May 25 2023
Azerbaijan Suspected in Hacking of Armenian Officials With Israeli NSO Spyware
Thirteen Armenian officials, human rights activists, journalists and academics had their phones infected with the Israeli NSO Group’s spyware after recent fighting in Nagorno-Karabakh. Azerbaijan has reportedly used Pegasus in the past against its own citizens
Oded Yaron
Thirteen government officials, human rights activists, journalists and academics from Armenia fell victim to spying by a foreign country using Pegasus spyware from the Israeli NSO Group, a new report from Amnesty International’s Security Lab and The Citizen Lab released on Thursday found.
Among the victims were the spokeswoman of Armenia’s Foreign Ministry, who is now an NGO worker, and the then-Human Rights Defender (Ombudsman) of Armenia, who investigated suspicions of war crimes against Azerbaijan.
The researchers found circumstantial evidence linking the espionage to the war in the disputed territory of Nagorno-Karabakh, and suspect that Azerbaijan is behind the hacking.
The roots of the affair go back to November 2021, after Apple sent the first round of warnings to some of those attacked, telling them they had been the victims of a cyberattack by a foreign nation.
The forensic examination of their phones was conducted by The Citizen Lab at the University of Toronto, the Access Now digital civil rights organization, Amnesty Tech and CyberHUB-AM, the emergency cyber response center for civil society organizations in Armenia.
Azerbaijan has previously been suspected of deploying Pegasus spyware against journalists and civil society activists in its own country, after the infections were exposed in July 2021 as part of the Pegasus project, led by Forbidden Stories and Amnesty, and in cooperation with Haaretz-TheMarker.
President Ilham Aliyev has total control over the country, and his rule has a long history of arrests and repression of civil rights and opposition activists. In 2017, the U.S. State Department released a harsh report on the state of the LGBTQ community in Azerbaijan, which suffers from persecution, murder and disappearances, arrests, torture and discrimination.
NSO was not the only Israeli company that supplied advanced military and intelligence systems to Azerbaijan. Israel has consolidated its strategic ties with Azerbaijan in recent years, exporting billions of dollars of arms to the country, which shares a border with its regional foe Iran.
But this time the targets of the spying were Armenians. Forensic evidence and the identity of the victims indicate that the government of Azerbaijan was likely behind the spying campaign.
The researchers said the spyware campaign began as a result of the tensions in the Nagorno-Karabakh region, a disputed enclave with a mostly ethnic Armenian population and a separatist government in the heart of Azerbaijan. During the Second Nagorno-Karabakh War, also known as the 44-day War, in 2020, Azerbaijan captured large amounts of territory and the defeat led to a severe political crisis in Armenia.
A few days after the cease-fire agreement, it was reported that Armenia’s National Security Service had thwarted an assassination attempt against the Prime Minister Nikol Pashinyan. The prime minister then dissolved the parliament and announced new elections in June 2021, which he won.
“We identified the first wave of infections in May to July 2021 at the time that Armenia was in a severe constitutional and political crisis over the loss of Nagorno-Karabakh,” Natalia Krapiva, the tech legal counsel for Access Now, told Haaretz.
The talks between Azerbaijan and Armenia under the auspices of Russia continued during that period, and the prime minister’s resignation only made the political uncertainty even worse. Acting Foreign Minister Ara Ayvazyan resigned at the end of May, after he harshly criticized his own government’s policies. That same day, the telephone of Anna Naghdalyan, the then-spokeswoman of the Armenian Foreign Ministry, was infected, and she was not the only one.
A week later, all of the foreign minister’s deputies announced their resignations. Twenty-four hours earlier, according to the Citizen Lab report, Naghdalyan’s phone was infected for a second time. “I had a lot of important information, professional and also personal,” Naghdalyan told Haaretz. “I don’t know how much information they obtained, but this case proves that none of us are safe. Such gadgets have become an inseparable part of our lives – and such discoveries cause a deep feeling of insecurity.”
Among the victims whose phones were found to be infected with the Pegasus spyware were two Armenian academics specializing in international relations and Azerbaijan, and two United Nations employees, whose identities were not revealed.
Kristine Grigoryan, the Human Rights Defender of Armenia until January 2023, told Haaretz that additional infections occurred close to later flare-ups in Nagorno-Karabakh. Grigoryan worked in the office of Armenia’s human rights ombudsman, an accredited national institute of the United Nations, and she was responsible for investigating suspicions of war crimes.
She was tasked with the role after videos circulated in 2022 showing Azerbaijani commandos killing Armenian prisoners of war.
One of the clips depicts the abuse of a female Armenian sniper who was captured and later murdered. “She had three children,” said Grigoryan. “The family came to my office and begged for us to stop the distribution of the videos, but we couldn’t do anything.”
Due to her special role in investigating Azerbaijani war crimes, Grigoryan became a well-known figure in the media – and as a result was also the target of Azerbaijan’s spying, said the researchers. In October 2022, she was notified by Apple that her phone had been infected. In December, her phone was infected a second time.
“Helping attack those already experiencing violence is a despicable act, even for a company like NSO Group,” said Natalia Krapiva from Access Now. “Inserting harmful spyware technology into the Armenia-Azerbaijan conflict shows a complete disregard for safety and welfare, and truly unmasks how depraved priorities can be. People must come before profit — it’s time to disarm spyware globally.”
NSO Group responded to Haaretz' questions:
While NSO is unable to confirm or deny the identity of its customers, past reports proved that various groups continue to produce inconclusive reports that are unable to differentiate between the various cyber tools in use. As always, these groups refuse to share their reports with the company, hence we cannot address any specific allegations we didn’t see.
NSO has the industry’s leading compliance and human rights policy and as always will investigate all credible allegations of misuse. Past NSO investigations have resulted in the termination of multiple contracts regarding the improper use of our technologies.
NSO has repeatedly called for a global regulatory cyber intelligence framework to address the responsibility of governmental operators to prevent technological misuse.
Donncha Ó Cearbhaill, the Head of Amnesty Tech Security Lab, responded to the company's claims about the report:
“NSO Group refuses to engage with or acknowledge the overwhelming weight of forensic evidence proving ongoing Pegasus abuses published by Amnesty International, Citizen Lab and civil society partners. Time and again this research has been later validated by subsequent official investigations, government statements and major technology vendors.”
“NSO Group’s evidently inadequate human rights policy is little comfort to the journalists and human rights defenders who continue to be victimized by the company’s spyware almost a decade after abuses were confirmed. We urgently need a ban on these most invasive forms of spyware to stop the ongoing crisis enabled by this industry.”
The Azerbaijan Ministry of Foreign Affairs and Israel’s Defense Ministry have not responded to requests from Haaretz.