On Nov. 10, 2021, Varuzhan Geghamyan, an assistant professor at Yerevan State University in Armenia, received a notification from Apple on his phone. His device had been compromised by Pegasus, an advanced piece of spyware created by Israel’s NSO Group that has been used by governments to spy on and suppress journalists, activists and civil society groups. But Geghamyan was baffled as to why he was targeted.
“At the time, I gave public lectures and commentaries, and appeared on local and state media,” he says. He focused on the ongoing conflict in Nagorno-Karabakh, a disputed territory that is internationally recognized as part of Azerbaijan but is seeking independence with Armenia’s support.
In a joint investigation by Access Now, Citizen Lab, Amnesty International, CyberHub-AM and independent security researcher Ruben Muradyan, the team concluded that Geghamyan was one of 13 Armenian government officials, including journalists, former government employees and at least one United States official, whose phones were targeted by elite spyware. Previous research by Amnesty found that more than 1,000 Azerbaijanis were also on a leaked list of potential Pegasus targets. Five of them were confirmed to have been hacked.
“It was the first time we’ve documented the use of spyware in a war like this,” said Natalia Krapiva, technical legal counsel at Access Now. With that comes a whole host of complications.
NSO Group did not provide attributable comments in time for publication.
Nagorno-Karabakh has been the scene of ongoing violent clashes between Armenia and Azerbaijan since the fall of the Soviet Union. But in September 2020, these escalated into an all-out war that lasted about six weeks and killed more than 5,000 people. Despite a ceasefire, clashes continued into 2021.
In 2022, Human Rights Watch documented war crimes against Armenian prisoners of war, and the region has suffered a massive blockade, leaving tens of thousands of people without basic necessities. The researchers found that most of the spyware victims had been infected during the war and its aftermath.
“Most of the people targeted were those who engaged in issues related to human rights violations,” said Donncha Ó Cearbhaill, head of Amnesty International’s Security Lab.
While investigators were unable to determine for sure who was behind the surveillance, NSO Group has said in the past that it only licenses its products to governments, particularly law enforcement and intelligence agencies. Earlier reports indicated that Azerbaijan, Bahrain, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, Hungary, India, Togo and the United Arab Emirates were all likely customers of the NSO Group. In 2022, the company said it would no longer sell to non-NATO countries.
A Pegasus infection is a “zero-click” attack, which means that the victim does not have to open a suspicious email or click on a bad link. “There is no behavior that would have protected these people from this spyware,” said John Scott-Railton, senior researcher at Citizen Lab.
While Pegasus has traditionally been used by government officials against their own populations, particularly activists and journalists, for which the company has come under international scrutiny, Scott-Railton says its use across borders in conflict is of particular concern. “NSO always says, ‘We sell our stuff to fight crime and terror’. This clearly suggests that reality goes further,” he says.