We confirm that two members of Serbian civil society were targeted with spyware earlier this year. Both have publicly criticized the Serbian government. At their request, we are not naming the individuals at this time. The Citizen Lab’s technical analysis of forensic artifacts was conducted in support of an investigation led by Access Now in collaboration with the SHARE Foundation. Researchers from Amnesty International independently analyzed the cases and their conclusions match our findings.

The full post is available at Access Now.

Device Analysis

Our analysis of forensic artifacts confirms that on or around August 16, 2023, attackers attempted to exploit and infect the devices of these unnamed individuals, leveraging iPhone’s HomeKit functionality. The attacks took place within approximately one minute of each other, and the HomeKit vector is consistent with several exploits used by NSO Group’s Pegasus spyware. However, given the limited indicators available in this case, we cannot confirm the specific spyware used in this attack.

Mercenary Surveillance Tech & Russian Influence Concerns in Serbia

A decade of Citizen Lab investigations has found that Serbia is a regular user of mercenary spyware and other surveillance technologies of concern. Several of our past findings feature Serbia’s Security Information Agency (BIA) as the suspected operator.

The BIA undertakes covert data collection, and the monitoring center which conducts surveillance is located in the BIA’s headquarters. The most recent director of the BIA (until his resignation in November 2023) was Aleksandar Vulin.

In July 2023, the United States Treasury placed BIA head Vulin on a sanctions list for his support for Moscow. Specifically, the designation was based on Vulin using “his political positions to build public support for Russia’s malign activities, while promoting ethno-nationalist narratives that fuel instability in Serbia and the region.” The US also states Vulin is believed to have “maintained a mutually beneficial relationship” with a US-sanctioned Serbian arms dealer.

Although we are not naming a suspected operator or spyware used in the August 2023 targeting at this time, we note that Vulin was at the head of the BIA during this period.

Predator Mercenary Spyware

In 2021, we conducted Internet scanning for Predator spyware servers and found a likely Predator customer in Serbia. An independent follow-up investigation by Google’s Threat Analysis Group confirmed these findings.

Circles Geolocation & Interception

Using Internet scanning in 2020, we found a unique signature associated with firewalls used in the deployments of Circles’ technology. Circles is a provider of global geolocation and interception services. This scanning enabled us to identify Circles deployments in at least 25 countries, one of which was operated by Serbia’s BIA.

Cyberbit Mercenary Spyware

A report we published in 2017 shows that spyware made by Cyberbit was used by Ethiopia to mount a global espionage campaign against dissidents. We found evidence that Cyberbit was marketing its spyware to Serbia during that investigation.

Finfisher Mercenary Spyware

Previous research by the Citizen Lab revealed that Finfisher spyware was being used by the Serbian BIA. In 2013, we discovered a Serbian customer as part of an investigation into the widespread use of the Finfisher spyware worldwide.

Acknowledgements

We are grateful to the targets of this attack for graciously consenting to the analysis of forensic artifacts from their devices. Without their willingness to be analyzed and to have their cases discussed, research on mercenary spyware would be infinitely more difficult, and accountability elusive.

We also thank Access Now and the SHARE Foundation for their collaboration, and Amnesty International’s Security Lab for their independent forensic analysis of this case.

Special thanks to Snigdha Basu and Adam Senft for editing support, feedback and review.