Researchers have been tracking the use of cyber surveillance software to target journalists for years, but until now no government has ever been caught using it during an active international conflict. New revelations from digital rights researchers and advocates uncovered the targeting of public officials and journalists with Pegasus spyware during the 2020 war between Armenia and Azerbaijan, raising new questions for the future of war reporting. IPI spoke with experts and others connected to the case, including one of the targeted journalists, on the impact of Pegasus surveillance on journalism.

A joint investigation and report released last month by Access Now, CyberHUB-AM, the Citizen Lab, Amnesty International’s Security Lab, and independent mobile security researcher Ruben Muradyan found that at least 12 Armenian public figures were targeted by Pegasus between October 2020 and December 2022, including five members of the media, as confirmed by Natalia Krapiva, Tech-Legal Counsel at Access Now.

Pegasus, named for the winged horse of Greek mythology, is manufactured and sold by the Israeli cyber-arms company NSO Group, and has the ability to gain access to smartphones through a “zero-click” exploit that is virtually undetectable by the user. Once a device is infected, Pegasus allows a hacker to view call histories, emails, and text messages, including those sent through encrypted messaging services, as well as track the device’s location, and even open its camera and microphone.

In November 2021, Apple alerted several of the targets identified in the investigation that their devices may have been infected by state-sponsored spyware. Several of those who received these alerts contacted Access Now’s Digital Security Helpline, which “provides rapid-response emergency assistance” to digital attacks. Forensic analysis of the targeted devices and a larger investigation confirmed Pegasus infections. 

While the joint investigation’s report did not name a state party responsible for the attack, it did point out that the targets would have been “of intense interest” to the Azerbaijani government, a known user of Pegasus. The report also notes that while Armenia is not a documented user of Pegasus, it has used Cytrox’s Predator spyware — which has similar capabilities to Pegasus — in the past.

‘I have no idea why I should have been targeted’

The hacks occurred in the context of a decades-long territorial conflict between Armenia and Azerbaijan over the Nagorno-Karabakh region, a disputed territory that most recently led to a war in 2020 that killed nearly 7,000 soldiers, and several violent flare-ups since. The surveillance of journalists in the midst of an international conflict, which IPI has condemned, raises new concerns about the abuse of cyber surveillance technologies, and has had a chilling personal and professional effect on the media workers and outlets targeted.  

“I have no idea why I should have been targeted,” Samvel Farmanyan, co-founder of ArmNews TV, an independent broadcaster which shut down in February 2022, told IPI. Despite ArmNews TV’s critical coverage of the Armenian government, Farmanyan said that his journalistic activities could in “no way amount to” anything criminal or terroristic. NSO Group has repeatedly stated that it only provides its technology to government buyers for the express purposes of “preventing and investigating terrorism and crime”.

Farmanyan, who also served as a member of the National Assembly of Armenia between 2015 and 2019, said the only reasons he could have been targeted were his political stances or his media work — both ostensibly illegitimate applications of Pegasus. As with the other victims, it is not known how long the journalist’s mobile phone was surveilled for, what data was accessed during this time, or what was done with this information.

However, the context of the hacking period points in one direction. Astghik Bedevyan and Karlen Aslanyan, journalists with Radio Free Europe/Radio Liberty’s Armenian Service, were targeted while reporting on the political crisis that erupted in the country following the 2020 war. In response to the May joint report of the hack, RFE/RL CEO Jamie Fly said it was “no accident” that Bedevyan and Aslanyan were singled out, given their well-known, “hard-hitting reporting.”

Patrick Boehler, the acting head of innovation and audience engagement at RFE/RL, told IPI in an interview that Bedevyan and Aslanyan were some of RFE/RL’s “most high-profile journalists,” due to their reporting on regional politics and coverage of prominent politicians and opposition figures. “It’s difficult to single out a single topic or single story that might have led to [the hacking],” he said.

Revelations about the extent of the hacks have shaken up the private and work lives of the targeted journalists, and caused serious psychological damage. “I felt that my personal privacy was rudely violated,” Bedevyan told Access Now, who noted her phone contained personal information about her family. Boehler echoed this sentiment in his own comments regarding the hacks. “So much of our lives are in our phones, from our banking to health information, to contact details of friends and family,” he said. “It is just so awful to be exposed in such a way to bad actors.” 

For Farmanyan, the trauma he experienced changed every aspect of his life. “You know that you are followed 24/7 by a government without any understanding which government follows you,” he said. 

Of the five media workers targeted, two wished to remain anonymous for personal and professional reasons.

New risks for war correspondents 

NSO Group has come under fire repeatedly as researchers continue to uncover new instances of abuses of the technology and its widespread use against non-criminal targets. An international media consortium reported in July 2021 that authoritarian governments around the world have used Pegasus to spy on journalists, opposition politicians, activists, lawyers and business people. The years-long investigation, which became known as the “Pegasus Project,” also found that more than 1,000 Azerbaijani mobile phone numbers were on a list of potential Pegasus hacking targets.

Widespread alarm over these revelations led the U.S. Department of Commerce to list NSO Group on its Entity List for malicious cyber activities in November 2021, warning that NSO’s spyware tools have “enabled foreign governments to conduct transnational repression.” Yet five days later, the Biden administration reportedly signed a secret contract with NSO Group, revealing the powerful pull cyberweapons have on governments worldwide, from autocracies to democracies.  

Despite the growing body of evidence that Pegasus has been weaponized by governments seeking to suppress dissent, applications of it have continued in client countries, and a new class of “boutique” spyware firms and suppliers has cropped up as companies like NSO Group face international backlash. The unprecedented, wartime context of the Armenian hack creates even more profound threats and risks to reporters operating in risky conflict zones. “State-sponsored spying adds yet another layer of danger to the work of journalists and correspondents covering conflict and will have a chilling effect on the media,” said IPI Deputy Director Scott Griffen.

The authors of the report warned that the provision of Pegasus spyware to governments actively enmeshed in international conflict “carries a substantial risk of contributing to and facilitating serious human rights violations and even war crimes,” and amounts to a violation of international humanitarian law. “By providing Pegasus to either one of the parties in the Karabakh war, already marred by atrocities, NSO makes itself potentially complicit in humanitarian law violations and even war crimes,” Krapiva told IPI. “Journalists are not legitimate targets for attacks.”

Global regulation lacking

As of yet, there are no global safeguards or a regulatory framework governing the spyware industry, which extends well beyond NSO Group and Pegasus. In April 2021, the European Union took a first step in attempting to rein in abuses of spyware technologies through an established committee dedicated to increasing transparency surrounding the sale and purchase of Pegasus-type programs. The effect of the committee’s work has been limited, however, due to a variety of legal and political obstacles within the EU framework.

Last year, the EU released a first draft of the European Media Freedom Act (EMFA), which, among other things, would prohibit the deployment of spyware against journalists and media organizations. However, new proposed exemptions that would allow governments to circumvent these safeguards on grounds of national security have elicited strong criticism from human rights and press freedom groups, including IPI, which has advocated for a moratorium on the sale and implementation of digital spyware technology until a global framework can be agreed upon. 

In light of stalled action on the global scale, many outlets have taken steps of their own to deal with the rise of cyber surveillance attacks against journalists. Boehler said that this latest incident was not the first time RFE/RL journalists have been targeted with spyware. “It’s just a reminder of the conditions that we work in,” he told IPI. Boehler explained that RFE/RL already has protocols in place and forensic analysis capacities to assist journalists who suspect they may have been the target of a hack. “It’s become a relatively routine process unfortunately, given the pervasiveness of spyware.” 

The added financial burden of creating newer and stronger security protocols in the face of increasing numbers of attacks has drained resources, said Boehler. Yet the necessity of protecting sources divulging sensitive information and ensuring secure reporting is crucial, and goes beyond one single story, or even one country. In Boehler’s view, getting this right is critical for the future of journalism writ large. “We really have to solve this to make sure that we can continue to attract the brightest minds.”