Spyware in Serbia: civil society under attack

In the latest example of how invasive surveillance technology is being used to silence and suppress civil society, Access Now, SHARE Foundation, the Citizen Lab at the Munk School of Global Affairs & Public Policy at the University of Toronto (the Citizen Lab), and Amnesty International have discovered that two members of civil society in Serbia were targeted with spyware earlier this year. 

The targeting came to light last month when, on October 30, two civil society representatives in Serbia, who have chosen to remain anonymous for security reasons, received Apple threat notifications warning that their iPhones might have been targeted by state-sponsored attacks. The victims contacted SHARE Foundation, a Serbian digital rights NGO, which in turn asked Access Now’s Digital Security Helpline and Amnesty International’s Security Lab to check both devices for possible traces of spyware.

Assisted by the Citizen Lab, Access Now’s Digital Security Helpline discovered traces of attempted spyware attacks targeting the devices. These attacks, which occurred approximately one minute apart on or about August 16, 2023, leveraged the iPhone’s HomeKit functionality in iOS. The tactics are consistent with those previously used by NSO Group’s Pegasus spyware, although given the limited forensic indicators available on the targeted devices, we cannot confirm the exact type of spyware used in this attack. NSO Group has released multiple exploits targeting the iPhone’s HomeKit functionality, including the PWNYOURHOME exploit deployed from October 2022.

Following a separate SHARE Foundation request, Amnesty International’s Security Lab also examined the two devices independently, and their forensic analysis concurred with Access Now and the Citizen Lab’s findings. 

Both targeted civil society members have been openly critical of Serbia’s government, which has a track record of deploying spyware and other digital surveillance tools. The Citizen Lab previously identified the Serbian Information Security Agency (BIA) as a customer of FinFisher’s spyware as of 2014, and of Circles’ mobile phone geolocation and call interception tool as of 2020. According to leaked emails, in 2012, the BIA received a demonstration of Hacking Team’s RCS spyware. Last year, the Citizen Lab and Google’s Threat Analysis Group (TAG) identified the Serbian government as a likely operator of Cytrox’s Predator spyware. Citizen Lab’s research also indicates that Serbia has been operating Pegasus spyware since at least December 2021.

This finding comes hot on the heels of Access Now and the Citizen Lab’s most recent spyware investigation, which uncovered how Vladimir Putin’s critics are being hacked with NSO Group’s Pegasus spyware in the European Union. From Armenia to Thailand, from Mexico to Morocco, the list goes on of countries where civil society groups, human rights workers, and journalists have been targeted by invasive spyware with little to no accountability or remedy. In the face of mounting evidence of harms perpetuated by the spyware industry, governments are starting to take action. The Council of Europe, European Parliament, and E.U. member states are all advancing efforts to tackle Europe’s spyware problem, and in the U.S., President Biden has barred federal agencies from using foreign commercial spyware that enables human rights abuses and jeopardizes national security.

However, there is still a long way to go. Although 11 countries, including Australia, Canada, Costa Rica, Denmark, France, and the U.K., have committed to working together towards curbing spyware proliferation, we are yet to see robust implementation of these commitments – and there is still a notable lack of a global framework for regulating the use of targeted digital surveillance technologies. Access Now calls on all governments to implement an immediate moratorium on the export, sale, transfer, use and servicing of targeted digital surveillance technologies — until rigorous human rights safeguards are put in place — while implementing bans on any invasive commercial spyware technology, and its vendors, found to facilitate or enable human rights abuses. As long as such companies continue to violate human rights, they must not be awarded more contracts and rewarded with more profit.