Pegasus Spyware Is Detected in a War Zone for the First Time
On November 10, 2021, Varuzhan Geghamyan, an assistant professor at Yerevan State University in Armenia, received a notification from Apple on his phone. His device had been compromised by Pegasus, a sophisticated piece of spyware created by the Israeli NSO Group that has been used by governments to spy on and repress journalists, activists, and civil society groups. But Geghamyan was mystified as to why he’d been targeted.
“At the time, I was delivering public lectures and giving commentaries, appearing on local and state media,” he says. He was mainly speaking about the ongoing conflict in Nagorno-Karabakh, a disputed territory that is internationally recognized as part of Azerbaijan but has sought independence, with the backing of Armenia.
In a joint investigation by Access Now, Citizen Lab, Amnesty International, CyberHub-AM, and independent security researcher Ruben Muradyan, the team concluded that Geghamyan was one of 13 Armenian public officials, including journalists, former government workers, and at least one United Nations official, whose phones were targeted by the elite spyware. Amnesty’s research previously found that more than 1,000 Azerbaijanis were also included on a leaked list of potential Pegasus targets. Five of them were confirmed to have been hacked.
“It was the first time that we have spyware use documented in a war like this,” says Natalia Krapiva, tech-legal counsel at Access Now. With it comes a whole host of complications.
NSO Group did not provide an attributable comment in time for publication.
Nagorno-Karabakh has been the site of ongoing violent clashes between Armenia and Azerbaijan since the fall of the Soviet Union. But in September 2020, these escalated into an all-out war that lasted for about six weeks and left more than 5,000 people dead. Despite a ceasefire agreement, clashes continued into 2021.
In 2022, Human Rights Watch documented war crimes against Armenian prisoners of war, and the region has suffered a massive blockade that has left tens of thousands of people without basic necessities. The researchers found that most of the spyware victims were infected during the time of the war and its aftermath.
“Most of the people targeted were those working on topics related to human rights violations,” says Donncha Ó Cearbhaill, head of Amnesty International’s Security Lab.
While the researchers were unable to conclusively determine who was behind the surveillance, NSO Group has historically said that it only licenses its products to governments, particularly to law enforcement and intelligence agencies. Previous reporting has found that Azerbaijan, Bahrain, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, Hungary, India, Togo, and the United Arab Emirates were all likely NSO Group customers. In 2022, the company said it would no longer sell to non-NATO countries.
A Pegasus infection is a “zero-click” attack, meaning the victim doesn’t need to open a suspicious email or click a bad link. “There is no behavior that would have protected these people from this spyware,” says John Scott-Railton, senior researcher at Citizen Lab.
While Pegasus has historically been used by government officials against their own populations, particularly activists and journalists, for which the company has come under international scrutiny, Scott-Railton says the use across borders in a conflict is particularly concerning. “NSO is always saying, ‘We sell our stuff to fight crime and terror,’ obviously this suggests that the reality goes beyond that,” he says.