Source: Robert Brown via Alamy Stock Photo
Efforts by the US and other governments to curb the development, use, and proliferation of powerful spyware tools like NSO Group's Pegasus and Intellexa Consortium's Predator have largely been unsuccessful. Rather, they appear to have encouraged these espionage retailers to improve their ability to evade detection and do business in the shadows.
Spyware could arguably have some legitimate law enforcement or intelligence gathering use case, however, human-rights-abuse watchers have soundly established tools like Pegasus and Predator as tools employed by authoritarian governments to spy on journalists, dissidents, and citizens, and to police their activity. Western governments (including the US, the UK, and others across Europe) recognize these spyware tools as a threat to human rights and basic freedoms, and have joined to try and stop their use through sanctions and other enforcement actions.
In 2021, the US Department of Commerce sanctioned NSO Group, Candiru Ltd., and two suppliers. In 2023, it added Intellexa Consortium to the list for "trafficking in cyber exploits used to gain access to information systems, threatening the privacy and security of individuals and organizations worldwide," according to a Sept. 4 report from The Atlantic Council DFRLab.
Further in 2023, the US proposed blocking government agencies from using commercial spyware and joined with several other countries to pledge to work against the misuse and spread of commercial spyware, DFRLab's report noted. In March of 2024, the US Department of the Treasury also levied sanctions against seven spyware entities. And the following month, the US government also issued Visa restrictions to "promote the accountability for the misuse of commercial spyware," the report added.
It worked for a time. But the market for governments who want to use spyware against their citizens proved too big of a prize for these vendors to miss out on: the Atlantic Council report also highlighted the subsequent return of sanctioned spyware sellers.
"Most available evidence suggests that spyware sales are a present reality and likely to continue," the Atlantic Council admitted. "Proliferation heedless of its potential human rights harms and national security risks, however, is not a stable status quo."
Predator Spyware Claws Back With Location Obfuscation
Take Predator as an example. In 2024 Predator spyware use dropped sharply after the company was sanctioned, according to researchers at Insikt Group. But recently, new and improved Predator infrastructure has been detected in more countries, including the Democratic Republic of Congo and Angola.
Updates to the new and improved Predator tool anonymizes customer operations, which obscures which countries are using the spyware, Insikt Group reported in a Sept. 5 report on Predator.
"This change makes it more difficult for researchers and cybersecurity defenders to track the spread of Predator," the report added.
But Predator is hardly the only spyware tool gaming its location to evade oversight. The Atlantic Council's report identifies several ways spyware vendors have adapted to take advantage of jurisdictional gaps, including simply by structuring their businesses with subsidiaries, partners, and other relationships scattered across different areas. Spyware vendors also play games with naming and re-naming their companies and legal entities in an effort to get around sanctions and other regulation.
"The most persistently shifting identity is that of the firm originally known as Candiru Ltd., which changed its name four times over the ensuing nine years, and is known at the time of this writing as Saito Tech Ltd," the Atlantic Council's report noted.
The strategy goes beyond business operations; this jurisdictional shell game also allows these vendors to court investors from a wider range of countries.
"These relocations may offer a variety of location-specific benefits, from facilitating sales to the EU market with an EU-domiciled firm to situating branches in states with more forgiving laws," the Atlantic Council report said.
The good news is, these loopholes could be closed, according to the Atlantic Council, with more controls and scrutiny on spyware investment.
"Improving corporate transparency requirements, such as the US’ recent move to compel companies to report their beneficial owners in line with policies in other countries, will support improved investor due diligence and deal review inside the United States," according to the report. "For vendors located outside the US, a recent notice of proposed rulemaking to extend US security review over some forms of outbound investment could provide the basis to catalog and potentially block investment."
Spyware Vendors Concentrated in Three Countries
The Atlantic Council report said the current spyware vendor landscape is heavily concentrated in three areas: Israel, India, and Italy. While there has been a lot of focus on Israeli spyware firms like NSO Group, the Atlantic Council report encourages Western governments to expand their sanctions focus to companies working out of India and Italy as well, two countries that were recently left out of the high-profile international sanctions from the UK and France against cyber intrusion tools, called the Pall Mall Process.
India is home to five prolific spyware vendors, including Aglaya Scientific Aerospace Technology Systems Private Limited and Appin Security Group, and Italy has six, including Memento Labs, Movia SPA, the report points out.
More needs to be done to bring transparency to the spyware market, the Atlantic Council report urged.
"Nascent steps by a handful of countries demonstrate that a more vigorous approach to shape the behavior of spyware vendors, their supply chain, and their investors is possible," its report said. "However, much more remains to be done."