Armenia-Azerbaijan conflict Pegasus infections – Technical Brief [1]

Infection Confirmations

The Citizen Lab examined the devices of a number of individuals in Armenia for evidence of spyware infections including Pegasus, as part of an investigative collaboration with Access Now, CyberHUB-AM, Amnesty International’s Security Lab, and independent mobile security researcher Ruben Muradyan.

Read the Access Now report on the civil society cases: Hacking in a war zone: Pegasus spyware in the Azerbaijan-Armenia conflict.

Our forensic analysis of the following individuals’ devices found evidence of Pegasus spyware infection with a high degree of confidence.

Name or Alias: Anna Naghdalyan
Occupation: NGO Representative, former Spokesperson of the Ministry of Foreign Affairs (MFA) of the Republic of Armenia
Infection date(s):
  • Sometime 2020-10-11 – 2020-10-13
  • Sometime 2020-10-13 – 2020-10-19
  • Sometime 2020-10-19 – 2020-10-21
  • Sometime 2020-10-24 – 2020-10-28
  • On or around 2020-11-02
  • Sometime 2020-11-04 – 2020-11-05
  • Sometime 2020-11-07 – 2020-11-18
  • Sometime 2020-11-18 – 2020-12-08
  • Sometime 2020-12-08 – 2021-01-03
  • Sometime 2021-01-06 – 2021-01-07
  • On or around 2021-01-11
  • On or around 2021-01-15
  • Sometime 2021-02-04 – 2021-02-05
  • Sometime 2021-02-05 – 2021-02-11
  • Sometime 2021-03-04 – 2021-03-15
  • Sometime 2021-03-15 – 2021-03-18
  • Sometime 2021-03-18 – 2021-03-27
  • Sometime 2021-03-28 – 2021-03-31
  • Sometime 2021-03-31 – 2021-04-03
  • Sometime 2021-04-03 – 2021-04-08
  • Sometime 2021-04-08 – 2021-04-17
  • Sometime 2021-04-27 – 2021-05-15
  • On or around 2021-05-31
  • On or around 2021-06-06
  • On or around 2021-06-30
  • On or around 2021-07-03
  • On or around 2021-07-05
Victim Location: Armenia

Name or Alias: Ruben Melikyan
Occupation: Co-founder of Armenian NGO Path of Law, former Human Rights Ombudsman of the Republic of Artsakh
Infection date(s):
  • On or around 2021-05-20
  • Unsuccessful infection attempt on or around 2022-12-07
Victim Location: Armenia

Name or Alias: Varuzhan Geghamyan
Occupation: Assistant Professor at Yerevan State University
Infection date(s):
  • On or around 2021-06-03
Victim Location: Armenia

Name or Alias: Samvel Farmanyan
Occupation: ArmNews TV Co-founder
Infection date(s):
  • On or around 2022-06-30
Victim Location: Armenia

Name or Alias: Kristinne Grigoryan
Occupation: Former Human Rights Defender of the Republic of Armenia (Human Rights Ombudsperson)
Infection date(s):
  • On or around 2022-10-04
Victim Location: Armenia

Name or Alias: Victim 1
Occupation: Works in Media
Infection date(s):
  • Date(s) withheld
Victim Location: Armenia

Name or Alias: Victim 2
Occupation: Journalist
Infection date(s):
  • Date(s) withheld
Victim Location: Armenia

Name or Alias: Victim 3
Occupation: Activist
Infection date(s):
  • Date(s) withheld
Victim Location: Armenia

Name or Alias: Victim 4
Occupation: Civil Society Representative
Infection date(s):
  • Date(s) withheld
Victim Location: Armenia

Name or Alias: Victim 5
Occupation: United Nations Official
Infection date(s):
  • Date(s) withheld
Victim Location: Armenia

Our analysis found individuals in Armenia targeted with NSO Group exploits including PWNYOURHOME, FINDMYPWN, FORCEDENTRY, and KISMET.

Spyware Scanning

We do not conclusively attribute the infections listed above to a specific governmental entity, and our forensic analysis was unable to confirm which Pegasus operator conducted the infections listed above.

As part of the Citizen Lab’s ongoing internet scanning and DNS cache probing, we identified two suspected Pegasus operators in Azerbaijan. We name these two operators BOZBASH and YANAR.

Domains associated with both the BOZBASH and YANAR operators were registered by the end of 2018, or possibly before. NSO Group implemented a new version of their infrastructure at the end of 2018, following our HIDE AND SEEK report, and it is difficult to link customers conclusively across the new and old infrastructure versions.

We have only ever observed the YANAR Pegasus operator monitoring targets within Azerbaijan, while the BOZBASH operator appears to monitor targets both in Azerbaijan and several countries abroad, including Armenia.

Acknowledgements

We would like to thank each victim and potential target that participated in this investigation. Without them, this would not have been possible. Their participation also helped to meaningfully advance our understanding of NSO Group’s exploits.

The Citizen Lab would like to thank Access Now, CyberHUB-AM, Amnesty International’s Security Lab, and independent mobile security researcher Ruben Muradyan.

We thank our colleagues at Citizen Lab including Snigdha Basu, Siena Anstis and Adam Senft for editorial assistance.