The U.S. Department of Commerce has blacklisted affiliates of two European spyware technology makers – Cytrox and Intellexa – by adding them to the agency’s “Entity List” for allegedly trafficking in cyber exploits that can enable campaigns of repression and other human rights abuses.
The Commerce Department’s Bureau of Industry and Security placed the following commercial spyware companies on the Entity List, subjecting them to trade restrictions: Intellexa S.A. in Greece, Cytrox Holdings Crt in Hungary, Intellexa Limited in Ireland, and Cytrox AD in North Macedonia.
“Recognizing the increasingly key role that surveillance technology plays in enabling campaigns of repression and other human rights abuses, the Commerce Department’s action today targets these entities’ ability to access commodities, software, and technology that could contribute to the development of surveillance tools that pose a risk of misuse in violations or abuses of human rights,” the agency said.
The decision comes after the Biden Administration earlier this year issued an Executive Order that prohibits Federal agencies from using – on an operational basis – commercial spyware technology if the use of that technology would pose risks to U.S. national security, or if the technology “has been misused by foreign actors to enable human rights abuses around the world.”
“This rule reaffirms the protection of human rights worldwide as a fundamental U.S. foreign policy interest,” said Deputy Secretary of Commerce Don Graves. “The Entity List remains a powerful tool in our arsenal to prevent bad actors around the world from using American technology to reach their nefarious goals.”
Last year, Google’s Threat Analysis Group traced the discovery of nine zero-day vulnerabilities affecting major software providers to Cytrox, and said the firm packaged and sold them for spyware use to “government-backed actors.”
“We remain laser focused on stemming the proliferation of digital tools for repression,” said Bureau of Industry and Security Under Secretary Alan Estevez. “Considering the impact of surveillance tools and other technologies on international human rights, I am pleased to announce these additions to our Entity List.”
“We will continue to leverage U.S. regulatory tools to control the export of dual-use goods or technologies to end users who seek to misuse them for the purposes of serious violations or abuses of human rights,” said Assistant Secretary for Export Administration Thea D. Rozman Kendler.
Commercial spyware firms already on the Commerce Department’s Entity List include Israel’s NSO Group, maker of Pegasus spyware. It was added to the list in 2021.