The IPI global network is alarmed by a new report by internet watchdogs and digital rights advocacy groups uncovering the use of Pegasus, a controversial spyware developed by the Israeli cyber-arms company NSO Group, to target journalists and other civil society actors during the ongoing conflict between Armenia and Azerbaijan.

The latest revelations are another example of how advanced surveillance tools have been used to violate journalistic privacy and media freedom. They are also understood to be the first documented time that spyware has been weaponized to surveil journalists in the context of an international conflict. IPI continues to push for a global regulatory framework to control the development, trade and use of spyware and urges governments worldwide to halt abuses of state surveillance.

A joint investigation and report released May 25 by Access Now, CyberHUB-AM, the Citizen Lab at the Munk School of Global Affairs at the University of Toronto, Amnesty International’s Security Lab, and independent mobile security researcher Ruben Muradyan found that at least 12 Armenian public figures were targeted by Pegasus between October 2020 and December 2022, including two Radio Free Europe/Radio Liberty (RFE/RL) journalists. 

The report found that the hacks were linked to a territorial conflict between Armenia and Azerbaijan over the Nagorno-Karabakh region, a disputed territory that most recently led to a war in 2020 and multiple outbreaks of violence since.

The two journalists targeted, Karlen Aslanyan and Astghik Bedevyan of RFE/RL’s Armenian Service, are “well-known for their hard-hitting reporting,” according to RFE/RL President and CEO Jamie Fly. Around the time their mobile devices were infected, Aslanyan and Astghik had been reporting on the Armenian political crisis and snap parliamentary elections that followed in the wake of the 2020 war. The investigation in Armenia began after Apple sent notifications to users warning that they may have been targets of state-sponsored spyware.

The report did not definitively point to a state party responsible for the hacks, but does note that Azerbaijan’s authoritarian government is a documented customer of Pegasus, and has used it in the past to target journalists. However, Armenia too has a history with cyber-surveillance technology, albeit with a different private surveillance group, and would also have reason to want to monitor the targets.

“Revelations about the use of Pegasus spyware to surveil journalists reporting on the Nagorno-Karabakh conflict are extremely concerning and illustrate the grave threat that abuses of such advanced surveillance technology pose to journalistic privacy and the freedom of the media,” said IPI Deputy Director Scott Griffen. “With these findings, we enter a dangerous new chapter in the global abuse of spyware tools against journalists and members of civil society: this is understood to be the first time that advanced spyware has been used to hack into the phones of journalists in the context of an international conflict. State-sponsored spying adds yet another layer of danger to the work of journalists and correspondents covering conflict and will have a chilling effect on the media.”

Griffen added: “IPI urges the governments of both Armenia and Azerbaijan to launch transparent investigations into the abuse of spyware and other hacking tools against journalists by domestic intelligence and military authorities, and to ensure safeguards are implemented to protect members of the press from all forms of unjustified surveillance. We will continue to push for a moratorium on the sale and implementation of digital spyware technology until global safeguards and a regulatory framework that complies with international human rights and humanitarian law can be agreed upon.”