US blacklists Luxembourg-linked spyware firm NSO Group
The United States has blacklisted the NSO Group, the company that is behind the controversial Pegasus spyware and has multiple entities in the Grand Duchy, a week after Luxembourg's Prime Minister Xavier Bettel said in a Luxembourg Times interview that the country had used the software.
The decision was made due to NSO Group "engaging in activities that are contrary to the national security or foreign policy interests of the United States", the US Department of Commerce said in a statement on Wednesday.
NSO, headquartered in Israel, was added to the blacklist based on evidence that it "developed and supplied spyware to foreign governments that used these tools to maliciously target government officials, journalists, businesspeople, activists, academics, and embassy workers", the department added.
Luxembourg's State Ministry, which oversees the country's intelligence services, referred a request for comment on whether the country is considering a similar step to the Economy Ministry, which did not immediately respond.
"NSO Group is dismayed by the decision given that our technologies support US national security interests and policies by preventing terrorism and crime, and thus we will advocate for this decision to be reversed," the company said in a statement, when asked to react to the news. It said it was using "the world's most rigorous compliance and human rights programs," and that it had terminated multiple contracts with governments "misusing" its products.
In Luxembourg too
The Pegasus spyware, produced by the NSO Group, was used by governments around the world to target numerous activists, journalists, lawyers and dissidents, a consortium of international media outlets revealed in July. That followed earlier reports that the spyware had been used to snoop on murdered Saudi Arabian journalist Jamal Khashoggi and other dissidents.
Such practices "threaten the rules-based international order", the statement from the Department of Commerce said. The 'Entity List' is a tool used by the US to restrict the export, re-export, and in-country transfer of items "reasonably believed" to be involved "in activities contrary to the national security or foreign policy interests of the United States", it said.
The US announcement comes after Luxembourg lawmakers began to probe a disclosure made by Prime Minister Xavier Bettel during a Luxembourg Times interview last Monday that the government had used the controversial spyware.
In response to a parliamentary question last Thursday, Bettel did not refer to Pegasus by name and said he had been talking about spyware generically, adding that "for security reasons and in order to protect investigations, it is not possible to publish details of technical equipment."
Yet Bettel's answers came in response to a question about NSO during a section of the interview that lasted more than five minutes and during which Bettel frequently referred to the company and mentioned Pegasus by name.
Bettel blamed governments for misusing the software, describing the reports as "a scandal" and "unacceptable". However, he said that the spyware, if used correctly, was a powerful tool to fight terrorism and went on to confirm that Luxembourg had used it "for reasons of state security".
It was the first public admission by the Grand Duchy that it had used the software, two members of Luxembourg's parliament said in reaction to the interview.
"But at the beginning, when we bought it, it was for reasons of state security," the prime minister said, before repeating the admission later in the interview. "I fully agree that it is a very sensitive matter... but the fact is at the beginning, as a state we bought it for secret services and state safety."
"And for me... we use it," Bettel said. "I have to be able to tell you that we use products where we are able to have intrusive methods to get information."
An Amnesty International study in June revealed the shadowy structure of the NSO Group, which is based in Israel but has multiple entities in the Grand Duchy. In 2019, in an announcement that the NSO Group had been acquired by its management, the company referred to Luxembourg as its headquarters.
In the wake of the July press reports, Foreign Minister Jean Asselborn acknowledged nine NSO entities were based in Luxembourg, after initially saying there were only two. Asselborn said he sent letters to the nine NSO entities reminding them of their human rights duties.
Luxembourg would need to act if a link was shown between NSO's operations in the Grand Duchy and human rights violations, the minister said, but without specifying any potential responses. NSO has repeatedly said that governments use its software to fight terrorism and serious crimes such as human trafficking and that it would take any allegation of misconduct seriously.
The NSO Group said in a confidential letter that it only exports its spyware from Israel with the consent of the Israeli government, Asselborn said last month, although he had no means to verify that claim. Asselborn previously said Luxembourg had not granted the company an export licence.
NSO Group told Amnesty International this year that one of its Luxembourg entities, Q Cyber Technologies, is responsible for handling invoices, contracts and payments from customers of its software.
The Washington Post reported in 2018 that Saudi Arabia conducted some of its spyware operations, including tracking the murdered journalist Jamal Khashoggi, through Luxembourg entity Q Cyber Technologies.
In September, Apple issued a software update after a Canadian research lab revealed that NSO had supplied clients with a zero-click hacking tool. The US on Wednesday also blacklisted Israel's spyware firm Candiru, and one Russian and one Singaporean entity tied to similar activities.