Researchers have uncovered hacking of civil society victims in Armenia with NSO Group’s Pegasus spyware in what is being described as the first documented evidence of the use of Pegasus in an international war context.
The joint investigation between Access Now, CyberHUB-AM, the Citizen Lab, Amnesty International’s Security Lab, and an independent mobile security researcher (Ruben Muradyan) kicked off after Apple sent a wave of notifications to iPhone users in November 2021, warning that they may have been targeted with state-sponsored spyware.
The investigation has identified a dozen individuals whose Apple devices were targeted with NSO Group’s infamous malware at various times between October 2020 and December 2022.
Access Now, with forensic assistance from the Citizen Lab, was able to confirm that the Apple device of Anna Naghdalyan, a former Armenia Foreign Ministry Spokesperson and current NGO worker, was infected a whopping 27 times with Pegasus.
Operators controlling the malware remotely can use it to intercept calls and messages, extract photos from the victim's phone, switch on the device's front and back cameras and microphone, and track its location.
“Between October 2020 and May 2021, Anna was officially serving as the Spokesperson of the Ministry of Foreign Affairs (MFA) of the Republic of Armenia, which put her squarely in the middle of the most sensitive conversations and negotiations related to the Nagorno-Karabakh crisis, including the ceasefire mediation attempts by France, Russia, and the United States and official visits to Moscow and Karabakh,” reads the Access Now report.
Naghdalyan told investigators she had “all the information about the developments during the war on [her] phone,” adding that since her phone was hacked she feels that there is no way for her to feel fully safe.
Researchers could not conclusively attribute this Pegasus targeting to a specific government or threat actor. Because the targets include members of civil society who have been critical of Armenia's current government, they note it is possible that Armenia would have wanted to monitor those individuals. However, Armenia's government is believed to be a user of a different spyware product, Predator, developed by North Macedonia-based Cytrox.
The researchers stress that there is more "substantial evidence" pointing to Azerbaijan, as the targets "would have been of intense interest to Azerbaijan."
“Providing Pegasus spyware to either of the countries’ authorities in the context of a violent conflict carries a substantial risk of contributing to and facilitating serious human rights violations and even war crimes,” the report says.
NSO Group has been under fire in recent years for allegedly facilitating mercenary cyber attacks surrounding key geopolitical events through its Pegasus spyware.
Apple has sued NSO Group over its practices. In response to the sustained efforts of NSO Group customers to infect iOS users with Pegasus, the company also introduced Lockdown Mode, an optional setting designed to substantially reduce the attack surface of its mobile operating system.
Pegasus typically exploits unpatched, and often previously unknown, vulnerabilities and can infect both iOS and Android devices. Many of the exploit chains documented over the years require little or no interaction from the target, in what researchers describe as "zero-click" infection.
While most such attacks are highly targeted, at Bitdefender we strongly recommend that everyone keep their smartphones updated with the latest security patches issued by the vendor. Users who believe they may be at elevated risk can additionally enable Lockdown Mode on iOS. Both iPhone and Android users should also consider deploying a dedicated security solution to stay safe from online threats at all times.
Filip has 15 years of experience in technology journalism. In recent years, he has turned his focus to cybersecurity in his role as Information Security Analyst at Bitdefender.