Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime
Pegasus Spyware Spotted in Nagorno-Karabakh WarAccess Now Calls Infections 1st Documented Evidence of Pegasus in Context of War
Digital rights organizations detected the commercial spyware Pegasus application on the devices of members of Armenian civil society during the outbreak of armed conflict over a disputed region in the South Caucasus region.
See Also: Live Webinar | Education Cybersecurity Best Practices: Devices, Ransomware, Budgets and Resources
Access Now, which first detected the infections from the NSO Group-made app, called them the "first documented evidence of the use of Pegasus spyware in an international war context."
Analysis conducted by Access Now, the University of Toronto's Citizen Lab, Amnesty International's Security Lab and independent security researcher Ruben Muradyan published Thursday concludes that a government customer of Israel-based NSO Group used the Pegasus spyware to infect the Apple devices of a dozen victims starting in October 2020 through last December.
Fighting involving Azerbaijan and Armenian forces erupted in September 2020 over six weeks and resulted in Azerbaijan reclaiming control over large portions of an ethnically Armenian enclave known as Nagorno-Karabakh or Artsakh. Clashes have sporadically broken out since. The Armenian victims, whose professions include an official in the Ministry of Foreign Affairs, an academic specialist in Azerbaijan and journalists, "and the timing of the targeting strongly suggest that the conflict was the reason for the targeting,” the researchers said.
Researchers said they found "substantial evidence" to suggest that the Azerbaijani government is a Pegasus customer, and previous evidence identifies Azerbaijan-linked domains connected with Pegasus and one-click SMS infection infrastructures masquerading as Azerbaijani political websites. The U.S. embassy of Azerbaijan did not immediately respond to a request for comment.
Domain name system cache probing conducted by The Citizen Lab identified at least two suspected Pegasus operators in Azerbaijan dubbed "Bozbash" and "Yanar." The first appears to target Armenian smartphones while the second seeks domestic targets.
The researchers said that evidence exists that Armenia's government is a customer of a different spyware made by Cytrox, a North Macedonian developer whose product is known as Predator.
Azerbaijan launched another wave of Pegasus attacks "leading up to or around the major September 2022 escalations, the October 2022 peace talks in Prague and Sochi, and Azerbaijan’s ongoing blockade of the Lachin corridor that began on December 12, 2022," they added.
NSO Group has come under repeated criticism for selling Pegasus to suspect customers even as it said it limits sales to authorized states for use in national security and law enforcement investigations. The company is on a U.S. export blacklist and cannot be purchased by U.S. federal agencies. A European Parliament committee called for limits on commercial spyware exports from European Union member countries (see: PEGA Committee Calls for Limits on Commercial Spyware).