The notorious Pegasus software exploit developed by the Israeli tech company NSO Group has allegedly been used for the first time as a weapon against civilians in an international conflict. According to a new report, the software is being used to spy on experts, journalists, and others critical of Azerbaijan’s incursion into the territories of Nagorno-Karabakh in Armenia.
Reports of potentially the first documented case of a sovereign state utilizing the commercial spyware during a cross-border conflict comes courtesy of the digital rights group, Access Now, in collaboration with CyberHUB-AM, the University of Toronto’s Citizen Lab at the Munk School of Global Affairs, Amnesty International’s Security Lab, and independent mobile security researcher, Ruben Muradyan.
According to the research team’s findings published on Thursday, at least 12 individuals’ Apple devices were targets of the spyware between October 2020 and December 2022, including journalists, activists, a government worker, and Armenia’s “human rights ombudsperson.” Once infected with the Pegasus software, third-parties can access text messages, emails, and photos, as well as activate microphones and cameras to secretly record communications.
Although Access Now and its partners cannot conclusively link these attacks to a “specific [sic] governmental actor,” the “Armenia spyware victims’ work and the timing of the targeting strongly suggest that the conflict was the reason for the targeting,” they write in the report. As TechCrunch also noted on Thursday, The Pegasus Project, monitoring the spyware’s international usage, previously determined that Azerbaijan is one of NSO Group’s customers.
Based in Israel, NSO Group claims to provide “best-in-class technology to help government agencies detect and prevent terrorism and crime.” The group has long faced intense international criticism, blacklisting, and lawsuits for its role in facilitating state actors with invasive surveillance tools. Pegasus is perhaps its most infamous product, and offers what is known as a “zero-click” hack. In 2021, PopSci explained:
Unlike the type of viruses you might have seen in movies, this one doesn’t spread. It is targeted at a single phone number or device, because it is sold by a for-profit company with no incentive to make the virus easily spreadable. Less sophisticated versions of Pegasus may have required users to do something to compromise their devices, like click on a link sent to them from an unknown number.
In September 2021, the University of Toronto’s Citizen Lab discovered NSO Group’s Pegasus spyware on a Saudi Arabian activists’ iPhones that may have proved instrumental in the assassination of US-based Saudi critic Jamal Khashoggi, quickly prompting Apple to release a security patch to its over 1.65 billion users. Later that year the US Department of Commerce added NSO Group to its “Entity List for Malicious Cyber Activities.”
“Helping attack those already experiencing violence is a despicable act, even for a company like NSO Group,” Access Now’s senior humanitarian officer, Giulio Coppi, said in a statement. “Inserting harmful spyware technology into the Armenia-Azerbaijan conflict shows a complete disregard for safety and welfare, and truly unmasks how depraved priorities can be. People must come before profit—it’s time to disarm spyware globally.”