European and Middle Eastern spyware and surveillance firms are marketing intrusion software to adversaries of the U.S., its intelligence allies and NATO, Atlantic Council research published Monday reveals.
Looking at more than 200 companies that attended international arms fairs in the past two decades, researchers found that 85% of companies likely selling interception or intrusion technologies marketed these capabilities to governments outside their home country — even when no intelligence relationship existed. Five companies, including Israel-based Cellebrite and Sweden-based Micro Systemation AB, marketed those capabilities to U.S. and NATO adversaries.
“Cellebrite’s Digital Intelligence technology is used lawfully and with a warrant to help federal government agencies and law enforcement, including Five Eyes member nations, to investigate an event after it has taken place,” a Cellebrite spokesperson told CyberScoop in an email. “The report is inaccurate and misleading regarding how it positions Cellebrite.”
Cellebrite does not sell to countries on the “[Financial Action Task Force]’s blacklist or under sanction by the United States, Israel or the broader international community,” the spokesperson wrote.
MSAB did not respond to a request for comment.
The findings coincide with an explosion of surveillance vendors attending international arms trade shows, including the heavily attended Milipol France and the U.K. -based Security and Policing Home Office.
The report underscores growing concerns about the threat that spyware companies pose to the United States and its allies. U.S. and European leaders have begun to follow human rights organizations in vocalizing opposition to firms like the NSO Group, whose spyware technology has been used by authoritarian regimes to spy on dissidents and journalists.
“These vendors are increasingly looking to foreign governments to hawk their wares, and policymakers have yet to sufficiently recognize or respond to this emerging problem,” researchers Winnona DeSombre, Lars Gjesvik and Johann Ole Willers write. “Any cyber capabilities sold to foreign governments carry a risk: these capabilities could be used against individuals and organizations in allied countries, or even in one’s home country.”
Those risks aren’t hypothetical. The data on arms fair attendance collected by researchers included U.S. contractor CyberPoint, the precursor to DarkMatter, which was the subject of U.S. law enforcement after it designed cyber capabilities for the United Arab Emirates that led to spying on U.S. citizens.
The report provides one of the broadest overviews of the intrusion and surveillance industry to date, but the researchers note that it is likely far more firms exist. They say that because they were searching in English, “the dataset woefully underreports the presence of Chinese companies in this space.”
Researchers at the think tank urged U.S. and NATO forces to tighten export controls on the technology and work with arms fairs to limit attendance by companies that sell their technology to authoritarian or adversarial governments.
The United States took a major step against spyware Wednesday when the Commerce Department added Israel-based NSO Group and spyware firm Candiru to its list of companies that pose a national security risk to the United States. NSO Group has protested the U.S. decision. On Friday, three House Democrats called on the Biden administration to take even further action to limit investors from democratic countries from investing in hack-for-hire companies.
Updated 11/9/2021: With comment from Cellebrite.