The Citizen Lab examined the devices of a number of individuals in Armenia for evidence of spyware infections including Pegasus, as part of an investigative collaboration with Access Now, CyberHUB-AM, Amnesty International’s Security Lab, and independent mobile security researcher Ruben Muradyan.
Read the Access Now report on the civil society cases: Hacking in a war zone: Pegasus spyware in the Azerbaijan-Armenia conflict.
Our forensic analysis of the following individuals’ devices found evidence of Pegasus spyware infection with a high degree of confidence.
|Name or Alias||Occupation||Infection date(s)||Victim Location|
|Anna Naghdalyan||NGO Representative, former Spokesperson of the Ministry of Foreign Affairs (MFA) of the Republic of Armenia||
|Ruben Melikyan||Co-founder of Armenian NGO Path of Law, former Human Rights Ombudsman of the Republic of Artsakh||
|Varuzhan Geghamyan||Assistant Professor at Yerevan State University||
|Samvel Farmanyan||ArmNews TV Co-founder||
|Kristinne Grigoryan||Former Human Rights Defender of the Republic of Armenia (Human Rights Ombudsperson)||
|Victim 1||Works in Media||
|Victim 4||Civil Society Representative||
|Victim 5||United Nations Official||
Our analysis found individuals in Armenia targeted with NSO Group exploits including PWNYOURHOME, FINDMYPWN, FORCEDENTRY, and KISMET.
We do not conclusively attribute the infections listed above to a specific governmental entity, and our forensic analysis was unable to confirm which Pegasus operator conducted the infections listed above.
As part of the Citizen Lab’s ongoing internet scanning and DNS cache probing, we identified two suspected Pegasus operators in Azerbaijan. We name these two operators BOZBASH and YANAR.
Domains associated with both the BOZBASH and YANAR operators were registered by the end of 2018, or possibly before. NSO Group implemented a new version of their infrastructure at the end of 2018, following our HIDE AND SEEK report, and it is difficult to link customers conclusively across the new and old infrastructure versions.
We have only ever observed the YANAR Pegasus operator monitoring targets within Azerbaijan, while the BOZBASH operator appears to monitor targets both in Azerbaijan and several countries abroad, including Armenia.
We would like to thank each victim and potential target that participated in this investigation. Without them, this would not have been possible. Their participation also helped to meaningfully advance our understanding of NSO Group’s exploits.
The Citizen Lab would like to thank Access Now, CyberHUB-AM, Amnesty International’s Security Lab, and independent mobile security researcher Ruben Muradyan.
We thank our colleagues at Citizen Lab including Snigdha Basu, Siena Anstis and Adam Senft for editorial assistance.