(C) Radio Free Europe/Radio Liberty
This story was originally published by Radio Free Europe/Radio Liberty and is unaltered.
Armenia spyware victims: Pegasus hacking in war [1]
Date: 2023-05
Content note: The following post contains references to alleged murder and war crimes.
A joint investigation by Access Now, CyberHUB-AM, the Citizen Lab at the Munk School of Global Affairs at the University of Toronto (the Citizen Lab), Amnesty International’s Security Lab, and independent mobile security researcher Ruben Muradyan has uncovered hacking of civil society victims in Armenia with NSO Group’s Pegasus spyware. The Armenia spyware victims include a former Human Rights Defender of the Republic of Armenia (the Ombudsperson), two Radio Free Europe/Radio Liberty (RFE/RL) Armenian Service journalists, a United Nations official, a former spokesperson of Armenia’s Foreign Ministry (now an NGO worker), and seven other representatives of Armenian civil society. Circumstantial evidence suggests that the targeting is related to the military conflict in Nagorno-Karabakh (also referred to as the Republic of Artsakh in Armenia) between Armenia and Azerbaijan. This is the first documented evidence of the use of Pegasus spyware in an international war context.
// The investigation
The investigation began after Apple sent its first wave of notifications to its users in November 2021, warning them that they may have been targeted with state-sponsored spyware. A number of individuals from Armenia then contacted CyberHUB-AM and Access Now’s Digital Security Helpline seeking assistance with checking their devices for evidence of such spyware.
Access Now, with forensic assistance from the Citizen Lab, was able to confirm that the Apple device of at least one of those individuals — Anna Naghdalyan, a former Armenia Foreign Ministry Spokesperson and current NGO worker — was infected with Pegasus. Subsequently, Access Now, jointly with CyberHUB-AM, independent researcher Ruben Muradyan, and the Citizen Lab, uncovered many more infections of Apple devices belonging to Armenian civil society victims. In addition, Amnesty International’s Security Lab, jointly with CyberHUB-AM, also uncovered infections of devices belonging to two of RFE/RL’s Armenian Service journalists, after one of them received notifications from Apple in November 2021.
According to the Citizen Lab, the indications of the following exploits were observed during their forensic investigation of devices in Armenia: PWNMYHOME, FINDMYPWN, FORCEDENTRY (also referred to as Megalodon by Amnesty’s Security Lab), and KISMET.
// Case studies of the Armenia spyware victims
The investigation has identified 12 individuals whose Apple devices were targeted with Pegasus spyware at various times between October 2020 and December 2022.
The backdrop of the first cluster of civil society Pegasus infections found in Armenia is the bloody 2020 Nagorno-Karabakh war with Azerbaijan, the associated peace talks in October 2020, and the November 9, 2020 ceasefire agreement that locked territorial gains for Azerbaijan. Armenia’s defeat in the war led to a major political crisis at home and prompted waves of protests and an alleged military coup attempt, where high-ranking military officials called for Armenian Prime Minister Nikol Pashinyan’s resignation. Pashinyan announced his resignation in April 2021 and called for snap parliamentary elections in June 2021.
At the same time, the Karabakh conflict itself began to intensify again with Azerbaijan’s May 12, 2021 offensive and more clashes in July and November 2021. The majority of the Armenia spyware victims were infected during this time period in 2020-2021; between them, there were over 30 successful Pegasus infections.
The second cluster of Pegasus targeting in 2022 took place leading up to or around the major September 2022 escalations, the October 2022 peace talks in Prague and Sochi, and Azerbaijan’s ongoing blockade of the Lachin corridor that began on December 12, 2022.
// Who is behind the hacking?
NSO Group claims that their technology is exclusively sold to governments, which is broadly consistent with past findings by research groups and investigative journalists. Access Now and partners believe that this operation is the work of a governmental Pegasus customer.
Neither Access Now nor the technical partners at the Citizen Lab and Amnesty International conclusively link this Pegasus hacking to a specific governmental operator. The targeting occurred during the Azerbaijan-Armenia conflict, and the Armenia spyware victims’ work and the timing of the targeting strongly suggest that the conflict was the reason for the targeting.
Because the targeting observed as part of this investigation includes members of civil society that have been critical of Armenia’s current government, it is possible that Armenia would have been quite interested in these individuals’ activities. However, at this time, Access Now is unaware of any technical evidence suggesting that Armenia has ever been a Pegasus user.
It is important to note, nonetheless, that Armenia’s government is believed to be a user of a different spyware product: Cytrox’s Predator. Meta’s December 2021 Threat Report on the Surveillance-for-Hire Industry identified an Armenia-based customer of mercenary spyware firm Cytrox. Cytrox’s Predator spyware has been implicated in abuses around the world and was a subject of the E.U. PEGA Committee inquiry. Meta also identified targets of Cytrox’s spyware in Armenia. Both the Citizen Lab and Amnesty International’s Security Lab have the technical expertise to differentiate between Predator and Pegasus spyware.
Substantial evidence exists, meanwhile, to suggest that Azerbaijan is a Pegasus customer, and the targets would have been of intense interest to Azerbaijan. The Citizen Lab’s ongoing internet scanning and DNS cache probing has identified at least two suspected Pegasus operators in Azerbaijan that they call “BOZBASH” and “YANAR.” According to the Citizen Lab, the YANAR Pegasus operator appears to have exclusively domestic-focused targeting within Azerbaijan, while the BOZBASH operator has targets including a broad range of entities within Armenia.
The Citizen Lab previously found Pegasus one-click SMS infection infrastructure masquerading as Azerbaijani political websites. Amnesty Tech’s research has also identified Azerbaijan-linked domains that point to Azerbaijan as a likely Pegasus customer.
Furthermore, the Pegasus Project joint investigation by Amnesty International, Forbidden Stories, and a consortium of world media organizations identified more than 1,000 Azerbaijani numbers on the list of individuals potentially selected for Pegasus targeting. Of these, the Pegasus Project was able to identify 245 individuals who used these numbers, including reporters, editors, or media company owners, human rights defenders, lawyers, opposition figures, and academics. The list includes seven RFE/RL Azerbaijan journalists. Amnesty International’s Security Lab forensically confirmed that five of these individuals from the list had their devices infected with Pegasus, including a former RFE/RL Azerbaijan journalist, Khadija Ismayilova. A number of the affected individuals have subsequently filed lawsuits with domestic courts in Azerbaijan and with the European Court of Human Rights (ECtHR).
// NSO Group sends its dangerous spyware to the bloody conflict
This investigation shows that despite the barrage of scandals and the associated lawsuits and sanctions that have followed, including the November 2, 2021 U.S. Commerce Department’s inclusion of NSO Group on its Entity List for exactly the kind of conduct described in this investigation, NSO Group has not stopped facilitating abuses around the world. In fact, the attempts at Pegasus infections continued into at least December 2022, during the time this investigation was still ongoing. This demonstrates that NSO Group continues to ignore how its technology is used in violation of human rights to target civil society, including journalists and human rights defenders.
The context in which Pegasus was sold and deployed is especially alarming. Nagorno-Karabakh is a disputed territory between Azerbaijan and Armenia that has been the subject of two wars and multiple violent clashes over the span of more than 30 years. Human rights organizations, including Amnesty International, found that both sides have committed war crimes in the course of the conflict. During the most recent escalations since the November 9, 2020 ceasefire, escalations that began in May 2021, and further intensified in July and November of 2021 and again in September 2022, groups like Human Rights Watch and Bellingcat reported on video evidence of alleged mass executions of Armenian prisoners of war and mutilations of dead service members committed by Azerbaijani soldiers. Azerbaijan has also been blockading the Lachin corridor since December 12, 2022, leaving 120,000 residents of Nagorno-Karabakh without electricity or access to basic necessities, like food, fuel, and medicines. Both countries also blocked TikTok and other websites in September 2022, violating their own citizens’ right to freedom of expression and information in the midst of a violent conflict.
Providing Pegasus spyware to either of the countries’ authorities in the context of a violent conflict carries a substantial risk of contributing to and facilitating serious human rights violations and even war crimes. In addition, deliberate or indiscriminate targeting of humanitarian personnel and other protected categories is expressly prohibited under international humanitarian law, which forbids any form of hindrance to humanitarian action.
This investigation shows that NSO Group not only failed to learn its lesson, but has doubled down on its abuses.
// All stakeholders: let’s disarm spyware globally
This investigation of Armenia spyware victims is a sign the spyware industry is out of control. States have used spyware to intimidate the free press, destroy civil society, silence dissidents, undermine democracy, suppress independence movements, and more. This investigation reveals that this cyberweapon is being used against civil society and humanitarian actors amidst a brutal conflict.
Given these conclusions, Access Now calls on the parties to the conflict and other relevant stakeholders to comply with international human rights and humanitarian law and to take the following actions:
Governments of Armenia and Azerbaijan
➡️ Azerbaijan to halt the use of Pegasus spyware and be subject to an independent and transparent investigation into the targeting of civil society at home and the use of spyware abroad, with results to be available to the public;
➡️ Armenia to halt its own use of spyware and conduct an independent and transparent investigation and provide public information about its own use of spyware technologies, including its relationship with both NSO Group and Cytrox; and
➡️ Armenia to formally waive the rule of exhaustion of domestic remedies in order for legal actions related to transnational use of spyware to be transmitted rapidly to the European Court of Human Rights (ECtHR), where appropriate.
Other governments
➡️ States, including Armenia and Azerbaijan, must implement an immediate moratorium on the export, sale, transfer, servicing, and use of targeted digital surveillance technologies until rigorous human rights safeguards are put in place to regulate such practices, and comply with other measures outlined in the Geneva Declaration;
➡️ Where there is evidence that commercial spyware technology facilitates or enables human rights abuses, implement a ban on the purchase of said technology, including from NSO Group and Cytrox; and
➡️ All states to stop targeting humanitarian and international organizations workers, human rights ombudspersons, journalists, and activists exposing human rights and humanitarian law violations during conflict, online or off, which is impermissible and is prohibited under international human rights and international humanitarian law.
Private sector (applicable to both the private sector and investors in the private sector)
➡️ NSO Group and other spyware companies to immediately end providing their technologies to all parties to the Nagorno-Karabakh conflict;
➡️ Commit publicly to the implementation of the UN Guiding Principles on Business and Human Rights (UNGPs);
➡️ In line with the UNGPs, publicly affirm a commitment to respect all fundamental rights by putting in place a human rights policy covering all areas of the business;
➡️ Put in place policies and practices that identify, assess, and address the impact of the business on human rights, including appropriate consideration for business partners and customers, as well as high-risk individuals and communities who may be impacted by the company’s policies, products, or operations, and the potential impact of technology or platform misuse, particularly in times of crisis;
➡️ Undergo a heightened human rights due diligence assessment when considering providing its technologies to states involved in a conflict, especially in situations where such states are known for committing war crimes and other atrocities and publicly disclose those risks and the plans to mitigate them;
➡️ Create and implement a strategy to push back on government or law enforcement assistance requests which appear overbroad, unlawful, or disproportionate, and publicly report on the requests received and how the company responded;
➡️ Engage with peers and stakeholders, including civil society, to verify the governance put in place to mitigate the potential adverse human rights impacts is effective and appropriate;
➡️ Issue regular public reports on the related due diligence efforts and procedures in place to cease, prevent, and mitigate negative human rights impacts; and
➡️ Put in place a grievance mechanism to ensure access to remedy from potentially affected stakeholders.
International organizations
➡️ Ensure that the Council of Europe and the intergovernmental and expert bodies, cooperation programs, and country offices of the Council of Europe monitor and highlight the use of spyware against journalists, human rights defenders, and other civil society and humanitarian actors in the context of the Nagorno-Karabakh conflict;
➡️ Ensure that the country-specific Action Plans of the Council of Europe for Armenia (2023-2026) and Azerbaijan (2022-2025) are revised to include specific provisions on addressing the use of spyware against journalists, human rights defenders, and other civil society and humanitarian actors in the context of the conflict;
➡️ European Union to ensure that all countries that are part of the European Neighborhood Policy (ENP), including Armenia and Azerbaijan, abide by human rights protected under the Charter and commit to not use spyware against journalists, human rights defenders, and other civil society and humanitarian actors;
➡️ Ensure that Organization for Security and Co-operation in Europe (OSCE) Minsk Group processes include investigation of spyware use by all parties to the conflict, especially against journalists, human rights defenders, and other civil society and humanitarian actors, and ensure that any peace process also includes de-escalation of cyber warfare and unlawful surveillance activities; and
➡️ Ensure adequate and, where possible, expedited process for the victims of transnational surveillance operations to receive adequate remedies in courts, including at the ECtHR and other relevant courts.
Access Now thanks Ron Deibert, John Scott-Railton, Siena Anstis, Bill Marczak, and Nicola Lawford from the Citizen Lab, Artur Papayan and Samvel Martirosyan from CyberHUB-AM, Donncha Ó Cearbhaill and Rebecca White from Amnesty International, and mobile researcher Ruben Muradyan for their invaluable help during the investigation, drafting, and editing of this report.
---
[1] Url:
https://www.accessnow.org/publication/armenia-spyware-victims-pegasus-hacking-in-war/
Content appears here under this condition or license: By permission of RFE/RL.