Commercial Spyware Use Roars Back Despite Sanctions
===================================================

Vendors of mercenary spyware tools used by nation-states to track citizens and enemies have gotten savvy about evading efforts to limit their use.

[Becky Bracken, Senior Editor, Dark Reading](/author/becky-bracken)

September 6, 2024

4 Min Read

![An eyeball looking at data](https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/bltcaa53b11b97ef6f4/66db46605c6d786b89402d42/spyware_alamy.jpg?width=1280&auto=webp&quality=95&format=jpg&disable=upscale)

Source: Robert Brown via Alamy Stock Photo

Efforts by the US and other governments to curb the development, use, and proliferation of powerful spyware
tools like NSO Group’s Pegasus and Intellexa Consortium’s Predator have largely been unsuccessful. Rather, they appear to have encouraged these espionage retailers to improve their ability to evade detection and do business in the shadows.

Spyware could arguably have some legitimate law enforcement or intelligence-gathering use case; however, human-rights-abuse watchers have soundly established tools like Pegasus and Predator as tools employed by authoritarian governments to spy on journalists, dissidents, and citizens, and to police their activity. Western governments (including the US, the UK, and others across Europe) recognize these spyware tools as a threat to human rights and basic freedoms, and have joined to try to stop their use through sanctions and other enforcement actions.

In 2021, the US Department of Commerce sanctioned NSO Group, Candiru Ltd., and two suppliers. In 2023, it added Intellexa Consortium to the list for ‘trafficking in cyber exploits used to gain access to information systems, threatening the privacy and security of individuals and organizations worldwide,’ according to a Sept. 4 [report from The Atlantic Council DFRLab](https://dfrlab.org/2024/09/04/mythical-beasts-and-where-to-find-them-report/?utm_source=pocket_saves#provide).

Further in 2023, the US proposed blocking government agencies from using commercial spyware and joined with several other countries to pledge to work against the misuse and spread of commercial spyware, DFRLab’s report noted. In March of 2024, the US Department of the Treasury also levied [sanctions against seven spyware entities](https://www.darkreading.com/endpoint-security/global-commercial-spyware-operators-sanctioned-by-us). And the following month, the US government also [issued visa restrictions](https://www.darkreading.com/cybersecurity-operations/us-gov-visa-restrictions-spyware-honchos) to ‘promote the accountability for the misuse of commercial spyware,’ the report added.

It worked for a time.
But the market for governments who want to use spyware against their citizens proved too big of a prize for these vendors to miss out on: the Atlantic Council report also highlighted the subsequent return of sanctioned spyware sellers.

‘Most available evidence suggests that spyware sales are a present reality and likely to continue,’ the Atlantic Council admitted. ‘Proliferation heedless of its potential human rights harms and national security risks, however, is not a stable status quo.’

Predator Spyware Claws Back With Location Obfuscation
-----------------------------------------------------

Take Predator as an example. In 2024, [Predator spyware](https://www.darkreading.com/endpoint-security/global-commercial-spyware-operators-sanctioned-by-us) use dropped sharply after the company was sanctioned, according to researchers at Insikt Group. But recently, new and improved [Predator infrastructure](https://therecord.media/predator-spyware-rebounds-even-after-sanctions?&web_view=true) has been detected in more countries, including the Democratic Republic of Congo and Angola.

Updates to the new and improved Predator tool anonymize customer operations, which obscures which countries are using the spyware, Insikt Group reported in a Sept. 5 report on Predator.

‘This change makes it more difficult for researchers and cybersecurity defenders to track the spread of Predator,’ the report added.

But Predator is hardly the only spyware tool gaming its location to evade oversight. The Atlantic Council’s report identifies several ways spyware vendors have adapted to take advantage of jurisdictional gaps, including simply by structuring their businesses with subsidiaries, partners, and other relationships scattered across different areas.
Spyware vendors also play games with naming and renaming their companies and legal entities in an effort to get around sanctions and other regulation.

‘The most persistently shifting identity is that of the firm originally known as Candiru Ltd., which changed its name four times over the ensuing nine years, and is known at the time of this writing as Saito Tech Ltd,’ the Atlantic Council’s report noted.

The strategy goes beyond business operations; this jurisdictional shell game also allows these vendors to court investors from a wider range of countries.

‘These relocations may offer a variety of location-specific benefits, from facilitating sales to the EU market with an EU-domiciled firm to situating branches in states with more forgiving laws,’ the Atlantic Council report said.

The good news is, these loopholes could be closed, according to the Atlantic Council, with more controls and scrutiny on spyware investment.

‘Improving corporate transparency requirements, such as the US’ recent move to compel companies to report their beneficial owners in line with policies in other countries, will support improved investor due diligence and deal review inside the United States,’ according to the report. ‘For vendors located outside the US, a recent notice of proposed rulemaking to extend US security review over some forms of outbound investment could provide the basis to catalog and potentially block investment.’

Spyware Vendors Concentrated in Three Countries
-----------------------------------------------

The Atlantic Council report said the current spyware vendor landscape is heavily concentrated in three areas: Israel, India, and Italy.
While there has been a lot of focus on Israeli spyware firms like NSO Group, the Atlantic Council report encourages Western governments to expand their sanctions focus to companies working out of India and Italy as well, two countries that were recently left out of the high-profile international sanctions from the UK and France against cyber intrusion tools, called the [Pall Mall Process](https://rusi.org/explore-our-research/publications/commentary/pall-mall-process-cyber-intrusion-tools-putting-words-practice).

India is home to five prolific spyware vendors, including Aglaya Scientific Aerospace Technology Systems Private Limited and Appin Security Group, and Italy has six, including Memento Labs and Movia SPA, the report points out.

More needs to be done to bring transparency to the spyware market, the Atlantic Council report urged.

‘Nascent steps by a handful of countries demonstrate that a more vigorous approach to shape the behavior of spyware vendors, their supply chain, and their investors is possible,’ its report said.
‘However, much more remains to be done.’
Related Tags:
NAICS: 518 – Computing Infrastructure Providers
Data Processing
Web Hosting
Related Services
NAICS: 92 – Public Administration
NAICS: 51 – Information
Blog: Dark Reading
Associated Indicators: