Pierluigi Paganini July 19, 2023

The U.S. government added surveillance technology vendors Cytrox and Intellexa to an economic blocklist for trafficking in cyber exploits.

The Commerce Department’s Bureau of Industry and Security (BIS) added surveillance technology vendors Intellexa and Cytrox to the Entity List for trafficking in cyber exploits used to gain access to information systems.

The Entity List maintained by the U.S. Department of Commerce’s Bureau of Industry and Security (BIS) is a trade control list created and maintained by the U.S. government. It identifies foreign individuals, organizations, companies, and government entities that are subject to specific export controls and restrictions due to their involvement in activities that threaten the U.S. national security or foreign policy interests.

The U.S. Government warns of the key role that surveillance technology plays in surveillance activities that can lead to repression and other human rights abuses.

The Commerce Department’s action targeted the above companies because their technology could contribute to the development of surveillance tools that pose a risk of misuse in violations or abuses of human rights.

The financial entities added to the Entity List include Intellexa S.A. in Greece, Cytrox Holdings Crt in Hungary, Intellexa Limited in Ireland, and Cytrox AD in North Macedonia.

“The proliferation and misuse of such commercial surveillance tools, including commercial spyware, pose distinct and growing security risks to the United States, facilitate repression, and enable human rights abuses. Today’s Entity List additions build on the Commerce Department’s prior actions against commercial spyware companies in November 2021” the Bureau of Industry and Security (BIS) said.

In May 2023, Google’s Threat Analysis Group (TAG) researchers discovered three campaigns, between August and October 2021, targeting Android users with five zero-day vulnerabilities.

The attacks aimed at installing the surveillance spyware Predator, developed by the North Macedonian firm Cytrox.

According to Google, the exploits were included in Cytrox’s commercial surveillance spyware that is sold to different nation-state actors, including Egypt, Armenia, Greece, Madagascar, Côte d’Ivoire, Serbia, Spain, and Indonesia.

In December 2022, a report published by CitizenLab researchers detailed the use of the Predator spyware against exiled politician Ayman Nour and the host of a popular news program.

The disconcerting aspect of these attacks is that Ayman Nour’s phone was simultaneously infected with both Cytrox’s Predator and NSO Group’s Pegasus spyware, operated by two different nation-state actors.

The exploits were used to initially deliver the ALIEN Android banking Trojan that acts as a loader for the PREDATOR implant.

In November 2021, the Commerce Department’s Bureau of Industry and Security (BIS) sanctioned four companies for the development of spyware or the sale of hacking tools used by nation-state actors.

The surveillance firms were NSO Group and Candiru from Israel, Computer Security Initiative Consultancy PTE. LTD from Singapore, and Positive Technologies from Russia.

NSO Group and Candiru were sanctioned for the development and the sale of surveillance software used to spy on journalists and activists. Positive Technologies and Computer Security Initiative Consultancy PTE. LTD. are being sanctioned because both entities traffic in cyber exploits used by threat actors to compromise computer networks of organizations worldwide. The US authorities have added the companies to the Entity List based on their engagement in activities counter to U.S. national security.

In the last couple of years, like NSO Group and Candiru, made the headlines because their spyware was used by totalitarian regimes to spy on journalists, dissidents, and government opposition.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Cytrox)