Pegasus Spyware Is Detected in a War Zone for the First Time
On November 10, 2021, Varuzhan Geghamyan, an assistant professor at Yerevan State University in Armenia, received a notification from Apple on his phone. His device had been compromised by Pegasus, a sophisticated piece of spyware created by the Israeli NSO Group that has been used by governments to spy on and repress journalists, activists, and civil society groups. But Geghamyan was mystified as to why he’d been targeted.
“At the time, I was delivering public lectures and giving commentaries, appearing on local and state media,” he says. He was mainly speaking about the ongoing conflict in Nagorno-Karabakh, a disputed territory that is internationally recognized as part of Azerbaijan but has sought independence, with the backing of Armenia.
In a joint investigation by Access Now, Citizen Lab, Amnesty International, CyberHub-AM, and independent security researcher Ruben Muradyan, the team concluded that Geghamyan was one of 13 Armenian public officials, including journalists, former government workers, and at least one United Nations official, whose phones were targeted by the elite spyware. Amnesty’s research previously found that more than 1,000 Azerbaijanis were also included on a leaked list of potential Pegasus targets. Five of them were confirmed to have been hacked.
“It was the first time that we have spyware use documented in a war like this,” says Natalia Krapiva, tech-legal counsel at Access Now. With it comes a whole host of complications.
NSO Group did not provide an attributable comment in time for publication.
Nagorno-Karabakh has been the site of ongoing violent clashes between Armenia and Azerbaijan since the fall of the Soviet Union. But in September 2020, these escalated into an all-out war that lasted for about six weeks and left more than 5,000 people dead. Despite a ceasefire agreement, clashes continued into 2021.
In 2022, Human Rights Watch documented war crimes against Armenian prisoners of war, and the region has suffered a massive blockade that has left tens of thousands of people without basic necessities. The researchers found that most of the spyware victims were infected during the time of the war and its aftermath.
“Most of the people targeted were those working on topics related to human rights violations,” says Donncha Ó Cearbhaill, head of Amnesty International’s Security Lab.
While the researchers were unable to conclusively determine who was behind the surveillance, NSO Group has historically said that it only licenses its products to governments, particularly to law enforcement and intelligence agencies. Previous reporting has found that Azerbaijan, Bahrain, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, Hungary, India, Togo, and the United Arab Emirates were all likely NSO Group customers, In 2022, the company said it would no longer sell to non-NATO countries.
A Pegasus infection is a “zero-click” attack, meaning the victim doesn’t need to open a suspicious email or click a bad link. “There is no behavior that would have protected these people from this spyware,” says John Scott-Railton, senior researcher at Citizen Lab.
While Pegasus has historically been used by government officials against their own populations, particularly activists and journalists, for which the company has come under international scrutiny, Scott-Railton says the use across borders in a conflict is particularly concerning. “NSO is always saying, ‘We sell our stuff to fight crime and terror,’ obviously this suggests that the reality goes beyond that,” he says.
While Scott-Railton says it’s unclear what information was being sought from the victims, the Pegasus software gives nearly unprecedented access to anything in an infected phone. It also allows the surveillant to turn on the microphone or camera remotely, turning the device into a “pocket spy.” “It’s the kind of thing that could potentially … change or influence the course of a conflict.”
Nowhere is this more evident than in the experience of one victim, Anna Naghdalyan, a former spokesperson for the Armenian Foreign Ministry. In her role, Naghdalyan had intimate knowledge of the ceasefire negotiations between Armenia and Azerbaijan, with “all the information about the war on my phone,” she told Access Now.
“It’s one thing for a state to use a tool like this against military adversaries on the battlefield,” says David Kaye, a former UN special rapporteur on the right to freedom of opinion and expression and a clinical professor of law at the University of California, Irvine. But the potential to surveil across borders in a time of conflict has “not just human rights concerns, but national security concerns.”
According to the report, if any humanitarian organizations were caught in the surveillance dragnet, that could make the use of Pegasus a violation of international law, which protects humanitarian workers in conflict settings.
“Humanitarian workers are considered outside of combat, so efforts to infiltrate their communications or to conduct surveillance for purposes of military advantage on humanitarian aid workers and humanitarian installations is prohibited in most cases,” says Raymond, a coleader of the Humanitarian Research Lab and lecturer at Yale’s School of Public Health.
“Regardless of which state is using this, there needs to be a comprehensive investigation and accountability,” says Ó Cearbhaill.