The We Are Our Mountains monument in the disputed territory of Nagorno-Karabakh. IMAGE: Ani Adigyozalyan via Unsplash

Pegasus spyware was deployed in Armenia amid Nagorno-Karabakh war

Researchers from a handful of digital rights organizations have uncovered the first known case of Pegasus spyware being used in the middle of a war.

The notorious spying software developed by Israeli company NSO Group targeted Armenian journalists, activists, government officials and civilians during the war between Armenia and Azerbaijan in the disputed region of Nagorno-Karabakh. The two sides fought over the territory for 44 days in the Fall of 2020.

“The Armenia spyware victims’ work and the timing of the targeting strongly suggest that the conflict was the reason for the targeting,” the researchers said.

They believe that this spyware operation was carried out by government officials, as NSO Group has previously claimed that their technology is exclusively sold to governments.

The investigation began in 2021 after Apple sent notifications to users warning them that they may have been targeted with state-sponsored spyware.

A number of individuals from Armenia contacted the digital rights organizations CyberHUB-AM, an Armenian organization, and Access Now to check their devices for evidence of such spyware.

The investigation conducted by these organizations in cooperation with the watchdog group Citizen Lab, Amnesty International’s Security Lab, and an independent mobile security researcher Ruben Muradyan has identified 12 individuals whose Apple devices were targeted with the spyware at various times between October 2020 and December 2022.

Among them are an Armenian human rights defender, two journalists with Radio Free Europe’s Armenian Service, a United Nations official, a former spokesperson of Armenia’s Foreign Ministry and seven representatives of Armenian civil society.

The phone of one of the victims, NGO representative Anna Naghdalyan, was hacked at least 27 times between October 2020 and July 2021, with infections happening almost monthly. She told Citizen Lab that since her phone was hacked with Pegasus spyware she feels that “there is no way for her to feel fully safe.”

These incidents occurred amidst political upheaval in Armenia, which included the 2020 Nagorno-Karabakh conflict with Azerbaijan and Armenia's loss in the war; successive waves of protests within the country; an alleged military coup attempt, and the recent escalation of the conflict with Azerbaijan.

Who is behind the hacking?

The researchers lack evidence to concretely link the spyware to a specific government agency in either Armenia or Azerbaijan.

Given that Pegasus’ victims in Armenia include members of civil society that have been critical of Armenia’s current government, “it is possible that Armenia would have been quite interested in these individuals’ activities,” Access Now said.

Although there is no evidence suggesting that the Armenian government has ever been a Pegasus user, it is believed to be a user of a different spyware product, Predator, developed by North Macedonian spyware maker Cytrox.

According to Citizen Lab, Azerbaijan also could be a customer of Pegasus spyware. The researchers have identified at least two suspected Pegasus operators in Azerbaijan who have targeted individuals within the country as well as abroad.

Spyware & war

Pegasus spyware can access calls, messages, and photos on a victim’s phone, turn on a device's camera and microphone, and track its location.

It is usually deployed by authoritarian governments, including in Thailand and Mexico. Civil liberties and human rights organizations across Europe have called for the European Parliament to ban the technology throughout the EU.

“NSO Group continues to ignore how its technology is used in violation of human rights to target civil society, including journalists and human rights defenders,” Access Now said in the report.

Using Pegasus amid the war “is especially alarming.” It contributes to and facilitates serious human rights violations and even war crimes, the researchers said.

At the time of publication, NSO Group had not responded to a request for comment from The Record.

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles
Daryna Antoniuk

Daryna Antoniuk

is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.