(Bloomberg) -- Hacking tools sold by the Israeli company NSO Group were used to wage a two-year campaign against a dozen prominent figures in Armenia, including a United Nations official, journalists, academics, a government spokesperson and human rights advocates, according to researchers.

The findings provide the first documented evidence of NSO’s Pegasus spyware being used in the context of an international war, according to a new report published on Thursday, which was jointly produced by groups including Access Now, Amnesty International, the University of Toronto’s Citizen Lab, and Armenia’s CyberHUB-AM.

The researchers said they couldn’t conclusively determine which of NSO’s government customers had deployed the spyware. There was “substantial evidence” that Azerbaijan is a Pegasus customer, they said. The targeting of Armenian victims often occurred shortly before or during outbreaks of the long-running conflict between Azerbaijan and Armenia over the disputed border region of Nagorno-Karabakh, according to the report.

“With NSO Group and the spyware industry operating with little constraints or oversight, it was only a matter of time until we saw these technologies used in a brutal international military conflict,” said Natalia Krapiva, tech-legal counsel at Access Now, a New York-based nonprofit that advocates for digital rights. 

Asked for a response, an NSO representative said the company couldn’t address specific allegations because “as always, these groups refuse to share their reports” with the Israeli firm.

“While NSO is unable to confirm or deny the identity of its customers, past reports proved that various groups continue to produce inconclusive reports that are unable to differentiate between the various cyber tools in use,” according to a NSO representative, in an email. “NSO has the industry’s leading compliance and human rights policy and as always will investigate allegations of misuse.” The company has previously stated that it supplies its technology to government agencies and law enforcement to help them combat terrorism and serious crime.

Azerbaijan’s Foreign Ministry didn’t respond to a request for comment.

The researchers identified 12 people who were targeted with the spyware and hacked between October 2020 and December 2022. The victims included Armenian journalists from the US government-funded media organization RadioFreeEurope/RadioLiberty, in addition to Armenian academics and several Armenian human rights defenders who have criticized the Azerbaijan government’s policies.

Among the victims was Kristinne Grigoryan, who served as Armenia’s human rights defender between January 2022 and January 2023. In September 2022, following clashes between Azerbaijani and Armenian forces that resulted in the deaths of more than 200 soldiers, Grigoryan focused on investigating alleged war crimes committed by Azerbaijan, she said in an interview with Bloomberg News.

The next month, she said her iPhone was hacked with NSO’s Pegasus. She was notified by Apple Inc. that her device had been compromised and later had it analyzed by security experts from Citizen Lab, who confirmed the breach.

Grigoryan said her phones was compromised in what’s known as a “zero-click” attack, meaning she didn’t click on a malicious link in an email or text message. Once installed on a device, Pegasus spyware can be used to steal data, listen in on phone calls, or covertly record audio from its inbuilt microphones or take photographs using its camera, according to NSO’s marketing materials that outline its capabilities.

“It was a tremendous shock for me,” said Grigoryan. “I had in my devices a lot of information connected with my work, different people whom my office was serving and helping.”

Another victim, Anna Naghdalyan, was hacked at least 27 times between October 2020 and July 2021, according to the research. Naghdalyan, who was serving as a spokesperson for Armenia’s Foreign Ministry when she was targeted, said in an interview with Bloomberg that she had followed recommended security guidelines, regularly updating her phone and not clicking on suspicious messages. She said the hack left her with a feeling of insecurity and wanted to speak out because she believed “this kind of action should not be common and remain unpunished.”

In July 2021, a leaked database revealed that Azerbaijan had allegedly deployed Pegasus spyware to target more than 200 people, predominantly journalists, activists, lawyers, and opposition politicians. 

Armenia has allegedly waged its own hacking operations using a different variation of spyware, purchased from a North Macedonian firm named Cytrox, which only sells to government agencies. Facebook parent Meta Platforms Inc. in December 2021 identified Armenia as a customer of Cytrox, whose spyware it said had been used to target politicians and journalists around the world, including in Armenia.

Armenia’s Ministry of Foreign Affairs didn’t respond to a request for comment, nor did a representative for Cytrox.

In November 2021, following persistent reports of abuse involving NSO’s technology, the US Commerce Department blacklisted the company, accusing it of enabling “transnational repression.”


©2023 Bloomberg L.P.