden administration on Tuesday added the foreign commercial spyware companies Intellexa and Cytrox to a federal "entity list" that prohibits American companies from engaging in certain trade activities with them, after determining that the two firms pose a threat to U.S. national security and foreign policy interests.
The decision is part of an ongoing effort to address the proliferation and misuse of commercial spyware, according to senior administration officials, who spoke on the condition of anonymity to brief reporters on the matter. The move is the most significant since President Biden issued an executive order in March that sets limits on U.S. agencies' use of spyware and bars the technology's use when there's a risk it could be exploited by foreign governments to target Americans or violate human rights.
That action serves as a "strong signal" to entities that use commercial spyware, as well as the surveillance industry as a whole, a senior administration official said.
"This is also an opportunity for private investors to consider the risk" and reevaluate whether to invest and support "such commercial spyware companies whose business practices threaten the security and safety of technology used by citizens around the world, not just here in the United States," the official added.
The companies added to the entity list include Intellexa S.A. in Greece, Cytrox Holdings Crt in Hungary, Intellexa Limited in Ireland, and Cytrox AD in North Macedonia. They are being penalized for "trafficking in cyber exploits used to gain access to information systems, thereby threatening the privacy and security of individuals and organizations worldwide," according to an update in the Federal Register.
The move builds on U.S. actions in November 2021, when the Israeli spyware company NSO Group was added to the federal blacklist when it was determined that its phone hacking tool had been used by foreign governments to target government officials, academics, journalists and others. Hanan Elatr, the wife of slain Saudi journalist and Washington Post contributing columnist Jamal Khashoggi, sued NSO Group last month, alleging that the group infected her phone with its spyware to track her late husband.
Cytrox was founded in 2017, according to the technology investment platform PitchBook. A 2021 Citizen Lab report described it as part of Intellexa, although the exact nature of the relationship between the two companies was described as "murky at best."
Intellexa was formed as a sort of "Star Alliance of Spyware" to compete with NSO Group, according to the Citizen Lab report. Its founder, Tal Dilian, is a former Israeli intelligence officer and entrepreneur.
Cytrox software was used to hack into the phones of Egyptian politician Ayman Nour, who once ran for his country's presidency, and the phone of a prominent Egyptian news reporter. The report found that Nour's phone had been infected simultaneously with NSO Group's Pegasus software and Cytrox's own spyware, which is called Predator.
"The targeting of a single individual with both Pegasus and Predator underscores that the practice of hacking civil society transcends any specific mercenary spyware company," according to Citizen Lab. "Instead, it is a pattern that we expect will persist as long as autocratic governments are able to obtain sophisticated hacking technology."
The report's authors identified an IP address in Saudi Arabia as a possible Predator customer. This, taken together with media reports to the effect that Saudi Arabia cut off NSO Group as a client, "may be an indication that Saudi Arabia has switched from Pegasus to Predator," the report said.
The White House has previously stated that foreign governments have used spyware to target U.S. personnel maliciously. After the executive order in March, officials said that the electronic devices of 50 U.S. government workers appeared or were confirmed to have been hacked with commercial malware tools.
The new federal action also comes on the heels of a pledge made by the U.S. and allied nations in March to develop and implement measures aimed at countering commercial spyware abuses.
— David DiMolfetta and Aaron Gregg, The Washington Post