Hacking in a war zone: Pegasus spyware in the Azerbaijan-Armenia conflict

Content note: The following post contains references to alleged murder and war crimes.

A joint investigation between Access Now, CyberHUB-AM, the Citizen Lab at the Munk School of Global Affairs at the University of Toronto (the Citizen Lab), Amnesty International’s Security Lab, and independent mobile security researcher Ruben Muradyan has uncovered the hacking of civil society victims in Armenia with NSO Group’s Pegasus spyware. The Armenia spyware victims include a former Human Rights Defender of the Republic of Armenia (the Ombudsperson), two Radio Free Europe/Radio Liberty (RFE/RL) Armenian Service journalists, a United Nations official, a former spokesperson of Armenia’s Foreign Ministry (now an NGO worker), and seven other representatives of Armenian civil society. Circumstantial evidence suggests that the targeting is related to the military conflict in Nagorno-Karabakh (also referred to as the Republic of Artsakh in Armenia) between Armenia and Azerbaijan. This is the first documented evidence of the use of Pegasus spyware in an international war context.

// The investigation

The investigation began after Apple sent its first wave of notifications to their users in November 2021, warning them that they may have been targeted with state-sponsored spyware. A number of individuals from Armenia then contacted CyberHUB-AM and Access Now’s Digital Security Helpline seeking assistance with checking their devices for evidence of such spyware. 

Access Now, with forensic assistance from the Citizen Lab, was able to confirm that the Apple device of at least one of those individuals — Anna Naghdalyan, a former Armenia Foreign Ministry Spokesperson and current NGO worker — was infected with Pegasus. Subsequently, Access Now, jointly with CyberHUB-AM, independent researcher Ruben Muradyan, and the Citizen Lab, uncovered many more infections of Apple devices belonging to Armenian civil society victims. In addition, Amnesty International’s Security Lab, jointly with CyberHUB-AM, also uncovered infections of devices belonging to two of RFE/RL’s Armenian Service journalists, after one of them received notifications from Apple in November 2021. 

According to the Citizen Lab, indications of the following exploits were observed during its forensic investigation of devices in Armenia: PWNYOURHOME, FINDMYPWN, FORCEDENTRY (also referred to as Megalodon by Amnesty’s Security Lab), and KISMET.

// Case studies of the Armenia spyware victims

The investigation has identified 12 individuals whose Apple devices were targeted with Pegasus spyware at various times between October 2020 and December 2022.

The backdrop of the first cluster of civil society Pegasus infections found in Armenia is the bloody 2020 Nagorno-Karabakh war with Azerbaijan, the associated peace talks in October 2020, and the November 9, 2020 ceasefire agreement that locked in territorial gains for Azerbaijan. Armenia’s defeat in the war led to a major political crisis at home and prompted waves of protests and an alleged military coup attempt, in which high-ranking military officials called for Armenian Prime Minister Nikol Pashinyan’s resignation. Pashinyan announced his resignation in April 2021 and called snap parliamentary elections for June 2021.

At the same time, the Karabakh conflict itself began to intensify again with Azerbaijan’s May 12, 2021 offensive and further clashes in July and November 2021. The majority of the Armenia spyware victims were infected during this period in 2020-2021; between them, there were over 30 successful Pegasus infections.

The second cluster of Pegasus targeting in 2022 took place leading up to or around the major September 2022 escalations, the October 2022 peace talks in Prague and Sochi, and Azerbaijan’s ongoing blockade of the Lachin corridor that began on December 12, 2022.

Anna Naghdalyan, NGO representative

Anna Naghdalyan was one of the first victims from Armenia who contacted Access Now’s Digital Security Helpline in November 2021, after the first wave of Apple notifications. Anna is also the victim whose phone was the most extensively hacked — at least 27 times between October 2020 and July 2021, with infections happening almost every single month, according to the Citizen Lab. Between October 2020 and May 2021, Anna was officially serving as the Spokesperson of the Ministry of Foreign Affairs (MFA) of the Republic of Armenia, which put her squarely in the middle of the most sensitive conversations and negotiations related to the Nagorno-Karabakh crisis, including the ceasefire mediation attempts by France, Russia, and the United States and official visits to Moscow and Karabakh. Anna was also working at the MFA at the critical transitional moment when Foreign Minister Zohrab Mnatsakanyan resigned over the unpopular 2020 Karabakh ceasefire and Ara Ayvazyan took over the role. At the end of May 2021, Ayvazyan and all deputy foreign ministers resigned over their disagreement with the Prime Minister’s policy on Nagorno-Karabakh. This also placed the MFA in the middle of Armenia’s domestic politics as the country headed toward snap elections. While Anna left her official position that month, she continued to cover the spokesperson’s activities in an unofficial capacity for the rest of the period during which her phone was infected. As Anna stated to Access Now, she had “all the information about the developments during the war on [her] phone.” Anna also said that since her phone was hacked with Pegasus spyware she feels that there is no way for her to feel fully safe: “even if you have the most secure system on your phone, you cannot be secure.” Today, Anna is working for an NGO.

Karlen Aslanyan, Radio Azatutyun journalist

Amnesty International’s Security Lab confirmed that the device of Karlen Aslanyan, RFE/RL Armenian Service (Radio Azatutyun) journalist, was infected with Pegasus on or around April 14, 2021. In April 2021, Karlen was covering the Armenian political crisis that had its roots in Armenia’s defeat in the 2020 Nagorno-Karabakh war with Azerbaijan. In the months around his device’s infection, Karlen, the host of a popular Armenian show on Azatutyun TV called Interview with Karlen Aslanyan, had many political guests regularly discussing the situation in Nagorno-Karabakh, including the first Karabakh war military commander Jirair Sefilian, the Secretary of the Security Council Armen Grigoryan, and President of the National Assembly Ararat Mirzoyan (now Foreign Minister). At least one other Pegasus victim, Kristinne Grigoryan, appeared on Karlen’s show in September 2022, a month before her own device was infected.

Astghik Bedevyan, Radio Azatutyun journalist

The device of Astghik Bedevyan, another Radio Azatutyun journalist, was infected with Pegasus on or around May 11, 2021, according to the forensic findings by Amnesty International. In May 2021, Astghik, a senior journalist at RFE/RL’s Armenian Service, was covering the Armenian snap parliamentary elections, which were heavily focused on the Nagorno-Karabakh conflict and the consequences of Armenia’s defeat in the 2020 Nagorno-Karabakh war. Astghik’s device was infected in the month leading up to the parliamentary elections, not long after Pashinyan’s resignation and before his campaign started. The Pegasus infection profoundly impacted Astghik, as her device contained a lot of personal information, including information about her children. “I felt that my personal privacy was rudely violated,” Astghik shared with Access Now.

Ruben Melikyan, Path of Law co-founder

Ruben Melikyan is another member of Armenian civil society whose iPhone was infected with Pegasus in May 2021. According to the Citizen Lab’s forensic research, Ruben’s device was infected on or around May 20, 2021. There was also an unsuccessful attempt to compromise his device on or around December 7, 2022, a few days before Azerbaijan began the blockade of the Lachin corridor. Ruben served as Human Rights Ombudsman of the Republic of Artsakh between 2016 and 2018 and continues to be vocal on the issue of Nagorno-Karabakh, including through his Armenian NGO Path of Law. Since 2019, Ruben has also been one of the most outspoken critics of the Armenian government, on both external and internal policies. In May 2021, Ruben was involved in monitoring the snap 2021 parliamentary elections called in response to the political crisis caused by Armenia’s defeat in the 2020 Nagorno-Karabakh war.

Dr. Varuzhan Geghamyan, Yerevan State University professor 

Dr. Varuzhan Geghamyan’s iPhone was infected during the weeks leading up to Armenia’s snap parliamentary elections, on or around June 3, 2021, according to the Citizen Lab. Varuzhan is an Assistant Professor at the Yerevan State University, a Turkologist, and a prolific lecturer on the issue of regional and external politics of Azerbaijan. In June 2021, Varuzhan was giving almost daily public lectures before different audiences, providing analysis on the Nagorno-Karabakh crisis and making predictions about further developments in the conflict.  

Samvel Farmanyan, ArmNews TV co-founder

The device of Samvel Farmanyan, the co-founder of ArmNews TV, was infected on or around June 30, 2022, according to the Citizen Lab. Samvel’s channel ArmNews TV (Karyak Media Holding), an opposition television broadcasting company in Armenia, criticized the Armenian government following its defeat in the 2020 Nagorno-Karabakh War. The channel shut down in February 2022.

Kristinne Grigoryan, Human rights defender 

Kristinne Grigoryan was serving as the Human Rights Defender of the Republic of Armenia (Human Rights Ombudsperson) when her iPhone was infected with Pegasus on or around October 4, 2022, according to the Citizen Lab’s findings. Part of her former Office’s mandate is the protection of the human rights of members of the armed forces. On September 5, 2022, Kristinne met with her Azerbaijani counterpart, Commissioner for Human Rights of the Republic of Azerbaijan Sabina Aliyeva. That day, they exchanged mobile numbers; however, the Azerbaijani Human Rights Commissioner never reacted to Kristinne’s messages or calls. On September 13, 2022, Azerbaijan began a new offensive, attacking several Armenian border areas with heavy artillery, killing and capturing Armenian military personnel. On September 15 and October 1, 2022, videos surfaced online depicting mass executions and mutilations of Armenian soldiers by Azerbaijani forces. In her capacity as the Human Rights Ombudsperson, Kristinne was vocal about these alleged atrocities, publishing fact-finding and analytical reports, presenting evidence, and briefing diplomats in Armenia and international media, which led to Azerbaijan’s accusations that her role “became a foreign policy instrument.” Kristinne’s case was among those that led to the discovery that Apple’s Lockdown Mode, when enabled, produces real-time warnings of spyware targeting attempts.

Armenia spyware victims to stay anonymous

Five of the 12 individuals in this investigation whose Apple devices were infected with Pegasus have requested to remain anonymous for personal and professional reasons. These include two media representatives, one activist, another Armenian civil society actor, and one anonymous United Nations representative who does not have the consent of their employer to come forward publicly. Many other civil society individuals in Armenia also received Apple notifications, but it was not possible to conclusively determine if their devices were infected with spyware at this stage due to the inability to access data on their devices.

// Who is behind the hacking?

NSO Group claims that their technology is exclusively sold to governments, which is broadly consistent with past findings by research groups and investigative journalists. Access Now and partners believe that this operation is the work of a governmental Pegasus customer.

Neither Access Now nor its technical partners at the Citizen Lab and Amnesty International can conclusively link this Pegasus hacking to a specific governmental operator. The targeting occurred during the Azerbaijan-Armenia conflict, and the Armenia spyware victims’ work and the timing of the targeting strongly suggest that the conflict was the reason for the targeting.

Because the targeting observed as part of this investigation includes members of civil society that have been critical of Armenia’s current government, it is possible that Armenia would have been quite interested in these individuals’ activities. However, at this time, Access Now is unaware of any technical evidence suggesting that Armenia has ever been a Pegasus user. 

It is important to note, nonetheless, that Armenia’s government is believed to be a user of a different spyware product: Cytrox’s Predator. Meta’s December 2021 Threat Report on the Surveillance-for-Hire Industry identified an Armenia-based customer of mercenary spyware firm Cytrox. Cytrox’s Predator spyware has been implicated in abuses around the world and was a subject of the E.U. PEGA Committee inquiry. Meta also identified targets of Cytrox’s spyware in Armenia. Both the Citizen Lab and Amnesty International’s Security Lab have the technical expertise to differentiate between Predator and Pegasus spyware.

Substantial evidence exists, meanwhile, to suggest that Azerbaijan is a Pegasus customer, and the targets would have been of intense interest to Azerbaijan. The Citizen Lab’s ongoing internet scanning and DNS cache probing has identified at least two suspected Pegasus operators in Azerbaijan, which it calls “BOZBASH” and “YANAR.” According to the Citizen Lab, the YANAR Pegasus operator appears to have exclusively domestic-focused targeting within Azerbaijan, while the BOZBASH operator has targets including a broad range of entities within Armenia.

The Citizen Lab previously found Pegasus one-click SMS infection infrastructure masquerading as Azerbaijani political websites. Amnesty Tech’s research has also identified Azerbaijan-linked domains that point to Azerbaijan as a likely Pegasus customer. 

Furthermore, the Pegasus Project joint investigation by Amnesty International, Forbidden Stories, and a consortium of world media organizations identified more than 1,000 Azerbaijani numbers on the list of individuals potentially selected for Pegasus targeting. Of these, the Pegasus Project was able to identify 245 individuals who used these numbers, including reporters, editors, or media company owners, human rights defenders, lawyers, opposition figures, and academics. The list includes seven RFE/RL Azerbaijan journalists. Amnesty International’s Security Lab forensically confirmed that five of these individuals from the list had their devices infected with Pegasus, including a former RFE/RL Azerbaijan journalist, Khadija Ismayilova. A number of the affected individuals have subsequently filed lawsuits with domestic courts in Azerbaijan and with the European Court of Human Rights (ECtHR).

// NSO Group sends its dangerous spyware to the bloody conflict

This investigation shows that despite the barrage of scandals and the associated lawsuits and sanctions that have followed, including the U.S. Commerce Department’s November 2, 2021 inclusion of NSO Group on its Entity List for exactly the kind of conduct described in this investigation, NSO Group has not stopped facilitating abuses around the world. In fact, the attempts at Pegasus infections continued into at least December 2022, while this investigation was still ongoing. This demonstrates that NSO Group continues to ignore how its technology is used in violation of human rights to target civil society, including journalists and human rights defenders.

The context in which Pegasus was sold and deployed is especially alarming. Nagorno-Karabakh is a disputed territory between Azerbaijan and Armenia that has been the subject of two wars and multiple violent clashes over the span of more than 30 years. Human rights organizations, including Amnesty International, found that both sides have committed war crimes in the course of the conflict. During the escalations that followed the November 9, 2020 ceasefire, which began in May 2021, intensified further in July and November 2021, and flared again in September 2022, groups like Human Rights Watch and Bellingcat reported on video evidence of alleged mass executions of Armenian prisoners of war and mutilations of dead service members committed by Azerbaijani soldiers. Azerbaijan has also been blockading the Lachin corridor since December 12, 2022, leaving 120,000 residents of Nagorno-Karabakh without electricity or access to basic necessities, like food, fuel, and medicines. Both countries also blocked TikTok and other websites in September 2022, violating their own citizens’ right to freedom of expression and information in the midst of a violent conflict.

Providing Pegasus spyware to either of the countries’ authorities in the context of a violent conflict carries a substantial risk of contributing to and facilitating serious human rights violations and even war crimes. In addition, deliberate or indiscriminate targeting of humanitarian personnel and other protected categories is expressly prohibited under international humanitarian law, which forbids any form of hindrance to humanitarian action. 

This investigation shows that NSO Group not only failed to learn its lesson, but has doubled down on its abuses.

// All stakeholders: let’s disarm spyware globally 

This investigation of Armenia spyware victims is a sign the spyware industry is out of control. States have used spyware to intimidate the free press, destroy civil society, silence dissidents, undermine democracy, suppress independence movements, and more. This investigation reveals that this cyberweapon is being used against civil society and humanitarian actors amidst a brutal conflict. 

Given these conclusions, Access Now calls on the parties to the conflict and other relevant stakeholders to comply with international human rights and humanitarian law and to take the following actions:

Governments of Armenia and Azerbaijan

➡️ Azerbaijan to halt the use of Pegasus spyware and be subject to an independent and transparent investigation into the targeting of civil society at home and the use of spyware abroad, with results to be available to the public;

➡️ Armenia to halt its own use of spyware and conduct an independent and transparent investigation and provide public information about its own use of spyware technologies, including its relationship with both NSO Group and Cytrox; and

➡️ Armenia to formally waive the rule of exhaustion of domestic remedies in order for legal actions related to the transnational use of spyware to be transmitted rapidly to the European Court of Human Rights (ECtHR), where appropriate.

Other governments

➡️ States, including Armenia and Azerbaijan, must implement an immediate moratorium on the export, sale, transfer, servicing, and use of targeted digital surveillance technologies until rigorous human rights safeguards are put in place to regulate such practices, and comply with other measures outlined in the Geneva Declaration;

➡️ Where there is evidence that commercial spyware technology facilitates or enables human rights abuses, implement a ban on the purchase of said technology, including from NSO Group and Cytrox; and 

➡️ All states to stop targeting humanitarian and international organization workers, human rights ombudspersons, journalists, and activists exposing human rights and humanitarian law violations during conflict, online or off, which is impermissible and prohibited under international human rights and international humanitarian law.

Private sector (applicable to both the private sector and investors in the private sector)

➡️ NSO Group and other spyware companies to immediately stop providing their technologies to all parties to the Nagorno-Karabakh conflict;

➡️ Commit publicly to the implementation of the UN Guiding Principles on Business and Human Rights (UNGPs); 

➡️ In line with the UNGPs, publicly affirm a commitment to respect all fundamental rights by putting in place a human rights policy covering all areas of the business;

➡️ Put in place policies and practices that identify, assess, and address the impact of the business on human rights, including appropriate consideration for business partners and customers, as well as high-risk individuals and communities who may be impacted by the company’s policies, products, or operations, and the potential impact of technology or platform misuse, particularly in times of crisis; 

➡️ Undergo a heightened human rights due diligence assessment when considering providing their technologies to states involved in a conflict, especially in situations where such states are known for committing war crimes and other atrocities, and publicly disclose those risks and the plans to mitigate them;

➡️ Create and implement a strategy to push back on government or law enforcement assistance requests which appear overbroad, unlawful, or disproportionate, and publicly report on the requests received and how the company responded; 

➡️ Engage with peers and stakeholders, including civil society, to verify the governance put in place to mitigate the potential adverse human rights impacts is effective and appropriate; 

➡️ Issue regular public reports on the related due diligence efforts and procedures in place to cease, prevent, and mitigate negative human rights impacts; and

➡️ Put in place a grievance mechanism to ensure access to remedy from potentially affected stakeholders.

International organizations

➡️ Ensure that the Council of Europe and the intergovernmental and expert bodies, cooperation programs, and country offices of the Council of Europe monitor and highlight the use of spyware against journalists, human rights defenders, and other civil society and humanitarian actors in the context of the Nagorno-Karabakh conflict;

➡️ Ensure that the country-specific Action Plans of the Council of Europe for Armenia (2023-2026) and Azerbaijan (2022-2025) are revised to include specific provisions on addressing the use of spyware against journalists, human rights defenders, and other civil society and humanitarian actors in the context of the conflict;

➡️ European Union to ensure that all countries that are part of the European Neighborhood Policy (ENP), including Armenia and Azerbaijan, abide by human rights protected under the Charter and commit to not use spyware against journalists, human rights defenders, and other civil society and humanitarian actors; 

➡️ Ensure that Organization for Security and Co-operation in Europe (OSCE) Minsk Group processes include investigation of spyware use by all parties to the conflict, especially against journalists, human rights defenders, and other civil society and humanitarian actors, and ensure that any peace process also includes de-escalation of cyber warfare and unlawful surveillance activities; and

➡️ Ensure adequate and, where possible, expedited process for the victims of transnational surveillance operations to receive adequate remedies in courts, including at the ECtHR and other relevant courts.

Access Now thanks Ron Deibert, John Scott-Railton, Siena Anstis, Bill Marczak, and Nicola Lawford from the Citizen Lab, Artur Papayan and Samvel Martirosyan from CyberHUB-AM, Donncha Ó Cearbhaill and Rebecca White from Amnesty International, and mobile researcher Ruben Muradyan for their invaluable help during the investigation, drafting, and editing of this report.