U.S. Clamps Down on Computer Security Companies Intellexa and Cytrox Over Security Threats
Entity List Imposes Restrictions
On Tuesday, the U.S. government made a significant move in the escalating battle against commercial spyware, adding developers Intellexa and Cytrox to its Entity List over potential threats to national security.
According to a U.S. State Department statement posted July 18, Intellexa SA of Greece, Ireland's Intellexa Limited, North Macedonia's Cytrox AD, and Hungary's Cytrox Holdings are linked entities engaged in the development and sale of software capable of infiltrating and monitoring electronic devices.
The Department of Commerce listed them over such activities, stating that they "are acting contrary to the national security or foreign policy interests of the United States," according to a record in the Federal Register.
The inclusion of Intellexa and Cytrox on the Entity List imposes export restrictions on these software vendors, representing a crucial step in the Biden administration's ongoing crackdown on commercial surveillance technology. The restrictions render it legally impossible for U.S. organizations to transact with these listed entities without express governmental permission, effectively severing ties between Intellexa, Cytrox, and the American market.
This decisive move comes in the wake of warnings from cybersecurity experts about the potential misuse of these companies' surveillance products. Google's Threat Analysis Group (TAG), Cisco Talos, and Canadian nonprofit Citizen Lab have published damning reports on Cytrox's Predator and Alien spyware, indicating their deployment by clients targeting politicians, journalists, and activists.
These spyware packages, similar to the infamous Pegasus developed by NSO Group, which was added to the Entity List in 2021, have been documented exploiting zero-day vulnerabilities to infiltrate and control Android and Apple iOS devices, effectively spying on users and extracting valuable data.
As Citizen Lab noted in a 2021 report, Cytrox is linked with Intellexa, a conglomerate that formed the so-called "Star Alliance of spyware" in 2019 to rival NSO Group. However, Citizen Lab also pointed out that "the specific link between Cytrox and Intellexa, as well as other companies in the 'alliance,' remains murky at best."
In 2021, Google TAG reported that Cytrox had sold zero-day exploits to government-backed entities, enabling them to deploy Predator in at least three distinct campaigns. The team identified the exploit buyers as originating from Egypt, Armenia, Greece, Madagascar, Côte d'Ivoire, Serbia, Spain, and Indonesia, among other countries.
"We assess with high confidence that these exploits were packaged by a single commercial surveillance company, Cytrox, and sold to different government-backed actors who used them in at least the three campaigns," stated Google security researchers Clement Lecigne and Christian Resell.
Notably, in March, a former security policy manager at Meta who was based between the U.S. and Greece launched a lawsuit against the Hellenic national intelligence service, accusing it of compromising her phone and deploying Predator spyware. The case is still ongoing.
Inclusion on the Entity List of the U.S. Department of Commerce marks a serious blow to Intellexa and Cytrox, hampering their operations and shining a glaring spotlight on the wider industry of commercial spyware.