The U.S. State Department said it’s implementing a new policy that imposes visa restrictions on individuals who are linked to the illegal use of commercial spyware to surveil civil society members.
“The misuse of commercial spyware threatens privacy and freedoms of expression, peaceful assembly, and association,” Secretary of State Antony Blinken said. “Such targeting has been linked to arbitrary detentions, forced disappearances, and extrajudicial killings in the most egregious of cases.”
The latest measures, underscoring continued efforts on part of the U.S. government to curtail the proliferation of surveillance tools, are designed to “promote accountability” for individuals involved in commercial spyware misuse.
The new policy covers people who have used such tools to “unlawfully surveil, harass, suppress, or intimidate individuals,” as well as those who stand to financially benefit from the misuse.
It also includes the companies (aka private sector offensive actors or PSOAs) that develop and sell the spyware to governments and other entities. It’s currently not clear how the new restrictions will be enforced for individuals who possess passports that don’t require a visa to enter the U.S.
However, CyberScoop notes that executives potentially affected by the ban would no longer be eligible to participate in the visa waiver program, and that they would need to apply for a visa to travel to the U.S.
The development comes days after Access Now and the Citizen Lab revealed that 35 journalists, lawyers, and human-rights activists in the Middle Eastern nation of Jordan were targeted with NSO Group’s Pegasus spyware.
In November 2021, the U.S. government sanctioned NSO Group and Candiru, another spyware vendor, for developing and supplying cyber weapons to foreign governments that “used these tools to maliciously target government officials, journalists, businesspeople, activists, academics, and embassy workers.”
Then early last year, U.S. President Joe Biden signed an executive order barring federal government agencies from using commercial spyware that could pose national security risks. In July 2023, the U.S. also placed Intellexa and Cytrox on a trade blocklist.
According to an intelligence assessment released by the U.K. Government Communications Headquarters (GCHQ) in April 2023, at least 80 countries have purchased commercial cyber intrusion software over the past decade.
Google’s Threat Analysis Group (TAG), in a comprehensive report about the commercial spyware landscape shared with The Hacker News, said there are dozens of smaller vendors such as Cy4Gate, Negg Group, and Variston who “enable the proliferation of dangerous tools and capabilities used by governments against individuals.”
For example, Italian company Cy4Gate, which acquired RCS Lab in March 2022, is the maker of Android and iOS spyware known as Epeius. Negg Group, which is also from Italy, develops a strain of mobile spyware codenamed VBiss that’s delivered via one-click exploit chains. It has also been linked to another Android malware known as Skygofree.
“If governments ever had a monopoly on the most sophisticated capabilities, that era is certainly over,” TAG said, adding it’s tracking nearly 40 companies with varying levels of sophistication. “The private sector is now responsible for a significant portion of the most sophisticated tools we detect.”
This is exemplified by the fact that of the 25 zero-days that were exploited in the wild in 2023, 20 were weaponized by PSOAs. Furthermore, 35 out of 72 zero-days found in Google products since 2014 have been actively exploited by commercial vendors.
“The development of surveillance technology often begins with the discovery of a vulnerability and ends with a government customer collecting data from spyware installed on a high risk user’s device,” TAG further noted, calling out the roles played by exploit developers, exploit brokers, and the vendors themselves, who sell the spyware as a product along with the initial delivery mechanisms and the exploits.
(The story was updated after publication to include additional insights shared by Google’s Threat Analysis Group.)